Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Security Challenge VIII

  • 14-05-2012 5:52pm
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    That time again!

    http://damo.clanteam.com/sch8

    Challenge:

    There was a little bug present. 0.4 is up now, please use this instead:
    http://damo.clanteam.com/sch8/GovernmentFileStore.zip

    Requires Java Runtime Environment 6+
    You can execute a number of ways, you can execute depending on whether you have java on your path or JAVA_HOME setup or not: (JRE6 for Win does this automatically).
    # java -jar GovernmentFileStore.jar
        # *nix/mac: $JAVA_HOME/bin/java -jar GovernmentFileStore.jar
        # Win: %JAVA_HOME%\bin\java -jar GovernmentFileStore.jar
        # <path to jre>/bin/java -jar GovernmentFileStore.jar
    

    Or more easily Windows users and some other *nix desktops may be able to just double click the jar to execute, or right-click and open with Java.

    Behind a proxy? then execute as:
    # java -Dhttp.proxyHost=<host> -Dhttp.proxyPort=<port> -jar GovernmentFileStore.jar
        e.g.: java -Dhttp.proxyHost=www.proxy.com -Dhttp.proxyPort=8080 -jar GovernmentFileStore.jar
    

    Aim:

    Find weaknesses and flaws in the application above.
    Find a way to enter your name on the hall of fame based on these weaknesses and flaws.
    This challenge has a few different areas for you hack before you can get onto the hall of fame.

    Rules:

    Try not leave traces of your actions that may give away hints to others.
    Do not hammer the web-server, there is no need to run port/vulnerability scanners or web brute forcers against the server. It's not needed and won't help for this challenge.
    Any abusing the challenge will result in it been took offline.


Comments

  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    It IS OK to execute remote code on the server, i.e. use application flaws to pop a reverse shell or similar? I am just waiting to clarify that, as I think I have this one cracked open but don't want to piss anyone off by pwning boxes and all...

    Fun challenge BTW, enjoying this one! :D

    Hmmmm, more to this than meets the eye for sure! Extra challenging...


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    infodox wrote: »
    It IS OK to execute remote code on the server, i.e. use application flaws to pop a reverse shell or similar? I am just waiting to clarify that, as I think I have this one cracked open but don't want to piss anyone off by pwning boxes and all...

    Fun challenge BTW, enjoying this one! :D

    Well its free public hosting so don't do anything too dodgy :-)
    Its not really the aim of this one, but if there is something I accidentally left open, might as well see if you can use it. Just don't get the account closed hehe.


  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    Seems I may have jumped the gun a tad early thinking I could get some PHP up, but that just makes things more entertaining :D Got files uploading for a start, and poking about to see what happens next... Very nice uploader!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    infodox wrote: »
    Seems I may have jumped the gun a tad early thinking I could get some PHP up, but that just makes things more entertaining :D Got files uploading for a start, and poking about to see what happens next... Very nice uploader!



    Yeah I only do them type of challenges when I host them on a VM on my laptop here. Bit dangerous on public hosting server.

    Yeah there is a couple of things to do in this one, but I think it should be fun.

    Next part can be done 2 ways. One way tricky, the other way easier.


  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    Ok so far i have


    Apacheand

    PHP/5.2.17

    i have a feeling that the Apache server is running on Apache 2 which should allow you to SQL inject. will post back, will have nothing to do with the java program till i get the User table in the Apache


  • Advertisement
  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Cork24 wrote: »
    Ok so far i have


    Apacheand

    PHP/5.2.17

    i have a feeling that the Apache server is running on Apache 2 which should allow you to SQL inject. will post back, will have nothing to do with the java program till i get the User table in the Apache


    No SQL in this one dude. Also remember this isn't my server, so don't run scans against it.


  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    Looks interesting. I'm going to start this one tomorrow morning.
    Thanks damo


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Remember, you can still access some of the older ones at http://damo.clanteam.com


  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    Damo - did you change the .jar hosted? I think the version number changed and have been getting some illogical responses from the server with data extracted from the original .jar. Wonder what changed...


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    infodox wrote: »
    Damo - did you change the .jar hosted? I think the version number changed and have been getting some illogical responses from the server with data extracted from the original .jar. Wonder what changed...



    I fixed some little bugs that annoyed me. Nothing too bad. Last jar was uploaded yesterday sometime, so just download that and apply the same stuff you did with the old one and you'll be good.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    moneymad wrote: »
    Looks interesting. I'm going to start this one tomorrow morning.
    Thanks damo

    Just sat down to do this tonight.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Do people need me to start dropping hints?

