Cyber Security Rumble — Germany — CTF Challenge

Challenge : Cyberwall
Task : We had problems with hackers, but now we got an enterprise firewall system built by a leading security company.
Author: rugo|RedRocket
The challenge is to break into the application’s Cyberwall aka login firewall.

The login page asks only for a password; there is no username field. That is a hint that the check is simple: with nothing to look up per user, the expected password is probably hard-coded, either in the page itself or in a file sitting next to the application. Let's take a look at the login page source code,

Here we find a piece of JavaScript that checks the password entirely on the client side, in the page source itself.
<script type="text/javascript">
// Client-side check: the expected password is a string literal, so anyone
// who views the page source can read it.
function checkPw() {
    var pass = document.getElementsByName('passwd')[0].value;
    if (pass != "rootpw1337") {
        alert("This Password is invalid!");
        return false;
    }
    // The only thing guarding management.html here is this redirect.
    window.location.replace("management.html");
}
</script>
The function checkPw() compares the submitted password with the string literal "rootpw1337" and shows an error on a mismatch; on a match it simply redirects the browser to management.html. Because the comparison runs in the browser, the password is exposed to anyone who views the page source, and as far as this code shows nothing server-side enforces the login, so the redirect target could be requested directly as well.
By entering "rootpw1337" as the password we can log in to the website's management.html page.
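As an added illustration (not code from the challenge or from the write-up), the following Python scanner automates what was done by eye above: it pulls every inline script out of a page, reports comparisons of a variable against a string literal (the pattern that leaks a client-side password), and lists the pages such a check redirects to, which are worth requesting directly. Python is used because the application itself turned out to be a Python WSGI app. The sample page embedded in the block is constructed to mirror the login script shown above; the class and function names are the example's own.

```python
import re
from html.parser import HTMLParser

# Added example, not code from the challenge or the write-up: a small scanner
# for client-side secrets. It extracts inline <script> blocks, then reports
# (a) comparisons of a variable against a string literal, which is how a
# check like checkPw() leaks its password, and (b) the URLs those scripts
# navigate to, which are reachable directly if the server enforces nothing.


class ScriptExtractor(HTMLParser):
    """Collect the raw text of every inline <script> element."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies over as raw data, possibly in chunks.
        if self.in_script:
            self.scripts[-1] += data


# identifier (optionally dotted)   operator   "literal" | 'literal'
COMPARISON_RE = re.compile(
    r"""([A-Za-z_$][\w$]*(?:\.[\w$]+)*)\s*(===|!==|==|!=)\s*(?:"([^"\n]*)"|'([^'\n]*)')"""
)

# window.location.replace("x") / location.assign('x') / location.href = "x"
REDIRECT_RE = re.compile(
    r"""(?:window\.)?location(?:\.href\s*=|\.replace\s*\(|\.assign\s*\()\s*(?:"([^"\n]*)"|'([^'\n]*)')"""
)


def inline_scripts(html):
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.scripts


def find_hardcoded_comparisons(html):
    """Return (variable, operator, literal) for each string-literal comparison."""
    hits = []
    for script in inline_scripts(html):
        for m in COMPARISON_RE.finditer(script):
            literal = m.group(3) if m.group(3) is not None else m.group(4)
            hits.append((m.group(1), m.group(2), literal))
    return hits


def find_redirect_targets(html):
    """Return the URLs that inline scripts navigate to after a check passes."""
    targets = []
    for script in inline_scripts(html):
        for m in REDIRECT_RE.finditer(script):
            targets.append(m.group(1) if m.group(1) is not None else m.group(2))
    return targets


# Constructed sample page mirroring the challenge's login script.
SAMPLE_LOGIN_PAGE = """<html><body>
<form onsubmit="return checkPw()"><input name="passwd" type="password"></form>
<script type="text/javascript">
function checkPw() {
    var pass = document.getElementsByName('passwd')[0].value;
    if (pass != "rootpw1337") {
        alert("This Password is invalid!");
        return false;
    }
    window.location.replace("management.html");
}
</script>
</body></html>"""


if __name__ == "__main__":
    for var, op, literal in find_hardcoded_comparisons(SAMPLE_LOGIN_PAGE):
        print(f"client-side check: {var} {op} {literal!r}")
    for target in find_redirect_targets(SAMPLE_LOGIN_PAGE):
        print(f"gated page (try requesting it directly): {target}")
```

Run against a saved copy of a login page, the scanner prints the literal the script compares against and the page it unlocks. The regexes are intentionally narrow (only direct literal comparisons and the three common location setters), so a check that decodes or hashes its secret first will not show up; that is still a client-side check, just one that needs a debugger rather than grep.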

It took me roughly 3 to 4 minutes to bypass the login page. Now I'm stuck on the management.html page wondering where the flag is. I started to analyze its source code but couldn't find any lead. Then something in the side menu panel got my attention: "Debugging". I clicked the Debugging button on the side panel and it took me to a debug page with an input field that runs a ping,

The ping function pings a host. So I just tried to ping my all-time favourite, google.com,

Okay, it pinged google.com exactly as a terminal would, which suggests the input is handed straight to a shell.
So I tried chaining a second command in the input field using the shell's command separator, "google.com; ls",

That confirmed the input reaches a shell unsanitized: a single input ran two commands, and the output of the second one listed the files in the application's working directory,
requirements.txt
static
super_secret_data.txt
templates
webapp.py
wsgi.py
There is a juicy file called "super_secret_data.txt", and the listing (requirements.txt, wsgi.py, webapp.py, templates) shows the backend is a Python WSGI app running with that file beside it. Now we just have to use the "cat" command to read it out.
Feed the input as ";cat super_secret_data.txt" or "google.com; cat super_secret_data.txt" and the system prints the file's contents,

The system printed the secret flag hidden in the file, right after the ping output:
PING google.com (66.102.1.113) 56(84) bytes of data.
64 bytes from wb-in-f113.1e100.net (66.102.1.113): icmp_seq=1 ttl=114 time=1.01 ms
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.008/1.008/1.008/0.000 ms
CSR{oh_damnit_should_have_banned_curl_https://news.ycombinator.com/item?id=19507225}
The hidden flag is,
CSR{oh_damnit_should_have_banned_curl_https://news.ycombinator.com/item?id=19507225}
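The debug page's bug is a textbook OS command injection. The following Python block is an added example, not the challenge's webapp.py (which we never saw): vulnerable_ping() models what the observed behaviour implies, splicing the input into a shell command line, and hardened_ping() shows the two fixes a reviewer would ask for, validating the input as a hostname and executing an argument list so no shell ever parses it. The base argument and the payload string are the example's own assumptions; base exists only so the demo can stand in echo for ping and run where ping is absent or needs raw sockets.

```python
import re
import subprocess

# Added example, not the challenge's webapp.py: a minimal model of the debug
# page's ping feature. vulnerable_ping() interpolates the input into a shell
# string (the behaviour the write-up observed); hardened_ping() validates the
# hostname and runs an argv list with no shell. `base` lets the demo swap
# ping for echo so it runs anywhere.

DEFAULT_SHELL_BASE = "ping -c 1"
DEFAULT_ARGV_BASE = ("ping", "-c", "1")

# Hostnames: letters, digits, dots and hyphens only, no leading hyphen (so the
# value cannot be parsed as an option) and none of the shell's metacharacters.
# IPv6 literals are deliberately rejected by this pattern.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def vulnerable_ping(host, base=DEFAULT_SHELL_BASE):
    """Splice untrusted input into a shell command (the challenge's bug).

    With shell=True the string goes through /bin/sh, so ';', '|', '&&',
    '$(...)' and backticks inside `host` all become extra commands.
    """
    result = subprocess.run(f"{base} {host}", shell=True,
                            capture_output=True, text=True)
    return result.stdout + result.stderr


def validate_hostname(host):
    """Allow-list check; raises ValueError on anything a shell could interpret."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    return host


def hardened_ping(host, base=DEFAULT_ARGV_BASE):
    """Validate, then exec an argv list: no shell, no word splitting."""
    argv = [*base, validate_hostname(host)]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout + result.stderr


def argv_only_ping(host, base=DEFAULT_ARGV_BASE):
    """The second defence on its own: without a shell, even unvalidated input
    is a single argument, so 'x; cat f' is just an odd-looking hostname."""
    result = subprocess.run([*base, host], capture_output=True, text=True)
    return result.stdout + result.stderr


# Constructed payload in the shape the write-up used.
PAYLOAD = "google.com; echo INJECTED"

if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_ping(PAYLOAD, base="echo PING")))
    print("argv only :", repr(argv_only_ping(PAYLOAD, base=("echo", "PING"))))
    try:
        hardened_ping(PAYLOAD, base=("echo", "PING"))
    except ValueError as e:
        print("hardened  :", e)
```

With echo standing in for ping, the vulnerable version prints "PING google.com" and then "INJECTED" on its own line, because the shell ran the second command; the argv-only version prints the whole payload as one literal argument; the hardened version refuses the input before anything runs. Validation and no-shell execution are kept separate on purpose: the allow-list also stops option injection (a leading "-"), which the argv form alone does not.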
Thanks for reading my blog on "Cyber Security Rumble Germany — CTF Challenge". See you again on another interesting blog. Bye.
Challenge Scoreboard :

My User Name : H1v3
My Position : 368 out of 912