Monday, 19 December 2011

ClubHack preCON CTF walkthrough

ClubHack 2011, India’s hacker conference, was held on 3-4 December 2011 in Pune, India. It had a pre-conference hacking competition called WEBWAR, whose winners got free entry to the ClubHack event and also qualified to play Treasure Hunt, a physical CTF held at the conference.

This post is a walkthrough of that preCON CTF challenge. After registering for the event, ClubHack provided the link to the CTF server, which hosted a website.

The site had a file download page and a login module. At first glance the login page is the way in, with more to come once logged in; the download page lets us fetch files that might help with other attacks or with logging in to the application.

Let’s analyze the login module.

The login page hashes the password with MD5 and submits the hash to authenticate.

The login did not appear vulnerable to SQL injection or authentication bypass. The only remaining attack would be brute force, which proves nothing in a CTF. So we need valid credentials to log in.

The other page of interest was download.html.

The download link looks like this:
http://183.82.241.134/ClubHack/download.php?f=1.bin&oa=cf02eabd1afbca475abeb5760f16f0e2f4dfd929

The download page takes 2 parameters: a filename and a hash. The hash was identified as SHA-1 from its length (40 hex characters, i.e. 160 bits). After a few tests it was clear that to download any file we need both the filename and its SHA-1 hash. Filenames can be guessed, but there was no clue how the hash for a particular file was derived.

Further inspection of the download.html source revealed execute.php in an HTML comment. This seemed interesting.

When accessed, execute.php shows a form that takes 2 parameters: Command and Filename.

My first thought was command injection. Trying “;ifconfig” produced the error: “Sorry Babu, Test page! Wonly one command is allowed. Try again!”

After several attempts it was clear that this page was not vulnerable to any injection; as the error message says, it runs exactly one command. So I went through the Linux commands that take a filename as a parameter: cat, less, more, tail, and so on.

None of these worked. That left the checksum commands, and “sha1sum” worked with a valid filename.

Now things are clear: identify the file to download, generate its SHA-1 hash with execute.php (sha1sum), then fetch it with download.php using that hash as the oa parameter.

Let’s download UserLogin.php, since the goal is to log in. The following URL was used:
http://183.82.241.134/ClubHack/download.php?f=UserLogin.php&oa=36ea1d4979568e6804b61b846ed855fe5d6f626c

Now all that was left was to analyse UserLogin.php, see how it authenticates a user, and log in. But this is a CTF, and it wasn’t that easy.

UserLogin.php was obfuscated. A quick Google search showed that the PHP obfuscator at http://www.fopo.com.ar had been used. Now we need to de-obfuscate it. Google didn’t turn up any online or offline tool for this obfuscation, so the only option left was to switch to manual mode.

This is how UserLogin.php file looked:

I used a local PHP server to de-obfuscate it. The first step was to change eval() to echo(), which prints the code eval would have executed so we can analyse it further. The output looks like this:

It looks like arbitrary strings are used to construct variable and function names. The only way to resolve them was to echo the string values and replace them in the code with the original names. The input file looks like this:

And the output:

The final code after replacing the names looks like this:

Now it’s sort of readable. This code has another eval(), which applies str_rot13, base64_decode and gzinflate to an input string.
Let’s echo it instead of eval’ing it.

Now it’s much clearer. The PHP code takes the POST parameters username and password and checks them against the contents of a file. So the file “\x6d\171\x68\141\x73\150\x65\163\x61\162\x65\156\x6f\164\x68\145\x72\145\x2e\164\x78\164” seems to hold the credentials. Echo this string to get the exact filename.
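
As an added example (not code from the original post, nor from the obfuscator’s site), here is a small Python script that does offline what the eval-to-echo trick did by hand: it peels the str_rot13 / base64_decode / gzinflate wrapper one layer at a time, and resolves the \xHH and \NNN escapes of the filename string above. The exact eval(gzinflate(base64_decode(str_rot13("…")))) nesting is assumed from the function names listed in the post; the PHP snippet it wraps is constructed for the demo and is not UserLogin.php itself.

```python
import base64
import codecs
import re
import zlib

# The escaped filename string taken from the de-obfuscated UserLogin.php quoted above.
ESCAPED_FILENAME = r"\x6d\171\x68\141\x73\150\x65\163\x61\162\x65\156\x6f\164\x68\145\x72\145\x2e\164\x78\164"

# Assumed wrapper shape: eval(gzinflate(base64_decode(str_rot13("..."))));
LAYER_RE = re.compile(r'eval\(gzinflate\(base64_decode\(str_rot13\("([^"]+)"\)\)\)\);')


def decode_php_escapes(s):
    """Resolve PHP double-quoted string escapes: \\xHH (hex) and \\NNN (octal)."""
    def one(m):
        tok = m.group(0)
        if tok[1] in "xX":
            return chr(int(tok[2:], 16))
        return chr(int(tok[1:], 8))
    return re.sub(r"\\x[0-9A-Fa-f]{1,2}|\\[0-7]{1,3}", one, s)


def peel_layer(payload):
    """Undo one layer: str_rot13, then base64_decode, then gzinflate (raw DEFLATE, no zlib header)."""
    rot = codecs.decode(payload, "rot13")
    raw = base64.b64decode(rot)
    return zlib.decompress(raw, -15).decode()  # wbits=-15 == raw DEFLATE as gzdeflate() produces


def unwrap_all(code):
    """Replace every eval() wrapper with the code it would run, like changing eval to echo in a loop.
    Returns (plain_code, number_of_layers_removed)."""
    layers = 0
    while True:
        m = LAYER_RE.search(code)
        if not m:
            return code, layers
        code = code[:m.start()] + peel_layer(m.group(1)) + code[m.end():]
        layers += 1


def wrap_layer(code):
    """Demo-only inverse (gzdeflate -> base64_encode -> str_rot13) used to build the sample input."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(code.encode()) + c.flush()
    inner = codecs.encode(base64.b64encode(raw).decode(), "rot13")
    return 'eval(gzinflate(base64_decode(str_rot13("%s"))));' % inner


# Constructed sample: a tiny PHP snippet (not the CTF's code) wrapped in two layers.
SAMPLE_PLAIN = '$f = "%s"; if ($_POST["user"] == trim(file_get_contents($f))) echo "ok";' % ESCAPED_FILENAME
SAMPLE_OBFUSCATED = "<?php " + wrap_layer(wrap_layer(SAMPLE_PLAIN)) + " ?>"

if __name__ == "__main__":
    plain, n = unwrap_all(SAMPLE_OBFUSCATED)
    print("peeled %d layers:\n%s" % (n, plain))
    print("credential file:", decode_php_escapes(ESCAPED_FILENAME))
```

Running it against a real fopo output is the same loop: paste the file’s contents in place of SAMPLE_OBFUSCATED; each iteration prints exactly what echo printed in place of eval, without ever executing the obfuscated code.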

Now let’s get this file.

Sometimes when you work too hard, your brain stops thinking in the right direction and you keep trying the wrong way. I was trying to download this file with download.php, which every time said “Invalid file type”. The error kept me thinking about bypassing that file type check to get the file. But since it is a plain text file, we can simply browse to it directly.

Now we have credentials. The password in the file is stored as a hash, and the login page itself submits an MD5 of the password, so tampering with the POST request to send the stored hash directly got me logged in.

This looks like the final stage (Final.php): a form that looks like an email client, used to send a vulnerability report to the Security & Management team.

The page has hardcoded email addresses in a “sendtomails” hidden parameter, and the subject is also hardcoded to “Security Updates”.

Both parameters are validated server side; any tampering with them results in an error.

Only the Message field is left to the user. None of the server-side attacks (SQL injection, command/code injection) worked here. I tried for 2 days at this level. There were no clues. I felt lost.

Then ClubHack tweeted about 2 flag submissions.

So it was confirmed that there is a way past Final.php; I just hadn’t found it yet. One day before the conference, ClubHack released a hint via Twitter.

Now things got clearer. ClubHack was talking about cookies, which points to XSS. Cross-site scripting is a client-side bug, and I had never heard of it being used in a CTF, where mostly server-side bugs are exploited to get the flag.

Taking the hint as a clue, I went after the XSS flaw and tried to exploit it.
At first, script and img tags were filtered in the Message parameter, but other tags were allowed. Using an a href tag with an event handler to execute JavaScript, I was able to access the cookies, but that was not enough to pass the level.


It seemed that alerting the cookie wasn’t going to help, so the next step was to include malicious JavaScript. As script tags were not working, I tried bypasses for the filter. The basic one is a mixed-case tag name: <ScRiPt>alert(1)</script>

Next was to include the malicious JavaScript. In this case I included a demo script:

It worked and gave away the flag string and a link to submit the flag.
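
The filter behaviour described in the last few steps, as an added Python example that is not the CTF’s code: the challenge’s real filter is unknown, so naive_message_filter below is an assumed reconstruction that only matches what the post observed (lowercase <script and <img blocked, other tags and event handlers allowed, mixed case not caught). Beside it is the hardened form, which encodes the message for the HTML context instead of blacklisting tag names, and a detector that a reviewer can run over whatever the filter lets through. The payloads are constructed for the demo.

```python
import html
import re
from typing import Optional

# Assumed reconstruction of the level's Message filter (not the CTF's real code): a
# case-sensitive blacklist of two tag names, with the message otherwise reflected unescaped.
def naive_message_filter(message: str) -> Optional[str]:
    if "<script" in message or "<img" in message:
        return None          # the "blocked" outcome seen in the post
    return message           # reflected into the page as-is


# Hardened form: encode for the HTML context the message lands in; no tag blacklist to bypass.
def hardened_message_filter(message: str) -> str:
    return html.escape(message, quote=True)


# Detector for markup that still executes after filtering: a script/img tag in any letter case,
# or any on* event-handler attribute inside an opened tag.
ACTIVE_MARKUP = re.compile(
    r"<\s*/?\s*(?:script|img)\b|<[a-z][^>]*\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def contains_active_markup(text: str) -> bool:
    return ACTIVE_MARKUP.search(text) is not None


# Constructed payloads following the order tried in the post.
PAYLOADS = {
    "plain_script": "<script>alert(document.cookie)</script>",
    "event_handler": '<a href="#" onmouseover="alert(document.cookie)">report</a>',
    "mixed_case": "<ScRiPt>alert(1)</script>",
}


def evaluate(filter_fn):
    """For each payload: True if the filter's output still reaches the page with active markup."""
    results = {}
    for name, payload in PAYLOADS.items():
        out = filter_fn(payload)
        results[name] = out is not None and contains_active_markup(out)
    return results


if __name__ == "__main__":
    print("naive   :", evaluate(naive_message_filter))
    print("hardened:", evaluate(hardened_message_filter))
```

The naive filter stops only the first payload; the event handler and the mixed-case tag both survive, which is the bypass the post used. Adding more names to the blacklist does not close that class of bug; output encoding does, because the escaped text contains no tag at all.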

ClubHack replied to one of my tweets after the flag submission.

After 3 days of effort, it paid off. I enjoyed the ClubHack event. Thanks to the ClubHack team & NII for creating this CTF.

I hope you enjoyed this post. Any comments or suggestions are welcome.