
Security Challenge VIII

  • 14-05-2012 6:52pm
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    That time again!

    http://damo.clanteam.com/sch8

    Challenge:

    There was a little bug present. 0.4 is up now, please use this instead:
    http://damo.clanteam.com/sch8/GovernmentFileStore.zip

    Requires Java Runtime Environment 6+
    You can execute it in a number of ways, depending on whether you have java on your path or JAVA_HOME set up or not (JRE6 for Win does this automatically):
    # java -jar GovernmentFileStore.jar
    # *nix/mac: $JAVA_HOME/bin/java -jar GovernmentFileStore.jar
    # Win: %JAVA_HOME%\bin\java -jar GovernmentFileStore.jar
    # <path to jre>/bin/java -jar GovernmentFileStore.jar
    

    Or, more easily, Windows users and some other *nix desktops may be able to just double-click the jar to execute, or right-click and open with Java.

    Behind a proxy? Then execute as:
    # java -Dhttp.proxyHost=<host> -Dhttp.proxyPort=<port> -jar GovernmentFileStore.jar
    e.g.: java -Dhttp.proxyHost=www.proxy.com -Dhttp.proxyPort=8080 -jar GovernmentFileStore.jar
    

    Aim:

    Find weaknesses and flaws in the application above.
    Find a way to enter your name on the hall of fame based on these weaknesses and flaws.
    This challenge has a few different areas for you to hack before you can get onto the hall of fame.

    Rules:

    Try not to leave traces of your actions that may give away hints to others.
    Do not hammer the web-server, there is no need to run port/vulnerability scanners or web brute forcers against the server. It's not needed and won't help for this challenge.
    Any abuse of the challenge will result in it being taken offline.


Comments

  • Registered Users Posts: 126 ✭✭infodox


    It IS OK to execute remote code on the server, i.e. use application flaws to pop a reverse shell or similar? I am just waiting to clarify that, as I think I have this one cracked open but don't want to piss anyone off by pwning boxes and all...

    Fun challenge BTW, enjoying this one! :D

    Hmmmm, more to this than meets the eye for sure! Extra challenging...


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    infodox wrote: »
    It IS OK to execute remote code on the server, i.e. use application flaws to pop a reverse shell or similar? I am just waiting to clarify that, as I think I have this one cracked open but don't want to piss anyone off by pwning boxes and all...

    Fun challenge BTW, enjoying this one! :D

    Well it's free public hosting so don't do anything too dodgy :-)
    It's not really the aim of this one, but if there is something I accidentally left open, might as well see if you can use it. Just don't get the account closed hehe.


  • Registered Users Posts: 126 ✭✭infodox


    Seems I may have jumped the gun a tad early thinking I could get some PHP up, but that just makes things more entertaining :D Got files uploading for a start, and poking about to see what happens next... Very nice uploader!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    infodox wrote: »
    Seems I may have jumped the gun a tad early thinking I could get some PHP up, but that just makes things more entertaining :D Got files uploading for a start, and poking about to see what happens next... Very nice uploader!



    Yeah I only do them type of challenges when I host them on a VM on my laptop here. Bit dangerous on public hosting server.

    Yeah there is a couple of things to do in this one, but I think it should be fun.

    Next part can be done 2 ways. One way tricky, the other way easier.


  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    Ok so far I have

    Apache and

    PHP/5.2.17

    I have a feeling that the Apache server is running on Apache 2 which should allow you to SQL inject. Will post back, will have nothing to do with the java program till I get the User table in the Apache


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Cork24 wrote: »
    Ok so far I have

    Apache and

    PHP/5.2.17

    I have a feeling that the Apache server is running on Apache 2 which should allow you to SQL inject. Will post back, will have nothing to do with the java program till I get the User table in the Apache


    No SQL in this one dude. Also remember this isn't my server, so don't run scans against it.


  • Registered Users Posts: 882 ✭✭✭moneymad


    Looks interesting. I'm going to start this one tomorrow morning.
    Thanks damo


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Remember, you can still access some of the older ones at http://damo.clanteam.com


  • Registered Users Posts: 126 ✭✭infodox


    Damo - did you change the .jar hosted? I think the version number changed and have been getting some illogical responses from the server with data extracted from the original .jar. Wonder what changed...


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    infodox wrote: »
    Damo - did you change the .jar hosted? I think the version number changed and have been getting some illogical responses from the server with data extracted from the original .jar. Wonder what changed...



    I fixed some little bugs that annoyed me. Nothing too bad. Last jar was uploaded yesterday sometime, so just download that and apply the same stuff you did with the old one and you'll be good.


  • Registered Users Posts: 882 ✭✭✭moneymad


    moneymad wrote: »
    Looks interesting. I'm going to start this one tomorrow morning.
    Thanks damo

    Just sat down to do this tonight.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Do people need me to start dropping hints?

    2 people finished this so far. One of them is a boards user. No idea who the other lad is.


  • Registered Users Posts: 882 ✭✭✭moneymad


    Do people need me to start dropping hints?

    2 people finished this so far. One of them is a boards user. No idea who the other lad is.
    It took me about 10 minutes and then
    I got as far as the last bit and found I had to have a pass for the zip.
    I don't enjoy encryption and couldn't be arsed going further.
    Other than that it was fun.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    moneymad wrote: »
    It took me about 10 minutes and then
    I got as far as the last bit and found I had to have a pass for the zip.
    I don't enjoy encryption and couldn't be arsed going further.
    Other than that it was fun.


    You don't have to do any decrypting yourself. If you figure out what's happening, you'll see...


  • Registered Users Posts: 8 endz


    I enjoyed this one thank you


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    endz wrote: »
    I enjoyed this one thank you

    Sweet, Congrats.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q




  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    I'm using jad, but keep getting the error:

    Parsing GovernmentFileStore.jar...JavaClassFileParseException: Not a class file (incorrect magic)

    I'm guessing that's not intended?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    syklops wrote: »
    I'm using jad, but keep getting the error:

    Parsing GovernmentFileStore.jar...JavaClassFileParseException: Not a class file (incorrect magic)

    I'm guessing that's not intended?
    jad is probably outdated, use this one instead: http://java.decompiler.free.fr/?q=jdgui
    Works for me


  • Registered Users Posts: 882 ✭✭✭moneymad


    Had another bash at it today. I was using these tools since the start.
    I don't know java but I was able to spot it.
    :)

    cool challenge. thanks damo


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Ok, so I
    decompiled the app, found the username and password, logged in, and can upload files.

    Can I have a tip?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    syklops wrote: »
    Ok, so I
    decompiled the app, found the username and password, logged in, and can upload files.

    Can I have a tip?

    Sure:
    Try figure out where the files are going...

    Two ways to do this:

    hard way: Figure out what is going on in Config.class
    easy way: monitor the traffic using something like wireshark


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Ok, sorry, don't mean to be spoonfed the answer.

    I have
    used wireshark and got the basic auth hash, then decoded the base64 and got the username and password, and was able to enter the directory. I downloaded the file memo_to_hof_admin.txt_1337017286000.zip, tried to unzip with the password I used to access that part of the site, and it says the password is incorrect. Then I looked at the config.class, but it looks like it should be the same password

    What am I doing wrong?

    Thanks.

    Great challenge btw.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    syklops wrote: »
    Ok, sorry, don't mean to be spoonfed the answer.

    I have
    used wireshark and got the basic auth hash, then decoded the base64 and got the username and password, and was able to enter the directory. I downloaded the file memo_to_hof_admin.txt_1337017286000.zip, tried to unzip with the password I used to access that part of the site, and it says the password is incorrect. Then I looked at the config.class, but it looks like it should be the same password

    What am I doing wrong?

    Thanks.

    Great challenge btw.
    No, config.class only obtains the url and authentication data where to upload the file to. You will have to look at the java program again to see what password it is setting on the zip files. It's separate from the url pass to upload.


  • Closed Accounts Posts: 7,145 ✭✭✭DonkeyStyle \o/


    you will have to look at the java program again to see what password it is setting on the zip files.
    /me closes JTR
    :eek: :pac:


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    /me closes JTR
    :eek: :pac:

    I see you got it.. nice one.

    I think people are looking too much into it and making it more difficult than it is.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Solution:

    Use JD-GUI to decrypt the .jar

    take a look at LoginPanel:
    private static final String username = "upload_user";
    private static final String password = "govpass34";

    That's your login!

    Next find out where files are getting uploaded to. Two ways to do this.

    1. Look at Config. You can xor uploadurl, username, password, against cipher. E.g. xor first byte of username against first byte of cipher, and so on for second, third, fourth...

    2. A much easier way is to run wireshark when you upload a file. This way you see where files are being uploaded to. You can also snag the credentials of that area.

    Take a look around to see if you find anything interesting.

    Now you need to get a password for a certain archive after the steps above.
    Look at SubmitFile
    String password = getSHA1Hash(inputfile.getName());
    parameters.setPassword(password);

    So the password being set on an archive containing your file is just the SHA1 hash of your original file. E.g. an archive of readme.txt_3134242343.zip would have a password of "readme.txt" SHA1 hash: 451685e9efac4a6dc1fee73ec53ffb6b2c4c38b5 (hint: you can see in the method byteArray2Hex, called by getSHA1Hash at the bottom, that it returns the hash in lowercase).

    Open that special archive you found and continue.
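
The two design weaknesses named in the solution above, seen from the defender's side. This is an added Java example, not part of the original post and not the challenge's own code. It shows why XOR against a key shipped in the same jar and a zip password derived from the file name give no secrecy, next to a randomly generated password. The class name, helper names, key and URL are constructed, and repeating the key over longer data is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Added illustration: helper names, key and URL are constructed, not taken from the jar.
public class ObfuscationIsNotSecrecy {

    // Byte-wise XOR against a key shipped beside the data (key repetition is an assumption).
    static byte[] xor(byte[] data, byte[] key) {
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) {
            out[i] = (byte) (data[i] ^ key[i % key.length]);
        }
        return out;
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Lowercase hex SHA-1 of a string: the shape the post gives for the zip password.
    static String sha1Hex(String s) throws Exception {
        return hex(MessageDigest.getInstance("SHA-1").digest(s.getBytes(StandardCharsets.UTF_8)));
    }

    // "<original>_<timestamp>.zip" discloses the only input to that password.
    static String originalName(String archiveName) {
        return archiveName.replaceFirst("_\\d+\\.zip$", "");
    }

    // Hardened alternative: 128 bits from a CSPRNG, unrelated to any public metadata.
    static String randomPassword() {
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        return hex(raw);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-key".getBytes(StandardCharsets.UTF_8);
        byte[] stored = xor("https://files.example.invalid/upload".getBytes(StandardCharsets.UTF_8), key);
        // Whoever holds the class file holds both 'stored' and 'key'; XOR is its own inverse.
        System.out.println("recovered config: " + new String(xor(stored, key), StandardCharsets.UTF_8));
        String name = originalName("readme.txt_3134242343.zip"); // archive name quoted in the post
        System.out.println("derivable password for " + name + ": " + sha1Hex(name));
        System.out.println("random per-archive password: " + randomPassword());
    }
}
```

A random password only helps if it reaches the recipient over a separate channel and never ships inside the client; the same applies to the login and upload credentials, which belong on the server side rather than in the jar.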

