SSRF/XSPA (Web Application Vulnerability) CTF Write up- Garage4Hackers

June 23, 2015

Last time we organized a CTF based on a web application vulnerability, i.e. SSRF / XSPA. For those who are new to SSRF, please go through this slide deck: http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities.

Just for the record, the next G4H Ranchoddas Webcast is on Mobile Application security, and registration is open.

You can find the CTF source code here: https://github.com/sandeepl337/Garage4hackers-March-2015-CTF-SSRF-XSPA.

On the CTF server we were running an internal application on port 80 and an external application. The mission of the CTF was to find the flag in a PHP file. The vulnerable external application is used to extract the title of any website: it fetches whatever URL it is given in its url parameter and prints the page title.

The following write-up is from Hai Au Huynh:

—— START ——

First of all, we put “foobar” into the url parameter and got “Caught exception: _(asfsafindex.php): failed to open stream: No such file or directory” => the application parses our input as a file and reads it.

So it’s clear that the next step is to read the source code of the application: we put “index.php” into the url parameter and get the index.php source code.

The code is going to do something like this:
include(‘include/extractTitleLogic.php’);
Get the contents of the url parameter input; if it has a title tag, print out the title, if not, print out the contents of the input. With the include/extractTitleLogic.php disclosure, we try to read the contents of include/extractTitleLogic.php, but it contains the title tag, so we cannot read it. But fortunately, include/index.php does not, so we can read it out.

In the source code of include/index.php, we get:
“// “The feeling that conversations and any data (whiteboard included) are encrypted without having to mess around with complicated options and setup is a massive plus. It’s very very easy to use.” – zorgalicious
// //  You Found key! w00t!! :)
// Decrypt Blowfish following code and send CTF Flag to following email
//   49FE06DB9909C6FC6AE11D44F12CD39F659690A388F660A13709CDFA7F06A0E9343E9058EADB9A4CE9AE4F2BC2585768”

The first quote seems to make sense, so we try to search for it, and it leads to this page:
http://www.bitwiseim.com/features.php?f=Encryption&Presentation=Mac.
So at this point it’s very clear that we can decrypt the Blowfish message at that site, and we get the flag: Garage4Hacker Private Key:
0x33331337

—— END ——
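The title-extractor behaviour described in the intro and reverse-engineered in the write-up (hand the url parameter straight to a stream-opening call, print the title if there is one, otherwise print the whole content) is what let a bare filename such as include/index.php leak source, and why a file that happens to contain a title tag only gave up its title. As an added example, not the CTF's or the author's code, the Python below models that logic next to the URL validation that would have blocked it. The file contents, the hostnames in FAKE_DNS and the function names (naive_fetch, extract_title, validate_url, hardened_endpoint) are all constructed for the demonstration.

```python
"""Added example, not the CTF's own code: a model of the title-extractor
behaviour the write-up describes, next to the URL check that would have
stopped a bare filename (or a file:// or internal URL) from being opened.
All file contents and hostnames below are constructed stand-ins."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Constructed stand-in for the CTF's files, keyed by the exact string the
# "url" parameter carried. Contents are made up for the demonstration.
FAKE_FILES = {
    "index.php": "<?php\ninclude('include/extractTitleLogic.php');\n",
    # A title-matching regex literal is one plausible reason the real file
    # "contains the title tag" and therefore only ever leaks its title.
    "include/extractTitleLogic.php": (
        "<?php\npreg_match('#<title>(.*?)</title>#is', $page, $m);\n"
    ),
    "include/index.php": "<?php\n// You Found key! w00t!! :)\n",
}

# Constructed offline resolver so the hardened check runs without network.
FAKE_DNS = {"public.example": {"8.8.8.8"}, "localhost": {"127.0.0.1"}}

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


def naive_fetch(target):
    """Models PHP's file_get_contents(): hands back whatever the string names,
    remote URL or local path alike, with no scheme or host check."""
    if target in FAKE_FILES:
        return FAKE_FILES[target]
    raise IOError(f"{target}: failed to open stream: No such file or directory")


def extract_title(page):
    """The logic the write-up reverse-engineered: return the <title> text if
    the page has one, otherwise echo the whole fetched content."""
    m = TITLE_RE.search(page)
    return m.group(1).strip() if m else page


def vulnerable_endpoint(url):
    """The CTF's behaviour: the url parameter goes straight to the fetcher."""
    return extract_title(naive_fetch(url))


def _resolve(host):
    """Real DNS lookup; only used when no offline resolver is injected."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_url(url, resolve=_resolve):
    """Allow only http(s) to a host whose every address is public.
    Returns the hostname, or raises ValueError with the reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme or '(none)'}")
    if not parts.hostname:
        raise ValueError("no host in URL")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    try:  # IP literal: no lookup needed (covers http://127.0.0.1/, http://[::1]/)
        addrs = {str(ipaddress.ip_address(parts.hostname))}
    except ValueError:
        addrs = resolve(parts.hostname)
    if not addrs:
        raise ValueError(f"{parts.hostname} does not resolve")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:  # loopback, RFC 1918, link-local, reserved ranges
            raise ValueError(f"{parts.hostname} resolves to {ip}, not public")
    return parts.hostname


def is_allowed(url, resolve=_resolve):
    """Boolean wrapper around validate_url() for callers that only need a verdict."""
    try:
        validate_url(url, resolve)
        return True
    except ValueError:
        return False


def hardened_endpoint(url, fetch=naive_fetch, resolve=_resolve):
    """Same feature, but the url must pass validate_url() before any fetch."""
    validate_url(url, resolve)
    return extract_title(fetch(url))


if __name__ == "__main__":
    print(repr(vulnerable_endpoint("include/index.php")))             # whole file
    print(repr(vulnerable_endpoint("include/extractTitleLogic.php")))  # title only
    for u in ("include/index.php", "file:///etc/passwd",
              "http://localhost/", "http://169.254.169.254/"):
        try:
            hardened_endpoint(u, resolve=FAKE_DNS.get)
        except ValueError as e:
            print(f"blocked {u}: {e}")
```

The check resolves the name itself and fails closed on anything that is not a public address, which covers bare paths, file://, loopback, RFC 1918 and the 169.254.169.254 metadata range. It is still only a pre-flight check: an attacker who controls DNS can answer differently at connect time (rebinding), an HTTP redirect can point the fetcher somewhere else after validation, and shorthand literals such as 127.1 are handed to the resolver rather than parsed. Repeating the address check on the socket actually connected, refusing to follow redirects, or routing fetches through an egress proxy with its own allow-list closes those gaps.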