    2 people finished this so far. One of them is a boards user. No idea who the other lad is.


  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    Do people need me to start dropping hints?

    2 people finished this so far. One of them is a boards user. No idea who the other lad is.
    It took me about 10 minutes and then
    I got as far as the last bit and found i had to have a pass for the zip.
    I don't enjoy encryption and couldn't be arsed going further.
    Other than that it was fun.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    moneymad wrote: »
    It took me about 10 minutes and then
    I got as far as the last bit and found i had to have a pass for the zip.
    I don't enjoy encryption and couldn't be arsed going further.
    Other than that it was fun.


    You don't have to do any decrypting yourself. If you figure out what's happening, you'll see...


  • Registered Users, Registered Users 2 Posts: 8 endz


    I enjoyed this one thank you


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    endz wrote: »
    I enjoyed this one thank you

    Sweet, Congrats.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q




  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Im using jad, but keep getting the error:

    Parsing GovernmentFileStore.jar...JavaClassFileParseException: Not a class file (incorrect magic)


    Im guessing thats not intended?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    syklops wrote: »
    Im using jad, but keep getting the error:

    Parsing GovernmentFileStore.jar...JavaClassFileParseException: Not a class file (incorrect magic)


    Im guessing thats not intended?
    jad is probably outdated, use this one instead: http://java.decompiler.free.fr/?q=jdgui
    Works for me


  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    had another bash of of it today. i was using these tools since the start.
    I don't know java but i was able to spot it.
    :)

    cool challenge. thanks damo


  • Advertisement
  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Ok, so I
    decompiled the app, found the username and password, logged in, and can upload files.

    Can I have a tip?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    syklops wrote: »
    Ok, so I
    decompiled the app, found the username and password, logged in, and can upload files.

    Can I have a tip?

    Sure:
    Try figure out where the files are going...

    Two ways to do this:

    hard way: Figure out what is going on in Config.class
    easy way: monitor the traffic using something like wireshark


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Ok, sorry, dont mean to be spoonfed the answer.

    I have
    used wireshark and got the basic auth hash, then decoded the base64 and got the username and password, and was able to enter the directory. I downloaded the file memo_to_hof_admin.txt_1337017286000.zip, tried to unzip with the password I used to access that part of the site, and it says the password is incorrect. Then I looked at the config.class, but it looks like it should be the same password

    What am I doing wrong?

    Thanks.

    Great challenge btw.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    syklops wrote: »
    Ok, sorry, dont mean to be spoonfed the answer.

    I have
    used wireshark and got the basic auth hash, then decoded the base64 and got the username and password, and was able to enter the directory. I downloaded the file memo_to_hof_admin.txt_1337017286000.zip, tried to unzip with the password I used to access that part of the site, and it says the password is incorrect. Then I looked at the config.class, but it looks like it should be the same password

    What am I doing wrong?

    Thanks.

    Great challenge btw.
    No, config.class only obtains the url and authentication data where to upload the file to. you will have to look at the java program again to see what password it is setting on the zip files. Its separate from the url pass to upload.


  • Closed Accounts Posts: 7,145 ✭✭✭DonkeyStyle \o/


    you will have to look at the java program again to see what password it is setting on the zip files.
    /me closes JTR
    :eek: :pac:


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    /me closes JTR
    :eek: :pac:

    I see you got it.. nice one.

    i think people are looking too much into it and making it more difficult than it is.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Solution:

    Use JD-GUI to decrypt the .jar

    take a look at LoginPanel:
    private static final String username = "upload_user";
      private static final String password = "govpass34";
    

    Thats your login!

    Next find out where files are getting uploaded to. Two ways to do this.

    1. Look at Config. You can xor uploadurl, username, password, against cipher. E.g. xor first byte of username against first byte of cipher, and so on for second, third, fourth...

    2. A much easier way is do run wireshark when you upload a file. This way you see where files are been uploaded to. You can also snag the credentials of that area.

    Take a look around to see if you find anything interesting.

    Now you need to get a password for a certain archive after the steps above.
    Look at SubmitFile
    String password = getSHA1Hash(inputfile.getName());
          parameters.setPassword(password);
    

    SO the password been set on an archive containing your file is just the SHA1 hash of your original file. E.g. an archive of readme.txt_3134242343.zip would have a password of "readme.txt" SHA1 hash: 451685e9efac4a6dc1fee73ec53ffb6b2c4c38b5 (hint, you can see ni the method byteArray2Hex, called by getSHA1Hash at the bottom, it returns the hash in lowercase.

    Open that special archive you found and continue.


Advertisement