
vicevirus’ Blog

Yo, welcome to my blog! I write tech stuff and play CTFs for fun. (still a noob)

I-Hack 2022 CTF Attack and Defense Writeup

Introduction

On 19th December 2022, my team and I qualified for the final round of I-Hack 2022 after successfully securing a top-20 place among the participating teams in the pre-qualification round.

The CTF was held for 24 hours and used the Attack and Defense format, which is unlike any CTF I had been to before (those are usually Jeopardy style). In Attack and Defense, every player is given their own server filled with vulnerabilities. Players must exploit each other’s servers and patch their own vulnerabilities to gain points.

This was my third time participating in a Capture the Flag (CTF) cybersecurity event. During this CTF I noticed a lot of shortcomings and things that I didn’t know yet, especially in the area of reverse engineering (RE).

My team and I completed only 2 of the challenges, and we secured 9th place out of 22 participating teams. Overall it was a good learning and competitive experience.

Readlyst Port 80
  1. Browse to /var/www/html and you will find a readlyst folder. Inside the folder are various kinds of files such as registration, login, update, etc.
  2. The first thing I inspected was the registration page, to see how users are able to register.
  3. Here we could see that the registered password is stored as a SHA1 hash, which I believe is unsafe and vulnerable.
  4. Then we browsed into the includes folder…
  5. and found config.php, which holds the database connection details.
  6. Next, we tried to register an account on the website. It was successful, and we were able to put anything other than an email address in the email field (there was no validation).
  7. Then we tried logging in to MySQL using the credentials stated in config.php. We found a table named users and took a look at it, using select * from users to fetch the users’ data.
  8. The user we had created existed in the database, and the role column looked interesting. We took one of the passwords stored in the database and tried to brute-force it using John the Ripper with the rockyou wordlist.
  9. We took the password of fabio.moretzsohn@readlyst.io for this one.
  10. And we found a match for the SHA1-hashed password!
  11. Then we tried logging in to the website, and it was successful!
  12. We explored almost every part of the website and found an interesting place to upload an RCE payload.
  13. We found that author/books/update.php does not check file extensions or MIME types; it allows any file to be uploaded to the server. In this case, we crafted a payload and uploaded a .php file through the upload field.
  14. And done! We successfully uploaded the payload (the shell) to the server.
  15. We could access our payload through the /cover/ folder and send a GET request to have it read /var/flag. And we found the flag!
Readlyst Remedy / Patch

We updated the upload code with a file type check.

(screenshot of the patched update.php)

$allowed_file_types in the patch above only allows JPEG and PNG to be uploaded, and $detected_file_type holds the detected type of the file being uploaded.

If the detected type is not in the allowed file types, the file is not uploaded.
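As an added example (not the team’s patch, which is only visible in the screenshot above), here is a hardened upload handler along the same lines: $allowed_file_types and $detected_file_type are the names the post mentions, while the helper name save_cover_image, the field name cover and the destination directory are assumptions.

```php
<?php
// Added example: a hardened version of the cover-upload handler described in the writeup.
// $allowed_file_types and $detected_file_type follow the post; the function name,
// the 'cover' field name and the destination directory are assumptions.

function save_cover_image(array $file, string $dest_dir): ?string
{
    // Reject anything PHP already flagged (partial upload, size limit, no file at all).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only accept files that really arrived through an HTTP upload.
    $tmp = $file['tmp_name'] ?? '';
    if ($tmp === '' || !is_uploaded_file($tmp)) {
        return null;
    }

    // Allow-list: MIME type => extension we will write to disk.
    $allowed_file_types = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

    // Detect the type from the file contents, never from the client-supplied
    // $file['type'] header or the original filename's extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected_file_type = $finfo->file($tmp);
    if ($detected_file_type === false || !isset($allowed_file_types[$detected_file_type])) {
        return null;
    }

    // Second check: the file must actually decode as that image type.
    $image_info = @getimagesize($tmp);
    if ($image_info === false || $image_info['mime'] !== $detected_file_type) {
        return null;
    }

    // Never reuse the client's filename: generate a random name and force the
    // extension from the detected type, so a "shell.php" can never land in /cover/.
    $new_name = bin2hex(random_bytes(16)) . '.' . $allowed_file_types[$detected_file_type];
    $target   = rtrim($dest_dir, '/') . '/' . $new_name;

    if (!move_uploaded_file($tmp, $target)) {
        return null;
    }
    return $new_name;
}

// Usage from the update page (assumed field name 'cover' and cover directory):
// $saved = save_cover_image($_FILES['cover'] ?? [], __DIR__ . '/../../cover');
// if ($saved === null) { http_response_code(400); exit('Only JPEG or PNG covers are accepted.'); }
```

A second layer is to serve the cover directory with script execution disabled (for example `php_flag engine off` in an .htaccess for mod_php, or an nginx location for /cover/ that is never passed to PHP-FPM), so even a file that slips past the check cannot run as code.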

We used the payload we had already uploaded to run the cp command, copying the patch.php file from the /cover/ folder over ../author/books/update.php:

cp patch.php ../author/books/update.php

PassBook Port 9090 (Unintended solution)
  1. The way we found this flag was by sniffing the network traffic of players trying to attack our server. We set up a tcpdump pipe to write the .pcap file directly onto our own laptop.
  2. I’ll leave another one here from my FAUSTCTF 2023 (newly edited):
     sudo tcpdump -i wg-faustctf -w - not port 22 | ssh vicevirus@fd66:666:364:ffff::1000 'tcpdump -r - -w /home/vicevirus/Downloads/tulip/services/temp_pcap/capture_%H_%M_%S.pcap -G 1 -vvv -s 1 -Z vicevirus'
  3. This command is quite unsafe because we are using root directly to write files locally from outside. We analyzed the captured packets using tulip, and we found attacks toward our port 9090.
  4. From there, we learned that to get the flag we just have to input the correct words.
  5. Then we ran our own attacks, replicating what the earlier attacks did. And we found the flag!

Thanks for reading my writeup!