{"id":5861,"date":"2019-02-18T20:41:47","date_gmt":"2019-02-18T19:41:47","guid":{"rendered":"https:\/\/2019.prague.wordcamp.org\/?p=5861"},"modified":"2019-02-27T14:02:56","modified_gmt":"2019-02-27T13:02:56","slug":"capture-the-flag-reseni-flagu-4-6","status":"publish","type":"post","link":"https:\/\/prague.wordcamp.org\/2019\/capture-the-flag-reseni-flagu-4-6\/","title":{"rendered":"Capture the Flag &#8211; solutions for flags 4 &#8211; 6"},"content":{"rendered":"<p>Here is a walkthrough of the solutions for the next 3 flags of our CTF competition.<\/p>\n<div class=\"jetpack-video-wrapper\"><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"660\" height=\"372\" src=\"https:\/\/www.youtube.com\/embed\/vsvT8RCJmJk?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=cs-CZ&#038;autohide=2&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\"><\/iframe><\/span><\/div>\n<p><a class=\"btn-pozvanka\" href=\"\/capture-the-flag-reseni-flagu-0-3\/\"><span style=\"color: #fff\">&lt; flags 0 &#8211; 3<\/span><\/a>  <a class=\"btn-pozvanka\" href=\"\/capture-the-flag-reseni-flagu-7-8\/\"><span style=\"color: #fff\">&gt; flags 7 &#8211; 8<\/span><\/a><\/p>\n<h3><strong>Flag 4<\/strong>: \u201cTo err is human\u201d<\/h3>\n<p>In security testing it is common to try to force the application into making an error, so that it discloses some information or does something unexpected.<\/p>\n<p>A frequent mistake in web applications is displaying error messages that contain information only the 
administrator should know.<\/p>\n<p>The simplest way to check this is to visit the address \/wp-includes\/rss-functions.php, which triggers an <strong>error 500<\/strong>. Calling a theme file directly (e.g. \/wp-content\/themes\/twentynineteen\/index.php) or various files from the admin area (\/wp-admin\/admin-header.php) works the same way. As a reward for triggering the error 500 we get the first flag. To display a custom error we had to play with the PHP function <a href=\"http:\/\/php.net\/manual\/en\/function.register-shutdown-function.php\">register_shutdown_function<\/a>.<\/p>\n<p>Another common error is <strong>404 &#8211; not found<\/strong>. In this case WP returns a reasonably usable page, which is frequently a problem for simpler systems. It is typically rendered from the file 404.php in the theme. When a site is infected, this file is often abused as a deferred trigger of the infection &#8211; execution of the malicious code is deferred until a 404 error is triggered by a visitor, or directly by the attacker. On our site, however, it only hides another flag.<\/p>\n<p>If we attempt a forbidden action, WordPress shows an error message via the function <a href=\"https:\/\/codex.wordpress.org\/Function_Reference\/wp_die\">wp_die()<\/a> and sends status <strong>code 403<\/strong>. Outside the admin area we can get this error for example by accessing the file wp-mail.php directly. 
To customize this error message we used <a href=\"https:\/\/developer.wordpress.org\/reference\/hooks\/wp_die_handler\/\">wp_die_handler<\/a> and let it reveal another flag.<\/p>\n<p>Lesson: error output has no place on a production server.<\/p>\n<h3><strong>Flag 5<\/strong>: \u201cWe know our people\u201d<\/h3>\n<p>The error 500 from the previous set of flags also revealed the <strong>location of the application on the server<\/strong>. From that it was possible to obtain the name of the user the application runs as on the server. It is no coincidence that this name is the first flag of this key. Under normal circumstances this information could also be obtained from the forgotten phpinfo.php of the previous tasks. There, however, we deliberately censored the path \ud83d\ude42<\/p>\n<p>Interesting information about users can be obtained elsewhere too. If we are interested in the WordPress users themselves, we can try to enumerate them using the parameter <strong>?author=<\/strong>X. Or we can get them in a more modern way &#8211; using the <strong>REST API<\/strong> and the endpoint \/wp-json\/wp\/v2\/users. On our site we thus find a very interesting user with id = 5. If we visit the address \/?author=5, the address magically changes and reveals the login of our user, which is also the next flag.<\/p>\n<p>Another type of user is the commenting visitor. By default WordPress collects their e-mail addresses, from which it then generates the Gravatar URL. 
