Hackvent 2019: Day 13

13 Dec 2019
CTF: Hackvent 2019
Link to challenge:
Date Completed: 13 December 2019



HV19.13 TrieMe



We are given a webpage with a form and the java source to the bean that serves that page.

Java source:

Initially, we try a few different approaches to get our flag. We try to exploit the JSF ViewState, assuming that the state is stored client side, which it is not. This post is a good read on the topic.

We also try to navigate to our flag, located in the file /data/flag.txt, but this also fails. However, we do manage to access the WEB-INF/web.xml file here: …/WEB-INF/web.xml.jsf

Finally, we notice that the default value of the input text field in the form comes from getTrie(), which returns "INTRUSION WILL BE REPORTED!" for now. Thus, we correctly assume that the value of this text field is used as the argument to setTrie(), which is otherwise unused. Here we do some digging into the Apache Commons library methods being used, in particular the PatriciaTrie data structure. We have a limited attack vector: the name POST parameter of the form. The only thing we can really do is add more values to the trie, and it will always contain the initial value auth_token_4835989. However, how can we use a PatriciaTrie.put() call to remove an entry?

After some local debugging and static analysis we discover that the PatriciaTrie.put() method does not properly distinguish a string ending in a null terminator character (\x00) from its null-free counterpart, while the PatriciaTrie.containsKey() method does correctly distinguish them. That means we can simply pass auth_token_4835989\0 to our setTrie() method and have it overwrite the initial value already in the trie, which changes the outcome of the !trie.containsKey(securitytoken) check and thus of the isAdmin(trie) check.

This piece of java code demonstrates the issue:
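As an added illustration (not the challenge bean's code and not the author's snippet), the following program reproduces the put()/containsKey() mismatch on a key that differs only by a trailing NUL, and shows an input check that keeps a lookalike key from displacing the stored token. The shape of isAdmin() and the Commons Collections 4 PatriciaTrie behaviour are assumptions taken from the write-up above.

```java
import org.apache.commons.collections4.trie.PatriciaTrie;

// Added example: models the bean's trie handling as described in the write-up.
public class TrieNullByteDemo {
    static final String SECURITY_TOKEN = "auth_token_4835989";

    // Assumed shape of the bean's check: admin iff the token is no longer present.
    static boolean isAdmin(PatriciaTrie<String> trie) {
        return !trie.containsKey(SECURITY_TOKEN);
    }

    // Stand-in for setTrie(): the only thing the form can do is add a key.
    static void setTrie(PatriciaTrie<String> trie, String name) {
        trie.put(name, "user");
    }

    // Hardened variant: refuse keys containing control characters such as \0,
    // so a key that the trie treats as equal to the token can never be inserted.
    static void setTrieSafe(PatriciaTrie<String> trie, String name) {
        for (int i = 0; i < name.length(); i++) {
            if (Character.isISOControl(name.charAt(i))) {
                throw new IllegalArgumentException("control character in key at index " + i);
            }
        }
        trie.put(name, "user");
    }

    public static void main(String[] args) {
        PatriciaTrie<String> trie = new PatriciaTrie<>();
        trie.put(SECURITY_TOKEN, "admin");
        System.out.println("before: size=" + trie.size() + " isAdmin=" + isAdmin(trie));

        // put() treats the NUL-terminated key as the same key and overwrites the
        // entry, but containsKey() compares the full string and no longer finds it.
        setTrie(trie, SECURITY_TOKEN + "\0");
        System.out.println("after:  size=" + trie.size() + " keys=" + trie.keySet()
                + " isAdmin=" + isAdmin(trie));

        PatriciaTrie<String> hardened = new PatriciaTrie<>();
        hardened.put(SECURITY_TOKEN, "admin");
        try {
            setTrieSafe(hardened, SECURITY_TOKEN + "\0");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("hardened: isAdmin=" + isAdmin(hardened));
    }
}
```

Compile against commons-collections4 on the classpath; the first run shows the token key replaced by its NUL-suffixed twin while the hardened path rejects the input and keeps the token intact.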

We pass the string auth_token_4835989\0 to our form, which gives us a message with the daily flag!

Flag: HV19{get_th3_chocolateZ}
