This is my second time being an author and organizer for UMassCTF. Since this year’s theme was flash/io games, it was a great opportunity for me to incorporate web game elements. So I decided to create a web challenge using WebSockets themed on the “Falling Blocks” game, where the player has to dodge the falling blocks and the longer you survive, the higher your score. The vulnerability itself wasn’t hard to find and exploit, but I aimed to make it subtle and more realistic.
The initial setup of this challenge allowed users to view different text files on the website. However, there was a remote code execution vulnerability in the way the web application took in the file path. Specifically, it passed the path to PHP’s assert() function, which evaluates a string argument as PHP code. (This is PHP 5 and PHP 7 behaviour: string arguments to assert() were deprecated in PHP 7.2 and are no longer evaluated in PHP 8.)
Approach
When I first opened up the website and clicked on the different text files, I noticed that they were displayed using a URL parameter named file. I then looked at the source code and found that the PHP file was reading that parameter with $_GET and passing it on to assert().
This challenge has an HTTP parameter pollution vulnerability, where the same parameter is sent more than once and different parts of the application disagree about which value to use. In order to solve the challenge, I used Burp Suite to intercept the web request and started from there.
Approach
I first noticed that there is a login and a register page, so I made a new user and logged in as that user.
The message on the web page tells us that it wants us to get the most donations, but it seems like Jeff Bezos is the only one you can donate to.
The second part of “Donations” also has a parameter pollution vulnerability, so the approach is to exploit this vulnerability in the request.
Approach
The first step was the same as part 1 of the challenge: I registered a user and intercepted the request for making a donation to “Jeff Bezos”. I tried sending a negative amount, but the response returned an error message.
This was the key to finding the solution: the message told me that “only Amazon can steal your money”. So I had the idea of adding a “from” parameter to indicate the sender as “amazon”. Like part 1 of the challenge, I overrode the destination with an additional “to” parameter directed to a user I created. As the image below shows, I was able to send “currency” from one user to another.
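To make the mechanism behind both “Donations” parts concrete, here is an added example (my own illustration, not the challenge’s source) of how parameter pollution works when a request is parsed twice. The field names to, from and amount and the ALLOWED_RECIPIENTS set are hypothetical stand-ins; the constructed body simply sends to twice, as in the intercepted request above. The vulnerable handler validates the first value of a repeated key and then acts on the last one, which is exactly the disagreement an attacker exploits; the hardened handler parses once and rejects repeated keys outright.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed request body for the example: "to" is sent twice.
POLLUTED_BODY = "to=Jeff+Bezos&to=attacker&amount=10"
CLEAN_BODY = "to=Jeff+Bezos&amount=10"

# Hypothetical allowlist standing in for the challenge's real check.
ALLOWED_RECIPIENTS = {"Jeff Bezos"}


def first_wins(body: str) -> dict:
    """Keep the first occurrence of each key (Werkzeug's .get() does this)."""
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        params.setdefault(key, value)
    return params


def last_wins(body: str) -> dict:
    """Keep the last occurrence of each key (PHP's $_GET/$_POST do this,
    and so does dict() over the decoded pairs)."""
    return dict(parse_qsl(body, keep_blank_values=True))


def vulnerable_donate(body: str) -> str:
    """Validation and execution read the body with different parsers.
    Returns the recipient that is actually credited."""
    checked = first_wins(body)
    if checked.get("to") not in ALLOWED_RECIPIENTS:
        raise ValueError("unknown recipient")
    executed = last_wins(body)          # a different answer for repeated keys
    return executed["to"]


def hardened_donate(body: str) -> str:
    """Parse once, refuse repeated keys, and validate the same value that is used."""
    multi = parse_qs(body, keep_blank_values=True)
    dupes = sorted(k for k, v in multi.items() if len(v) != 1)
    if dupes:
        raise ValueError(f"repeated parameter(s): {dupes}")
    params = {k: v[0] for k, v in multi.items()}
    if params.get("to") not in ALLOWED_RECIPIENTS:
        raise ValueError("unknown recipient")
    return params["to"]


if __name__ == "__main__":
    print("vulnerable credits:", vulnerable_donate(POLLUTED_BODY))   # attacker
    try:
        hardened_donate(POLLUTED_BODY)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The same split shows up in real stacks whenever a reverse proxy, WAF or framework-level validator parses the query string with one rule and the application code with another; the fix is to settle on one parse of the request and to treat any repeated parameter as an error rather than silently picking a winner.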
Overall this was a pretty fun challenge and I enjoyed it a lot. It came off as easy at first, but it tricked me in a few places. The challenge can be broken down into two major stages: figuring out how to obtain the secret key used to sign the session cookie, and then reading the file flag.txt through the filename URL parameter.
Approach
When I first opened up the web page, I got a 403 error. So I inspected the provided source code and found that the server checks the session cookie for the key-value pair {userid: 0}.
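Why the secret key matters: a signed session cookie is only as trustworthy as the secrecy of the key, so anyone holding the key can mint a cookie with any claims they like. The following is an added example of that idea and not the challenge’s actual session implementation; it uses a simple base64(JSON).base64(HMAC-SHA256) layout of my own, and the key and user IDs are constructed values. It shows that editing the payload without the key is rejected, while signing {"userid": 0} with the key passes the same check.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key standing in for whatever key the server really used.
SERVER_KEY = b"example-secret-key-not-the-real-one"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_payload(data: dict) -> str:
    return _b64(json.dumps(data, separators=(",", ":"), sort_keys=True).encode())


def sign_session(data: dict, secret_key: bytes) -> str:
    """Produce payload.signature, as a server would when setting the cookie."""
    payload = _encode_payload(data)
    sig = hmac.new(secret_key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def load_session(cookie: str, secret_key: bytes) -> Optional[dict]:
    """Return the session dict if the signature checks out, else None."""
    try:
        payload, sig = cookie.rsplit(".", 1)
        expected = hmac.new(secret_key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):   # constant-time compare
            return None
        return json.loads(_unb64(payload))
    except (ValueError, json.JSONDecodeError):
        return None


def is_admin(cookie: str, secret_key: bytes) -> bool:
    """The server-side check described above: userid must be 0."""
    session = load_session(cookie, secret_key)
    return session is not None and session.get("userid") == 0


def tamper_without_key(cookie: str) -> str:
    """Change userid to 0 in the payload but keep the old signature."""
    payload, sig = cookie.rsplit(".", 1)
    data = json.loads(_unb64(payload))
    data["userid"] = 0
    return f"{_encode_payload(data)}.{sig}"


def forge_with_key(secret_key: bytes) -> str:
    """With the leaked key, simply sign the claims you want."""
    return sign_session({"userid": 0}, secret_key)


if __name__ == "__main__":
    normal = sign_session({"userid": 42}, SERVER_KEY)
    print("normal user admin?   ", is_admin(normal, SERVER_KEY))                    # False
    print("tampered admin?      ", is_admin(tamper_without_key(normal), SERVER_KEY))  # False
    print("forged with key admin", is_admin(forge_with_key(SERVER_KEY), SERVER_KEY))  # True
```

The practical lesson for defenders is the same one the challenge teaches attackers: a signing key that can be recovered from source code, a default value, a debug page or a short brute-forceable string gives up every session on the site, so it must be generated randomly and kept out of the repository.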
This was an easy web challenge that involved an XSS (cross-site scripting) attack. The setup was a web application that allowed users to register an account, log in and post notes. Additionally, there was an admin bot page on which the admin bot would visit the page URL we gave it. Looking through the source code, I found that the flag was set as a cookie of the admin bot. So the goal was to craft an XSS payload to steal its cookie.
The setup of this challenge was a simple calculator that allowed users to perform easy calculations, such as subtraction and multiplication, through the formula URL parameter. It had a command injection vulnerability that allowed attackers to run arbitrary commands on the host system and extract sensitive information.
Approach
There was not much of interest in the frontend of the web page, so I turned to the source code and found the vulnerability immediately. The web application passed the user input string to eval() and echoed the result. Whenever eval() is used on user input it should set off an alarm; there are numerous articles online explaining the danger of eval(). In this case, even though the author used a seemingly secure approach, a regular expression filter, to sanitize the user input before passing it to eval(), there were still ways to bypass the filter. Here is a screenshot of the source code:
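The challenge’s calculator is written in PHP and its regex filter is not reproduced here, so the following is an added Python example of the general point rather than the challenge’s code or its bypass: a regex in front of eval() is a blocklist guarding an interpreter, while a calculator that walks the expression’s syntax tree is an allowlist of exactly the operations it means to support. unsafe_calc stands in for the eval()-and-echo pattern; the __import__('os').getcwd() payload is a harmless demonstration that eval() runs arbitrary code, not something from the writeup.

```python
import ast
import operator

# Operations the calculator is meant to support, and nothing else.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARYOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

MAX_FORMULA_LEN = 200   # keep ast.parse away from pathological inputs


def unsafe_calc(formula: str):
    """The pattern to avoid: the interpreter evaluates whatever it is given.
    A regex filter in front of this is a blocklist and tends to get bypassed."""
    return eval(formula)


def _eval_node(node: ast.AST):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
        return _UNARYOPS[type(node.op)](_eval_node(node.operand))
    # Names, attribute access, calls, subscripts, strings, ** ... all end up here.
    raise ValueError(f"disallowed element in formula: {type(node).__name__}")


def safe_calc(formula: str) -> float:
    """Parse the formula and evaluate only the arithmetic nodes we allow.
    Nothing here ever hands user input to eval() or the shell."""
    if len(formula) > MAX_FORMULA_LEN:
        raise ValueError("formula too long")
    try:
        tree = ast.parse(formula, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not a valid expression: {exc.msg}") from None
    return _eval_node(tree.body)


if __name__ == "__main__":
    print(safe_calc("3 * (4 - 1) / 2"))                      # 4.5
    print(type(unsafe_calc("__import__('os').getcwd()")))    # eval() ran code: <class 'str'>
    try:
        safe_calc("__import__('os').getcwd()")
    except ValueError as exc:
        print("safe_calc refused:", exc)
```

Because the allowlist is expressed in terms of syntax-tree node types rather than characters, there is nothing for an encoding trick or an unanticipated character class to slip past: a Call or Attribute node is rejected regardless of how it was spelled in the input.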
Description of challenge:
There’s a hidden flag on Jelly’s page, but the creator hasn’t made her page public yet. Can you find a way to access her page and capture the flag?
Overview
From the initial inspection, access to one of the Virtual YouTubers’ pages was restricted when clicking on her picture. However, a broken access control vulnerability allowed direct access to the page by simply requesting its endpoint URL: the restriction existed only in the link on the landing page, not as a server-side check on the endpoint itself.
The setting of this web page was a custom name converter that converted user input into “AWASCII”. Due to improper input sanitization, a command injection vulnerability in the application allowed arbitrary command execution.
Approach
When I first opened up the web page, I noticed a field for user input. I examined the source code in main.py and found that the Flask application used Python’s subprocess module to start the script awafier.py with the user input as an argument. According to the module’s documentation, subprocess does not invoke a system shell unless it is called with shell=True; in that case the command string is interpreted by the shell, so metacharacters such as ; or $( ) in the argument are honoured rather than passed through literally. In this challenge, shell=True was set explicitly, as shown in the screenshot of the source code.
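To show the difference shell=True makes, here is an added example, not the challenge’s main.py or awafier.py. The real awafier.py is replaced by a one-line stand-in that just prints its argv, and the PAYLOAD is a constructed value. The vulnerable function builds a command string and runs it through the shell, so the ; ends the intended command and the rest is executed as a second one; the hardened function passes an argv list, so the whole string reaches the script as a single argument no matter what characters it contains.

```python
import shlex
import subprocess
import sys

# Hypothetical stand-in for awafier.py: prints the arguments it received.
AWAFIER_SCRIPT = "import sys; print(sys.argv[1:])"

# Constructed attacker input: a name followed by a second shell command.
PAYLOAD = "hello; echo INJECTED"


def awafy_vulnerable(name: str) -> str:
    """String command + shell=True: `name` is spliced into a line that /bin/sh
    parses, so its metacharacters are interpreted."""
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(AWAFIER_SCRIPT)} {name}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def awafy_hardened(name: str) -> str:
    """argv list, no shell: `name` becomes exactly one argument to the script.
    The shell never sees it, so there is nothing to inject into."""
    result = subprocess.run(
        [sys.executable, "-c", AWAFIER_SCRIPT, name],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(awafy_vulnerable(PAYLOAD)))   # second command ran
    print("hardened:  ", repr(awafy_hardened(PAYLOAD)))     # one literal argument
```

If a shell string truly cannot be avoided, shlex.quote() on each user-supplied piece is the minimum, but the argv-list form is the one to reach for: it removes the shell from the picture entirely instead of trying to out-escape it, and it is also what lets check=True surface failures of the real script instead of whatever the shell decided to run.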