2008-09-10:

Security Days 6, day 1 - solution

security:easy
The second part of the first phase of SD6 started this evening, so I can finally write something about the first part.

The first "quest" was to get access to admin panel in a website made especially for the tournament. The site had just a few links, that looked like this:

?page=b2ZlcnRh - "offer" section (PL: oferta)
?page=a29udGFrdA== - "contact" section (PL: kontakt)
?page=b2Zpcm1pZQ== - "about the company" section (PL: o firmie)

It's easy to figure out that the params value is base64 encoded. After the decode we get "oferta", "kontakt" and "ofirmie" (see the PL words in the brackets above). A simple LFI test (which was adding a ./ to the beginning of page name, i.e. "./oferta") showed that an LFI (Local File Inclusion) is in fact present. Another test confirmed that there is no filtering, so poison NUL byte may work. This test worked this way - I tried to get to know the extension of the file, using the nul byte poison, and encoding some different extensions like this: base64("oferta.htm\0"), base64("oferta.html\0"), base64("oferta.txt\0"), and so on. I found out that the extension is .inc, and that it is not really needed to get the task done (but it confirmed that nul byte works). OK, something can be included. Now let's find something to include &;gt;

This was the right moment to find the admin panel by checking the standard places - ?page=base64("admin"), /admin.php, /admin, /admin.html, and so on. The panel was places in the /admin directory, and it was defended by Basic Auth HTTP, using the .htaccess+.htpasswd apache mechanism.

Well, using the above LFI to include /admin/.htpasswd (page files were in a subdirectory, so the total path went like this: "../admin/.htpasswd\0") I got myself a hash of a password. John dealt with the password very quick, and I found it to be abc123. Now just a fast logon on the panel (user was admin) and the task is done.

I'll add that few guys just guessed the password for the admin panel (well abc123 isn't hard to guess, now is it?) or used a dictionary attack. Well, every method that works is a good method.

My personal solution time: 20 minutes

Another thing to add is that few guys had problems with proper \0 encoding in base64 - well, I have to remember to double check the encoder I use (luckily I used python, and it did a good job).

The task was imho ideal for the first day. The second days (that would be today) task is a little more interesting, but I'll have to wait with the description till tomorrow =^^=

Add a comment:

Nick:
URL (optional):
Math captcha: 9 ∗ 9 + 4 =