From c6da1dac470e42f59a884cf0f5195aae09b38ded Mon Sep 17 00:00:00 2001
From: Ivaylo Ivanov <me@ivayloivanov.eu>
Date: Sat, 18 Jan 2020 19:43:48 +0100
Subject: [PATCH] Add hxp36c3 writeup and fix seccon formatting

---
 writeups/ifkata/hxp36c3.md  | 75 +++++++++++++++++++++++++++++++++++++
 writeups/ifkata/seccon19.md | 22 +++++------
 2 files changed, 86 insertions(+), 11 deletions(-)
 create mode 100644 writeups/ifkata/hxp36c3.md

diff --git a/writeups/ifkata/hxp36c3.md b/writeups/ifkata/hxp36c3.md
new file mode 100644
index 0000000..33e571d
--- /dev/null
+++ b/writeups/ifkata/hxp36c3.md
@@ -0,0 +1,75 @@
+# hxp 36C3
+## Overview
+I found the CTF really interesting, but also frustrating.
+I decided to focus only on includer, as it seemed intriguing and complex enough to do so.
+Tackling the challenge was again a team effort, but unfotunately we couldn't solve it.
+
+
+## Attempted challenges
+### includer-web
+#### Overview
+The challenge consisted of a simple page which said "Hello, your sandbox is <insert_random_bytes_here>".
+There was no JavaScript, no styling, no input.
+
+#### Research
+The first thing I did was to look into the provided files. Thus, I found the following information:
+* the thing runs in a debian buster docker container, behind an nginx web server.
+* a filename can be POSTed and the file will be evaluated if it does not start with `<?`
+* file uploads are disabled in www.conf
+* the `readflag` binary will be run with effective gid `1337`
+* the sandbox is included as a `TMPDIR` in the server environment. This means that temporary files uploaded to the site will be stored there.
+
+#### Exploiting
+When exploiting, I started with the basic stuff. First, I built the docker image, started the container and checked for anything useful.
+
+I then read the documentation of PHP `include_once` to see exactly what we could include. My hopes were that we could
+trigger a remote file inclusion, as file upload was disabled and we cannot upload files from anywhere in the page (at first glance).
+That is why I researched if we could include files from URLs. Normally,
+`include_once` allows that but unfortunatelly, the setting `allow_url_include` is `false`
+by default and it had not been changed so that was not possible.
+
+
+Then, Hetti pointed us to `CVE-2019-11043`, which allows us to exploit remote code execution:
+https://github.com/neex/phuip-fpizdam
+https://github.com/theMiddleBlue/CVE-2019-11043/blob/master/exploit.py
+
+I tried running a couple of prepared exploits against the service, but they didn't work.
+At first, I thought that there was something wrong with the exploits themselves and started checking and debugging theMiddleBlue's exploit.
+This attempt didn't result in anything useful.
+Later on, after some digging in the container itself, I found out that `CVE-2019-11043` cannot be used because:
+* nginx had the required configuration fixes applied
+* the PHP version was the patched one
+
+Additionally, after some time the creator of the challenge told us that the CVE was indeed not the intended exploit.
+
+
+After the disappointment that the CVE was, I decided to see exactly what we could read.
+First, I tried posting a filename and this discovered that we can read files.
+Later on, I discovered that we are restricted to reading files from `/var/www/html`, meaning that calling `/readflag` was not possible.
+
+Finally, in acts of desperation I researched for PHP 7.3.11 and nginx 1.14.2 vulnerabilities, but I couldn't find anything useful.
+
+#### Takeaways
+The solution of includer can be found [here](https://balsn.tw/ctf_writeup/20191228-hxp36c3ctf/#includer).
+Unfortunately, we could not figure that ourselves as we were kind of concentrated on exploiting the CVE from above.
+
+As a takeaway from this challenge, I would list:
+* not focusing too much on a single exploit
+* reading not only the documentation of the languages, that the services are written in, but also the source code of the language itself=
+
+### file-magician-web
+#### Overview
+I started this challenge in an attempt to distract myself from `includer` as I had wasted a lot of time there and was burning out.
+In the end, I left this one in order to continue working on the other challenge.
+
+#### Research
+The site had a basic file upload function and again runs in a docker container.
+
+The script places the flag in a file with a predictable and random part of the name.
+
+It also creates a sqlite database for every session and it saves data about the uploaded files there.
+
+I also checked whether or not it would be a problem to do path traversal and found out that it would not be a problem,
+seeing that the script was not limited to the web root only as it was the case with `includer`.
+
+I left the challenge after the research phase as it did not interest me so much and I wanted to work on `includer`.
diff --git a/writeups/ifkata/seccon19.md b/writeups/ifkata/seccon19.md
index 72acc10..9cf6f7c 100644
--- a/writeups/ifkata/seccon19.md
+++ b/writeups/ifkata/seccon19.md
@@ -1,6 +1,6 @@
 # Seccon: misc-sandstorm
 
-The task was chosen, because it seemed interesting at first and I have never seen such a challenge before. 
+The task was chosen, because it seemed interesting at first and I have never seen such a challenge before.
 
 ### Status: not solved
 
@@ -28,9 +28,9 @@ Generally, I found out that there could be 5 ways of hiding data in the image:
     xdd sandstorm.png
     ```
 
-4. Checking what bitwalk could extract and analyzing the extracted files
+4. Checking what binwalk could extract and analyzing the extracted files
     ```
-    $ bitwalk -e sandstorm.png
+    $ binwalk -e sandstorm.png
     -rw-r--r-- 1 ivo ivo     0 Oct 19 18:14 3B
     -rw-r--r-- 1 ivo ivo 63456 Oct 19 18:14 3B.zlib
     $ zlib-flate -uncompress < 3B.zlib
@@ -39,15 +39,15 @@ Generally, I found out that there could be 5 ways of hiding data in the image:
 
 5. I analyzed the RGBA Values of the image and checked if I could find something there. I used https://georgeom.net/StegOnline/ for this
 
-6. Using (Stegsolve)[https://en.kali.tools/all/?tool=1762] I tried changing the different image channels in case something was there
+6. Using [Stegsolve](https://en.kali.tools/all/?tool=1762) I tried changing the different image channels in case something was there
 
 7. Again, using Stegsolve I tried changing to different bit planes and checking out the result
 
-8. Using (zsteg)[https://github.com/zed-0xff/zsteg] I tried exploring the file a little further and I found out this:
-```
-b1,r,msb,xy         .. text: "SEF:\r$CW"
-b3,rgba,lsb,xy      .. file: MPEG ADTS, AAC, v4 Main, 88.2 kHz, stereo+center+LFE
-b4,rgb,lsb,xy       .. file: MPEG ADTS, AAC, v4 Main, 96 kHz
-```
+8. Using [zsteg](https://github.com/zed-0xff/zsteg) I tried exploring the file a little further and I found out this:
+    ```
+    b1,r,msb,xy         .. text: "SEF:\r$CW"
+    b3,rgba,lsb,xy      .. file: MPEG ADTS, AAC, v4 Main, 88.2 kHz, stereo+center+LFE
+    b4,rgb,lsb,xy       .. file: MPEG ADTS, AAC, v4 Main, 96 kHz
+    ```
 
-Which, I think, means that there is an audio file inside the image.
+    Which, I think, means that there is an audio file inside the image.
-- 
2.43.0