From 10bc971d461d841c6861afee460eb48645ebf3ac Mon Sep 17 00:00:00 2001 From: chgue Date: Sun, 8 Dec 2019 14:15:40 +0100 Subject: [PATCH] Update old writeups, add ctfzone writeup. --- writeups/chgue/ctfzone19.md | 97 +++++++++++++++++++++++++++++++++++ writeups/chgue/seccon19.md | 11 ++-- writeups/chgue/tasteless19.md | 2 + 3 files changed, 106 insertions(+), 4 deletions(-) create mode 100644 writeups/chgue/ctfzone19.md diff --git a/writeups/chgue/ctfzone19.md b/writeups/chgue/ctfzone19.md new file mode 100644 index 0000000..e696136 --- /dev/null +++ b/writeups/chgue/ctfzone19.md 
@@ -0,0 +1,97 @@ +# Retrospective +This CTF was not really fun. It felt like _a lot_ of guesswork (at least the web challenges that I attempted). + +At first I tried chicken together with @theguy, but the obvious vulnerability did not help us to find anything. Instead we wasted a few hours trying to find a hint in the filesystem. In total I spent about 2 hours. + +On the second day I tried to help with bathhouse. @lavish and @smashing already did most of the interesting stuff (SQLi and PDF writer exploitation). It seemed like the challenge is almost done and one just needs to find the next hint in the filesystem (again...). However, I spent around 5 hours finding nothing of interest until @lavish used `dirbuster` to find the next hint... After we had the correct paths it took about 30 minutes to find the next and final hint. + +# bathhouse (solved) +## Overview +Given is a django-based webpage of a bathhouse. One can book a bathhouse by filling out a form. The form consists of a radio button selector, a hours number field, a phone number fild and a username text field. + +## Exploit +The username field allows for SQL to be injected. @lavish created a script to run a blind SQLi and found a table called `backup` which contains the columns `username` and `password`. The only row contained `main_admin_user` and `njafnGAJNSGAkn123`. These credentials can be used to login at `http://web-bathhouse.ctfz.one/set_price/`. This page can be found in the `robots.txt` which contains + + User-Agent: * + Disallow:/set_price/ + +When logged in one sees the last request submitted through the booking form including all the given information. Additionally, a number input is given where the admin can set the price for the request. On submission of the price a PDF booking confirmation is generated using `wkhtmltopdf 0.12.1`. Instead of a price one can inject HTML which will be rendered in the PDF. Therefore, it is possible to include JavaScript to read local files. 
+ + + +However, reading directories is not possible. How can one find an interesting file to read? Well after spending hours searchin for the next hint, @lavish found the `http://web-bathhouse.ctfz.one/status/` page by using `dirbuster`.The page has the following contents which hint at interesting directories: + + Status page + + Web app folder: /opt/project/ + Submodules: task, calculate + + Everything works correctly (200) + +The project is implemented in a typical django fashion. The next hint is included in `/opt/project/calculate/views.py`. Apart from the other views, the file includes the following comments + + # def sync(request): # Get sync data by http request. #syncData('http://syncdata/sync.html') + +Curiously enough, using the above script does not work for fetching `http://syncdata/sync.html`. However, an iframe works + +

Report Heading
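Review bot: in the last lines of the ctfzone19.md hunk, the payload that follows "However, an iframe works" is raw HTML inside a markdown file, so it will be rendered as an element (or dropped by the renderer) instead of being shown as text; wrap it in an indented or fenced block the way the `robots.txt` and `views.py` excerpts are. The same applies to the JavaScript used to read local files: the hunk says "using the above script does not work for fetching `http://syncdata/sync.html`", but no script appears above that sentence, so the reference does not resolve unless the snippet is added to the writeup. Minor wording fixes in the same hunk: "a hours number field, a phone number fild" → "an hours number field, a phone number field", "searchin" → "searching", and a missing space in "`dirbuster`.The page".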