From 82777fa3c4364076bf305eb2b138ede4da2fd668 Mon Sep 17 00:00:00 2001 From: Daniel Fangl Date: Sun, 26 Jan 2020 02:09:28 +0100 Subject: [PATCH] Add hxp36c3 writeup --- writeups/ginkor/hxp36c3.md | 117 +++++++++++++++++++++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100644 writeups/ginkor/hxp36c3.md diff --git a/writeups/ginkor/hxp36c3.md b/writeups/ginkor/hxp36c3.md new file mode 100644 index 0000000..77dc3fe --- /dev/null +++ b/writeups/ginkor/hxp36c3.md 
@@ -0,0 +1,117 @@ +# HXP 36c3 CTF - WriteUpBin challenge + +The WriteupBin challenge was from HXP 36c3 ctf, which took place from 27. until 29.12.2019. +It was a web challenge, and ended with 13 solves. +Its given description was: +> Finally (again), a minimalistic, open-source social writeup hosting solution. + +## General information about the challenge + +The web service given for this challenge was, as said, a writeup hosting solution, which offered a text field to put writeups in, and generated URLs for them, to be shared with other people. +A docker container, containing the website source including a python script for the admin behaviour, was already given, which enables us to create a local environment to test our solution on, including a docker run command in the first line of the dockerfile, which runs the container as intended for the challenge (including starting the admin script). + +## My own (failed) attempt and information gathering + +Since I was nowhere with a somewhat decent internet connection at the time of me taking the challenge, I only tried solving the challenge locally using the provided docker environment, and also wasn't able to get any information by others using mattermost. +It was still lucky that the docker environment was available, since without it I could not have worked on it at all. +So all of the following "my own attempts" where conducted locally, not on the given server. +Starting the challenge up locally was easy enough after I found the correct command to start docker in the Dockerfile (just building and starting it with exposed ports does not start the admin.py file). + +### First analysis of the challenge + +The challenge consists of a website, with a greetings message, identifing me by some 16 character hex string, and a text input field to submit your writeups. 
+After submitting a demo writeup (which had to be at least 140 characters), the writeup was listed under the previously empty "Your writeups" section of the site, under a 16 character long hex id. +When you click on it (or right after you submitted it), you will be forwarded to the `/show.php?id=5a79cb3347d78b9d` site, where you can like the writeup, and show it to the admin, which then likes the writeup as well. +While guessing that the admin, most likely has the flag either as ID or as writeup, I assumed a good next step would be testing if I can view other writeups as well. +You can also see who liked your writeup, and the admin user was called "admin", so the flag would most likely be in a writeup. + +By a look at the cookies saved by the site (to check how the site knows which user you are), I saw a PHPSESSID cookie, which (without yet looking at the code) hinted that it used PHP sessions as "authentication", to be able to list your own writeups. +I used the inkognito mode of chrome to get another session, which of course had an empty writeup list then, and tried to access my previously created writeups, with success. + +By looking at the source code of the application, and its db.sql file, the earlier suspicion that the flag was in a writeup was confirmed, and the writeup id gets generated by the command used to start docker, and is a random 16 character hex string. Also, there is only one writeup generated for the admin. 
+ +To wrap it up: + +* Flag is stored under admin user with randomly generated 16 character hex ID +* You can access any writeups you want, if you know the ID +* Admin likes your writeup upon request, has username "admin" +* A list of your own writeups gets displayed on the site even if looking at another writeup +* The admin only has one writeup, which contains the flag + +### Attempting to solve the challenge + +Bruteforcing the value is not feasable, since there are 16^16 possibilities, or with a decimal base, 10^19, which would take way to long and overload the server in any case. My first attempt for an XSS injection was simple, just enter a `
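Review bot: the new markdown in this hunk contains several spelling and grammar slips that should be fixed before merge: "identifing" (identifying), "inkognito" (incognito), "feasable" (feasible), "way to long" (way too long) and "where conducted" (were conducted); the date range "from 27. until 29.12.2019" would read more naturally as "from 27 to 29 December 2019". The bullet list summarising the recon is a good addition, but the bullet "You can access any writeups you want, if you know the ID" could say explicitly that this is the access-control gap the rest of the writeup builds on (the id is the only thing protecting a writeup, and the session cookie plays no role in reading one), so a reader sees why the later section focuses on leaking the admin's id rather than on the session. Minor: the brute-force estimate "16^16 possibilities, or with a decimal base, 10^19" is fine as an order of magnitude, but 16^16 is 2^64, about 1.8 x 10^19, which may be worth stating once to avoid the impression that the two figures are equal.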