From 447b88a2b61e037f9ece88e4a561d65e79856519 Mon Sep 17 00:00:00 2001
From: Ivaylo Ivanov <me@ivayloivanov.eu>
Date: Sun, 24 Nov 2019 21:10:21 +0100
Subject: [PATCH] Add asis2019 writeup

---
 writeups/ifkata/asis2019.md | 111 ++++++++++++++++++++++++++++++++++++
 1 file changed, 111 insertions(+)
 create mode 100644 writeups/ifkata/asis2019.md

diff --git a/writeups/ifkata/asis2019.md b/writeups/ifkata/asis2019.md
new file mode 100644
index 0000000..08d2713
--- /dev/null
+++ b/writeups/ifkata/asis2019.md
@@ -0,0 +1,111 @@
+# ASIS CTF 2019
+## Overview
+
+Overall, ASIS CTF was quite an enjoyable experience for me.
+The challenges were interesting and required a lot of team effort to be solved, which I really liked.
+That is why when I refer to "we" in the writeup, I mean me and the other studets that took part in the challenges and the Mattermost discussions.
+
+For this CTF, I decided that I wanted to play only web challenges and that is why all of the challenges
+in this writeup are web-based.
+
+## Attempted Challenges
+### Protected Area (Web) - SOLVED
+
+#### Overview
+The challenge was interesting, because it was not the typical web challenge that I was used to.
+
+#### Gathering information
+The website consisted of a plain HTML page with no inputs, no styling and no login forms. This could exclude XSS and SQL injection, but I was not quite sure yet.
+
+The first thing I did is to study the page: I found a JS script that made requests to an endpoint and returned the content of remote files.
+I also found out what functions are included and that the following requests were being made on page load:
+```
+http://66.172.33.148:8008/check_perm/readable/?file=public.txt
+http://66.172.33.148:8008/read_file/?file=public.txt
+```
+
+Starting from there, I found out that the backend is written in Python (the `/check_perm` endpoint returns `True` for boolean -
+doesn't necessarily mean it was Python, but it was worth a shot) that opens only `*.txt` files on the server.
+
+That is when I was convinced that the intended exploit was some sort of path traversal.
+
+#### Exploiting
+Being the script kiddie I am, I tried scanning the page with [dirbuster](https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project) and got rate limited :).
+
+While being rate limited, I researched for any vulnerabilities in the nginx and jquery versions,
+but both of them were quite recent and nothing of worth was found.
+
+When I got unbanned, I thought it was a good idea to try to inject python code (to use environment variables such as `$HOME`)
+but this was not successful, because the code got converted to string.
+
+When code injection was not possible, I tried doing path traversal to find out that `../` and `./` are ignored, even when URI-encoded.
+
+We found out that the `/read_file` endpoint always returns `security` if the request does not end in `.txt`.
+We used that and added a parameter that ends with `.txt` and we were able to read other files.
+
+Knowing that the application was written in Python, we managed to read `app.py` and find a
+file called `api.py` which showed us the URL of the protected area.
+
+Apart from the protected area, `api.py` also showed us that the files `config.py` and `functions.py` existed.
+In `config.py`, we found the admin password and a secret which would later on be used to login to the protected area.
+In `functions.py`, we found out how the login gets checked.
+We used that and the credentials we had found previously to get the flag.
+
+### Protected Area 2 (Web)
+
+#### Overview
+The challenge was sort of similar to Protected Area, but we didn't manage to solve it.
+
+#### Gathering information
+At first glance, the page looks more or less the same: same HTML page and `public.txt` contains the same content as before.
+
+The JavaScript code was a little different, though, and mentioned `private.txt`,
+which contained a link to a docker repository (https://github.com/tiangolo/uwsgi-nginx-flask-docker), possibly used for the challenge.
+
+As expected, the trick with reading the files from the previous challenge didn't work.
+
+Part of the information gathering was starting a container with the image
+from above localyy, so that I could gather a better overview of the file structure.
+
+#### Exploiting
+The first thing I did was to try and find out if there are `docker-compose` files available -
+no success as the `/check_perm/readable` endpoint, which I used to determine if certain files existed and were readable, didn't find anything.
+
+After that I tried scanning the docker image from above for vulnerabilities with [Clair](https://github.com/quay/clair),
+but nothing of interest was found.
+
+Using the endpoint from above and path traversal (`../` was not escaped here),
+I found out that we have the permission to read the nginx configuration and `app.py`.
+
+We then found that we could read files by making requests like the following one:
+```
+curl -v http://66.172.33.148:5008/check_perm/read/?file=../app/main.py
+```
+
+Using the request from above, I found out that there is a `config.py` file in `/opt/py/app` which had inside where the flag is.
+
+The flag was surely a file, but it was not readable.
+
+I tried playing with the different endpoints but I didn't manage to open the file and the time for the CTF ran out.
+
+### ShareL (Web)
+
+#### Overview
+The last challenge was marked as web, but it should have been marked as binary instead.
+
+I started the ShareL as a way to distract myself from the protected areas,
+but I hit so many problems in the information gathering phase that I decided to ditch it and continue with the other challenges.
+
+#### Gathering information
+The application consisted of a single `apk` file, which apparently was a link-sharing system.
+
+I started an Android VM to test the app, but after installing it, the app only returned an error and nothing more.
+I tried launching different architectures and using physicall devices that I had lying around, but nothing worked.
+
+I then decompiled the binary using [apktool](https://ibotpeaches.github.io/Apktool/) to see what I could find.
+I found the directory `smali/com/asisctf/ShareL` which contained different `smali` files but they weren't useful to me
+as I don't know anything how to read them.
+
+After hours spent on pointless browsing through the decompiled files and trying different ways to install the application, I gave
+up and returned to the protected areas.
+
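Review bot: the Protected Area 1 section leaves the key step underspecified; "added a parameter that ends with `.txt`" does not say whether that was a second `file=` value, a separate query key, or a suffix on the same value, so the step cannot be reproduced from the two request lines quoted under "Gathering information". Please state the request shape explicitly. In Protected Area 2 the text names `/check_perm/readable` as the endpoint used for existence checks, while the curl example uses `/check_perm/read/`; say whether these are two distinct endpoints or a typo. Minor wording: "studets", "localyy", "physicall", "I don't know anything how to read them", and "which had inside where the flag is" (presumably "which contained the path to the flag").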
-- 
2.43.0