Security Days 6, day 1 - solution - gynvael.coldwind//vx.log

Return to dashboard ⇪

Sections

lang: |
RSS: |
About me
Tools
→ YT YouTube (EN)
→ D Discord
→ M Mastodon
→ T Twitter
→ GH GitHub

My company's website

27-28 May 2024
Kraków (Poland)

Paged Out! zine

Dragon Sector CTF Team

Links / Blogs

Posts

// copyright © Gynvael Coldwind
// design & art by Xa
// logo font (birdman regular) by utopiafonts / Dale Harris

/* the author and owner of this blog hereby allows anyone to test the security of this blog (on HTTP level only, the server is not mine, so let's leave it alone ;>), and try to break in (including successful breaks) without any consequences of any kind (DoS attacks are an exception here) ... I'll add that I planted in some places funny photos of some kittens, there are 7 of them right now, so have fun looking for them ;> let me know if You find them all, I'll add some congratz message or sth ;> */

Vulns found in blog:
* XSS (pers, user-inter) by ged_
* XSS (non-pers) by Anno & Tracerout
* XSS (pers) by Anno & Tracerout
* Blind SQLI by Sławomir Błażek
* XSS (pers) by Sławomir Błażek

2008-09-10:

Security Days 6, day 1 - solution

security:easy

The second part of the first phase of SD6 started this evening, so I can finally write something about the first part.

The first "quest" was to get access to admin panel in a website made especially for the tournament. The site had just a few links, that looked like this:

?page=b2ZlcnRh - "offer" section (PL: oferta)
?page=a29udGFrdA== - "contact" section (PL: kontakt)
?page=b2Zpcm1pZQ== - "about the company" section (PL: o firmie)

It's easy to figure out that the params value is base64 encoded. After the decode we get "oferta", "kontakt" and "ofirmie" (see the PL words in the brackets above). A simple LFI test (which was adding a ./ to the beginning of page name, i.e. "./oferta") showed that an LFI (Local File Inclusion) is in fact present. Another test confirmed that there is no filtering, so poison NUL byte may work. This test worked this way - I tried to get to know the extension of the file, using the nul byte poison, and encoding some different extensions like this: base64("oferta.htm\0"), base64("oferta.html\0"), base64("oferta.txt\0"), and so on. I found out that the extension is .inc, and that it is not really needed to get the task done (but it confirmed that nul byte works). OK, something can be included. Now let's find something to include &;gt;

This was the right moment to find the admin panel by checking the standard places - ?page=base64("admin"), /admin.php, /admin, /admin.html, and so on. The panel was places in the /admin directory, and it was defended by Basic Auth HTTP, using the .htaccess+.htpasswd apache mechanism.

Well, using the above LFI to include /admin/.htpasswd (page files were in a subdirectory, so the total path went like this: "../admin/.htpasswd\0") I got myself a hash of a password. John dealt with the password very quick, and I found it to be abc123. Now just a fast logon on the panel (user was admin) and the task is done.

I'll add that few guys just guessed the password for the admin panel (well abc123 isn't hard to guess, now is it?) or used a dictionary attack. Well, every method that works is a good method.

My personal solution time: 20 minutes

Another thing to add is that few guys had problems with proper \0 encoding in base64 - well, I have to remember to double check the encoder I use (luckily I used python, and it did a good job).

The task was imho ideal for the first day. The second days (that would be today) task is a little more interesting, but I'll have to wait with the description till tomorrow =^^=

Nick:
URL (optional):
Math captcha: 1 ∗ 7 ＋ 6 =

Sections

Links / Blogs

Posts

Security Days 6, day 1 - solution

Add a comment: