30 Sep 2012

CSAW 2012 – Web 500

Web 500 is a challenge to break into a website called Derpsoft’s Noderper diagnostics front-end.

Browsing the website for a few minutes with an HTTP intercept proxy (in this case Burp) revealed a number of vulnerabilities:
– When opening a non-existent file the full path is disclosed: {"errno":34,"code":"ENOENT","path":"/opt/noderp/htdocs//abc"}
– The site is vulnerable to directory traversal; for example, GET /../../../../etc/passwd can be used to obtain a copy of the UNIX passwd file
– There is a JSON handler that accepts requests to download a node program (either as JavaScript source or in compiled form) and execute it on the server.

That’s quite a lot to work with!

30 Sep 2012

CSAW 2012 – Web 200

A simple web-based challenge, where anyone can create their own account and log in. The goal is to log in as Administrator, but we don’t know the password 🙁

The source code for the login.php file is provided:

<?php
    $good = true;
    include('mysql.php');
    $key = 'key{...}';
    $auth = false;
    $admin = false;
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        // The username is escaped, but the query uses LIKE, so % and _
        // in the supplied value still act as wildcards.
        $mysql->real_query('SELECT * FROM `csaw`.`users` 
           WHERE `user` LIKE "' . 
          $mysql->real_escape_string($_POST['user']) . '";');
        if ($mysql->errno != 0) {
            echo('Error.');
        } else {
            $result = $mysql->store_result();
            // $auth and $admin are accumulated across every returned row,
            // so they need not be satisfied by the same account.
            while ($row = $result->fetch_assoc()) {
                if ( $_POST['pass'] == $row['pass'] ) {
                    $auth = true;
                }
                if ( $row['user'] == 'Administrator' ) {
                    $admin = true;
                }
            }
        }
        if ( $auth && $admin ) {
            echo( $key );
        }
    }
?>

The user parameter is escaped, so we can’t easily inject SQL code; however, the query uses LIKE, which treats % as a wildcard. If we supply the username a%, all records whose username begins with a are returned. Since Administrator begins with a, the admin flag will be set. If we also know the password of a single user whose name starts with a, the auth flag will be set too, and we’re in.
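The fix is to match the username exactly with a bound parameter and to evaluate both conditions on the single row that actually authenticated, rather than accumulating flags across every row a wildcard returned. The following hardened login.php is an added example, not the challenge’s code; it assumes mysql.php provides a mysqli connection in $mysql and, going one step beyond the page, that the pass column stores password_hash() output instead of plaintext.

```php
<?php
// Hardened variant of the challenge's login.php (added example, not the
// original CSAW code). Assumes mysql.php defines $mysql as a mysqli
// connection and that csaw.users.pass holds password_hash() output.
include('mysql.php');
$key = 'key{...}';   // placeholder, as on the page

function authenticate(mysqli $mysql, string $user, string $pass): ?array
{
    // Exact match with a bound parameter: no string concatenation and no
    // LIKE, so '%' and '_' in the supplied username are ordinary characters
    // and cannot widen the match to other accounts.
    $stmt = $mysql->prepare(
        'SELECT `user`, `pass` FROM `csaw`.`users` WHERE `user` = ? LIMIT 1'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($dbUser, $dbHash);
    $found = $stmt->fetch();
    $stmt->close();
    if ($found !== true) {
        return null;
    }
    // Constant-time check against the stored hash; the plaintext is never
    // compared with ==, which would also expose PHP's loose-comparison rules.
    if (!password_verify($pass, $dbHash)) {
        return null;
    }
    return ['user' => $dbUser];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    $row = authenticate($mysql, $user, $pass);
    // Both conditions are checked on the one row that authenticated, so a
    // password for some other account can never unlock the Administrator path.
    if ($row !== null && $row['user'] === 'Administrator') {
        echo $key;
    } else {
        echo 'Login failed.';
    }
}
```

With this version a username of a% matches nothing, and even an exact match on Administrator still requires that account’s own password.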

We solved it by registering an account called abc with password abc and logging in with username a% and password abc.

This yields the flag: key{6e6a5f85aa6880aa3d4bd1f0477b149d}