That is rather unfortunate, because the <strong>Gravatar service hashes the e-mail with md5<\/strong>, so it is not too hard to reverse the e-mails back.<\/p>\n<p>Just like on many other sites, we did not delete the test post with id = 1 &#8211; just visit \/?p=1. A small trap lurks here. If we disable comments in WP, the change applies only to newly added posts &#8211; the old ones follow the original setting, comments have to be disabled on them manually, and that is often forgotten. This first forgotten post is therefore a frequent target of various spambots.<\/p>\n<p>So you could find a strange comment on our site as well:<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5863\" src=\"https:\/\/i0.wp.com\/2019.prague.wordcamp.org\/files\/2019\/02\/ctf-koment.png?resize=660%2C144&#038;ssl=1\" alt=\"\" width=\"660\" height=\"144\" srcset=\"https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-koment.png?w=748&amp;ssl=1 748w, https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-koment.png?resize=300%2C65&amp;ssl=1 300w, https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-koment.png?resize=500%2C109&amp;ssl=1 500w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/p>\n<p>The user's name reveals that the flag value is hidden in their e-mail. So it was enough to get the URL of their Gravatar image, take the md5 hash from it and try to crack it. 
Since it is just 4 digits, it was nothing hard and the flag was ours!<\/p>\n<p>This user information is normally also available from the REST API (you can try it on the site <a href=\"http:\/\/wordpressexpose.chrisgherbert.com\/\">WP Expos\u00e9<\/a>). We, however, applied a <a href=\"https:\/\/github.com\/lynt-smitka\/WP-nginx-config\/blob\/master\/extras\/mu-plugins\/lynt-enhancer.php\">filter<\/a> that tries to strip sensitive data from the REST API. If you do not want e-mail information to leak, it is better to disable Gravatars or use a <a href=\"https:\/\/github.com\/lynt-smitka\/lynt-avatar\">different solution<\/a> for them.<\/p>\n<h3><strong>Flag 6<\/strong>: \u201cConfidential information\u201d<\/h3>\n<p>In one of the previous flags we found that there is an exposed git repository on the site. We also found that it contains a file flag.php, which surely holds interesting information. Unfortunately, on direct access it was executed and revealed nothing interesting.<\/p>\n<p>But nothing is easier than retrieving the source code from the git repository and looking directly into it. 
We helped ourselves with an automated tool that walks the known files of the repository structure and tries to parse the individual objects out of them.<\/p>\n<p>After reconstructing the repository and the source code, all that remained was to look at the contents of flag.php, and half of the key was ours.<\/p>\n<p>Closer examination of the changes in the repository further revealed that the file search.php in the theme had been modified (git whatchanged -n 1). Moreover, the change is not entirely safe even at first glance &#8211; user input is not sanitized there, which opens the possibility of XSS.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5864\" src=\"https:\/\/i0.wp.com\/2019.prague.wordcamp.org\/files\/2019\/02\/ctf-xss.png?resize=660%2C58&#038;ssl=1\" alt=\"\" width=\"660\" height=\"58\" srcset=\"https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-xss.png?w=779&amp;ssl=1 779w, https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-xss.png?resize=300%2C27&amp;ssl=1 300w, https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-xss.png?resize=768%2C68&amp;ssl=1 768w, https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-xss.png?resize=500%2C44&amp;ssl=1 500w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/p>\n<p>If you tried to exploit this code to prove the XSS and call a nice JavaScript alert(), the site detected the attempt and instead displayed a message with a reward in the form of a flag :-).<\/p>\n<p>WordPress itself tries to handle user input well, 
but improperly used custom code can break its principles.<\/p>\n<p>Lesson: leaving an accessible git repository on the website is definitely not a good idea.<\/p>\n<p>Obtaining these flags already required some effort and experimentation. And it will not get any easier next time.<\/p>\n<p><a class=\"btn-pozvanka\" href=\"\/vstupenky\/\"><span style=\"color: #fff\">Buy a ticket and come to WordCamp<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here is a walkthrough of the solutions for the next 3 flags of our CTF competition. &lt; flags 0 &#8211; 3 &gt; flags 7 &#8211; 8 Flag 4: \u201cTo err is human\u201d In security testing it is common to try to force the application into making an error, so that it discloses some information or does something unexpected. 
A frequent mistake in web applications is displaying error messages &hellip; <a href=\"https:\/\/prague.wordcamp.org\/2019\/capture-the-flag-reseni-flagu-4-6\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Capture the Flag &#8211; solutions for flags 4 &#8211; 6<\/span><\/a><\/p>\n","protected":false},"author":5814035,"featured_media":5583,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"video","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1230900],"tags":[],"class_list":["post-5861","post","type-post","status-publish","format-video","has-post-thumbnail","hentry","category-nezarazene","post_format-post-format-video"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/01\/ctf-img.jpg?fit=600%2C335&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pab3ys-1wx","_links":{"self":[{"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/posts\/5861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/users\/5814035"}],"replies":[{"embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/comments?post=5861"}],"version-history":[{"count":4,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/posts\/5861\/revisions"}],"predecessor-version":[{"id":7515,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/posts\/5861\/revisions\/7515"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/media\/5583"}],"wp:attachment":[{"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/media?parent=5861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/categories?post=5861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/tags?post=5861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}