From 447b88a2b61e037f9ece88e4a561d65e79856519 Mon Sep 17 00:00:00 2001 From: Ivaylo Ivanov Date: Sun, 24 Nov 2019 21:10:21 +0100 Subject: [PATCH] Add asis2019 writeup --- writeups/ifkata/asis2019.md | 111 ++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 writeups/ifkata/asis2019.md diff --git a/writeups/ifkata/asis2019.md b/writeups/ifkata/asis2019.md new file mode 100644 index 0000000..08d2713 --- /dev/null +++ b/writeups/ifkata/asis2019.md 
@@ -0,0 +1,111 @@ +# ASIS CTF 2019 +## Overview + +Overall, ASIS CTF was quite an enjoyable experience for me. +The challenges were interesting and required a lot of team effort to be solved, which I really liked. +That is why when I refer to "we" in the writeup, I mean me and the other studets that took part in the challenges and the Mattermost discussions. + +For this CTF, I decided that I wanted to play only web challenges and that is why all of the challenges +in this writeup are web-based. + +## Attempted Challenges +### Protected Area (Web) - SOLVED + +#### Overview +The challenge was interesting, because it was not the typical web challenge that I was used to. + +#### Gathering information +The website consisted of a plain HTML page with no inputs, no styling and no login forms. This could exclude XSS and SQL injection, but I was not quite sure yet. + +The first thing I did is to study the page: I found a JS script that made requests to an endpoint and returned the content of remote files. +I also found out what functions are included and that the following requests were being made on page load: +``` +http://66.172.33.148:8008/check_perm/readable/?file=public.txt +http://66.172.33.148:8008/read_file/?file=public.txt +``` + +Starting from there, I found out that the backend is written in Python (the `/check_perm` endpoint returns `True` for boolean - +doesn't necessarily mean it was Python, but it was worth a shot) that opens only `*.txt` files on the server. + +That is when I was convinced that the intended exploit was some sort of path traversal. + +#### Exploiting +Being the script kiddie I am, I tried scanning the page with [dirbuster](https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project) and got rate limited :). + +While being rate limited, I researched for any vulnerabilities in the nginx and jquery versions, +but both of them were quite recent and nothing of worth was found. 
+ +When I got unbanned, I thought it was a good idea to try to inject python code (to use environment variables such as `$HOME`) +but this was not successful, because the code got converted to string. + +When code injection was not possible, I tried doing path traversal to find out that `../` and `./` are ignored, even when URI-encoded. + +We found out that the `/read_file` endpoint always returns `security` if the request does not end in `.txt`. +We used that and added a parameter that ends with `.txt` and we were able to read other files. + +Knowing that the application was written in Python, we managed to read `app.py` and find a +file called `api.py` which showed us the URL of the protected area. + +Apart from the protected area, `api.py` also showed us that the files `config.py` and `functions.py` existed. +In `config.py`, we found the admin password and a secret which would later on be used to login to the protected area. +In `functions.py`, we found out how the login gets checked. +We used that and the credentials we had found previously to get the flag. + +### Protected Area 2 (Web) + +#### Overview +The challenge was sort of similar to Protected Area, but we didn't manage to solve it. + +#### Gathering information +At first glance, the page looks more or less the same: same HTML page and `public.txt` contains the same content as before. + +The JavaScript code was a little different, though, and mentioned `private.txt`, +which contained a link to a docker repository (https://github.com/tiangolo/uwsgi-nginx-flask-docker), possibly used for the challenge. + +As expected, the trick with reading the files from the previous challenge didn't work. + +Part of the information gathering was starting a container with the image +from above localyy, so that I could gather a better overview of the file structure. 
+ +#### Exploiting +The first thing I did was to try and find out if there are `docker-compose` files available - +no success as the `/check_perm/readable` endpoint, which I used to determine if certain files existed and were readable, didn't find anything. + +After that I tried scanning the docker image from above for vulnerabilities with [Clair](https://github.com/quay/clair), +but nothing of interest was found. + +Using the endpoint from above and path traversal (`../` was not escaped here), +I found out that we have the permission to read the nginx configuration and `app.py`. + +We then found that we could read files by making requests like the following one: +``` +curl -v http://66.172.33.148:5008/check_perm/read/?file=../app/main.py +``` + +Using the request from above, I found out that there is a `config.py` file in `/opt/py/app` which had inside where the flag is. + +The flag was surely a file, but it was not readable. + +I tried playing with the different endpoints but I didn't manage to open the file and the time for the CTF ran out. + +### ShareL (Web) + +#### Overview +The last challenge was marked as web, but it should have been marked as binary instead. + +I started the ShareL as a way to distract myself from the protected areas, +but I hit so many problems in the information gathering phase that I decided to ditch it and continue with the other challenges. + +#### Gathering information +The application consisted of a single `apk` file, which apparently was a link-sharing system. + +I started an Android VM to test the app, but after installing it, the app only returned an error and nothing more. +I tried launching different architectures and using physicall devices that I had lying around, but nothing worked. + +I then decompiled the binary using [apktool](https://ibotpeaches.github.io/Apktool/) to see what I could find. 
+I found the directory `smali/com/asisctf/ShareL` which contained different `smali` files but they weren't useful to me +as I don't know anything how to read them. + +After hours spent on pointless browsing through the decompiled files and trying different ways to install the application, I gave +up and returned to the protected areas. + -- 2.43.0
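Review bot: three spelling errors in the added markdown should be fixed before merge: "studets" in the Overview paragraph ("students"), "localyy" in the Protected Area 2 "Gathering information" section ("locally") and "physicall" in the ShareL "Gathering information" section ("physical"). On documentation, the Protected Area "Exploiting" section states that an added `.txt`-terminated parameter let the team read `app.py` but, unlike the Protected Area 2 section with its `curl -v http://66.172.33.148:5008/check_perm/read/?file=../app/main.py` line, gives no request to reproduce it; adding the equivalent request (with the recovered admin password and secret from `config.py` left out) would make the two writeups consistent. A short sentence noting that the `66.172.33.148` hosts were the event's challenge infrastructure and are no longer expected to be up would also help later readers.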