{"id":5883,"date":"2019-02-20T20:33:11","date_gmt":"2019-02-20T19:33:11","guid":{"rendered":"https:\/\/2019.prague.wordcamp.org\/?p=5883"},"modified":"2019-02-27T14:04:14","modified_gmt":"2019-02-27T13:04:14","slug":"capture-the-flag-reseni-flagu-9","status":"publish","type":"post","link":"https:\/\/prague.wordcamp.org\/2019\/capture-the-flag-reseni-flagu-9\/","title":{"rendered":"Capture the Flag &#8211; solving flag 9"},"content":{"rendered":"<p>As the cherry on top, we saved the solution of the last flag, which withstood hundreds of thousands of attempts to crack it.<\/p>\n<div class=\"jetpack-video-wrapper\"><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"660\" height=\"372\" src=\"https:\/\/www.youtube.com\/embed\/tMbGwzYZqso?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=cs-CZ&#038;autohide=2&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\"><\/iframe><\/span><\/div>\n<p><a class=\"btn-pozvanka\" href=\"\/capture-the-flag-reseni-flagu-7-8\/\"><span style=\"color: #fff\">&lt; flags 7 &#8211; 8<\/span><\/a><\/p>\n<h3><strong>Flag 9<\/strong>: &#8222;No entry with animals&#8220;<\/h3>\n<p>The location of the flag was clear fairly early on. 
When we discovered the phpinfo.php file, we also learned of the existence of a peculiar directory, secret-flag9-dir.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-5885 size-full\" src=\"https:\/\/i0.wp.com\/2019.prague.wordcamp.org\/files\/2019\/02\/ctf-secret.png?resize=623%2C52&#038;ssl=1\" alt=\"\" width=\"623\" height=\"52\" srcset=\"https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-secret.png?w=623&amp;ssl=1 623w, https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-secret.png?resize=300%2C25&amp;ssl=1 300w, https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-secret.png?resize=500%2C42&amp;ssl=1 500w\" sizes=\"auto, (max-width: 623px) 100vw, 623px\" \/><\/p>\n<p>Before the actual path to the flag, we went down several dead ends.<\/p>\n<p>WP-Scan showed that the site had a <a href=\"https:\/\/seclists.org\/fulldisclosure\/2018\/Mar\/40\">plugin with a Local File Inclusion vulnerability<\/a>. From its code, however, it was clear that it would not be of much use to us &#8211; it loads files via require_once, so PHP files are executed rather than displayed. For obtaining other sensitive information it would have been very handy, though.<\/p>\n<p>A port scan showed that port 22 &#8211; SSH &#8211; was open. When we tried whether the server administrator had happened to use some primitive password, it turned out that the password was very easy to guess and administrator access was ours. At least seemingly. It soon turned out that the SSH was not real SSH but merely a <a href=\"https:\/\/github.com\/cowrie\/cowrie\">simulation<\/a> of it. 
This was not the way either.<\/p>\n<p>Another good idea was to use the Adminer we had found. It was possible to connect to an external database server with file privileges and thereby read arbitrary files from the client:<\/p>\n<p><code>LOAD DATA LOCAL INFILE \"\/home\/flag5a6557\/htdocs\/www\/flag.php\" INTO TABLE test.a<\/code><\/p>\n<p>Unfortunately, we did not yet know the name of the file we were trying to obtain. Unless we wanted to guess blindly, this was not a suitable path for us.<\/p>\n<p>Attempts to log into the administration via the login form were also futile; from the page's source code it was possible to tell that the form was not genuine. And even if it had been, WP itself had been modified to be read-only, so logging in would not have been possible.<\/p>\n<p>One of the paths did lead through the administration, however. From the previous flags we had gathered enough information to be able to generate login cookies:<\/p>\n<ul>\n<li><strong>Password hash<\/strong> from the database<\/li>\n<li><strong>Crypto keys<\/strong> from wp-config.php<\/li>\n<li><strong>Session_token<\/strong> from the user metadata in the database<\/li>\n<\/ul>\n<p>Under normal circumstances the required session token would be useless, because it is a sha256 hash of a random string of more than 40 characters, which must appear in the cookie in its original form. 
