CSCAMP | Web450 – DarkTasks [WRITE UP]

Before anything else, I have to mention that this was the most interesting challenge, and so far my favourite in the web category, that I have ever done in a CTF :). I learned a lot.
Congrats to Br1ght-D4rk for this awesome task!
So here we go!
In order to get the flag, which was located directly on the server in /home, there are two steps to complete.

Part I: Gaining access to Adminer panel

When we open the DarkTasks challenge, we see this:

Image of Web450_index

Let’s now use curl and see if we get something interesting, either in the headers or in the source code.

Image of Web450_curl

Hmm… we can see a comment in the source code that looks like base64 encoding.
If we decode it, we obtain the following message:

Image of Web450_base64

Let’s connect now to this location: Th3-D4rk-T4sks

Image of Web450_loginportal

At this point, it’s obvious that we have to bypass the login form.

Once again, I launch my Python script and see if it gets any success 🙂
I have a function loginbruteforcer in my script which tries many SQL injection payloads, among them direct or in-band SQLi, blind SQLi, time-based SQLi, XPath, LDAP, …

Image of Web450_validpayloads

So I chose one of the valid payloads and logged into the app to see what it looks like.

Image of Web450_portal1

I noticed that the id of each task is base64 encoded.
So I tried manually fuzzing the id to see whether the id parameter was vulnerable to SQL injection.

I used IPython for that purpose and sent the same payload I used to log into the app.

Image of Web450_ipython

Well, it works! 🙂
Let’s provide the URL and the working payload to my script and dump the MySQL creds.

Image of Web450_mysql

Once I got dark’s password hash, I googled quickly and found that the value corresponding to the hash E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 is 123123.

We can now log into the Adminer panel.
NOTA: The Adminer panel was found by looking at the robots.txt file.

Image of Web450_robots

Image of Web450_admirer1

Image of Web450_admirer2

Part II: RCE, from MySQL to RCE via UDF

For this second part of the challenge, the goal is to write the lib_mysqludf_sys shared module into the MySQL plugin directory, which on a Unix server is located at /usr/lib/mysql/plugin/.
lib_mysqludf_sys is a User Defined Function library that aims to interact with the operating system via the execution environment in which MySQL runs.
In other words, we will be able to execute system commands from the SQL shell.

So I compiled lib_mysqludf_sys. You can have a look at command-execution-with-mysql-udf if you want to do the same.

Then, in my IPython terminal (Python 2 syntax):

# Python 2: read the compiled shared object as bytes and print it as one hex string
print open('/path/to/lib_mysqludf_sys.so', 'rb').read().encode('hex')

After that, I executed these SQL commands:

-- write the hex-decoded shared object into the MySQL plugin directory
select unhex('THE_HEX_ENCODED_VAL_OF_UDF') into dumpfile '/usr/lib/mysql/plugin/saxx.so';
-- register the UDF exported by that shared object
CREATE FUNCTION sys_eval RETURNS string SONAME 'saxx.so';
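From the defender’s side, the two statements above are exactly the pair worth alerting on in the MySQL general query log. The following is an added example, not part of the write-up, of a small Python scanner over constructed general-log lines (the log layout and the sample lines are assumptions) that flags an INTO DUMPFILE write into the plugin directory, a CREATE FUNCTION … SONAME registration, and calls to sys_* functions, and reports connections that did both of the first two.

```python
import re

# Constructed sample lines in MySQL general-log layout (not from the write-up).
SAMPLE_GENERAL_LOG = """\
2017-11-18T10:01:02.000Z\t  12 Query\tSELECT id, title FROM tasks WHERE id = 4
2017-11-18T10:01:05.000Z\t  12 Query\tselect unhex('7f454c46') into dumpfile '/usr/lib/mysql/plugin/saxx.so'
2017-11-18T10:01:07.000Z\t  12 Query\tCREATE FUNCTION sys_eval RETURNS string SONAME 'saxx.so'
2017-11-18T10:01:09.000Z\t  12 Query\tselect sys_eval('id')
2017-11-18T10:02:00.000Z\t  13 Query\tSELECT name FROM mysql.func
"""

# Detection rules: name -> regex applied to the SQL text of each query.
RULES = [
    ("udf_write_plugin_dir",
     re.compile(r"\binto\s+(dump|out)file\s+'[^']*/plugin/", re.I)),
    ("udf_create_function",
     re.compile(r"\bcreate\s+(or\s+replace\s+)?(aggregate\s+)?function\b.*\bsoname\b", re.I)),
    ("udf_sys_call",
     re.compile(r"\bsys_(eval|exec|get|set)\s*\(", re.I)),
]

# One general-log line: timestamp, tab, padded connection id, "Query", tab, SQL.
LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<conn>\d+)\s+Query\t(?P<sql>.*)$")


def scan_general_log(text):
    """Return (connection_id, rule_name, sql) for every query that matches a rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/quit lines and continuation lines are ignored
        for name, rx in RULES:
            if rx.search(m.group("sql")):
                hits.append((int(m.group("conn")), name, m.group("sql")))
                break
    return hits


def udf_chains(hits):
    """Connections that both wrote into the plugin dir and registered a SONAME function."""
    by_conn = {}
    for conn, name, _ in hits:
        by_conn.setdefault(conn, set()).add(name)
    needed = {"udf_write_plugin_dir", "udf_create_function"}
    return sorted(c for c, names in by_conn.items() if needed <= names)
```

Blocking the first step is simpler than detecting it: a web application account that lacks the FILE privilege, plus secure_file_priv pointing at a directory other than the plugin directory, means INTO DUMPFILE cannot place a shared object where CREATE FUNCTION will load it.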

Now that I have my UDF uploaded, I can execute system commands via the SQL injection.
Here is the final payload:

select sys_eval('cat /home/Th3_D@rk_S3cr3t/FL@g_Bala7.txt')

Flag : Th3_Gr3@t_7aMaDa

I hope that you’ve learned some stuff like me! 😉
Once again, congrats to Br1ght-D4rk for this incredible task! It was very fun and very instructive!

Enjoy, folks 🙂