In our case, however, it was merely a hash of the word wordpress, so it could easily be abused.<\/p>\n<p>It was enough to set up another WP site, feed it the obtained crypto keys, create a user with the same password hash (it does not matter that we do not know the password) and have it generate login cookies, which then only needed to be inserted into the browser under the correct name containing the md5 hash of the site's address:<\/p>\n<p><code>wp_generate_auth_cookie(1,1560620800,'logged_in', 'wordpress')<br \/>\nwp_generate_auth_cookie(1,1560620800,'secure_auth', 'wordpress')<br \/>\n<\/code><\/p>\n<p>This got us into the administration; although it was read-only, that did not prevent uploading our own plugin, even though it could not be activated. In this way we smuggled <strong>foreign code<\/strong> onto the site in the form of a <a href=\"https:\/\/github.com\/lynt-smitka\/PHP-Mini-File-Browser\/\">file browser<\/a>.<\/p>\n<p>By this rather complicated route we were able to gain <strong>access to the last flag<\/strong>.<\/p>\n<p>There was, however, a <strong>much simpler way<\/strong>. We could have noticed that the site had Adminer uploaded in the older version 4.2.3, which moreover supports many other database systems &#8211; including <strong>SQLite<\/strong>.<\/p>\n<p>SQLite has the unpleasant property that when a non-existent database is accessed, it creates it on disk. Only files with the .db extension (and a few others) can be created. That did not slow us down much, though. 
Using the\u00a0<code>ATTACH DATABASE<\/code>\u00a0command we simply created a new empty database with the .php extension. Then all that remained was to create a new table and fill it with PHP code. Despite a bit of binary data at the start of the file, our code ran without problems, and so we could easily obtain the last flag! All that was left was to determine the result of the logical condition:<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5892\" src=\"https:\/\/i0.wp.com\/2019.prague.wordcamp.org\/files\/2019\/02\/ctf-flag9.png?resize=660%2C177&#038;ssl=1\" alt=\"\" width=\"660\" height=\"177\" srcset=\"https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-flag9.png?w=791&amp;ssl=1 791w, https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-flag9.png?resize=300%2C80&amp;ssl=1 300w, https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-flag9.png?resize=768%2C206&amp;ssl=1 768w, https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/02\/ctf-flag9.png?resize=500%2C134&amp;ssl=1 500w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/p>\n<p>Even though the existing files on the server are read-only, it was possible to modify the look of the site this way. For example, it was enough to create a home.php file in the theme directory and, thanks to the <a href=\"https:\/\/wphierarchy.com\/\">template hierarchy<\/a>, it was then displayed instead of the site itself.<\/p>\n<p>With the discovery of the last flag, our CTF competition comes to an end. 
We hope you enjoyed it, that you perhaps even learned something interesting, and that we will see you at WordCamp.<\/p>\n<p><a class=\"btn-pozvanka\" href=\"\/vstupenky\/\"><span style=\"color: #fff\">Buy a ticket and come to WordCamp<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As the cherry on top, we saved the solution of the last flag, which withstood hundreds of thousands of attempts to crack it. &lt; flags 7 &#8211; 8 Flag 9: &#8222;No entry with animals&#8220; The location of the flag was clear fairly early on. When we discovered the phpinfo.php file, we also learned of the existence of a peculiar directory, secret-flag9-dir. Before the actual path to the flag, we went down &hellip; <a href=\"https:\/\/prague.wordcamp.org\/2019\/capture-the-flag-reseni-flagu-9\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Capture the Flag &#8211; solving flag 
9<\/span><\/a><\/p>\n","protected":false},"author":5814035,"featured_media":5583,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"video","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1230900],"tags":[],"class_list":["post-5883","post","type-post","status-publish","format-video","has-post-thumbnail","hentry","category-nezarazene","post_format-post-format-video"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/prague.wordcamp.org\/2019\/files\/2019\/01\/ctf-img.jpg?fit=600%2C335&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pab3ys-1wT","_links":{"self":[{"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/posts\/5883","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/users\/5814035"}],"replies":[{"embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/comments?post=5883"}],"version-history":[{"count":7,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/posts\/5883\/revisions"}],"predecessor-version":[{"id":7518,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/posts\/5883\/revisions\/7518"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/
wp\/v2\/media\/5583"}],"wp:attachment":[{"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/media?parent=5883"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/categories?post=5883"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2019\/wp-json\/wp\/v2\/tags?post=5883"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}