RSS
 

Posts Tagged ‘exploit’

Hackvent 2019: Day 15

15 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 15 December 2019

Challenge

HV19.15 Santa’s Workshop

Page snapshot:

Solution

NOTE: Unfortunately, the server for this challenge was broken for a long time and caused a lot of pain and suffering. In the end it took 6 hours longer than it needed to.

We land on a nice landing page with a counter which counts upwards. We do some snooping around to see what resources are used on the page and come across two javascript files of interest.

config.js

mqtt.js

Basically, we are authenticating with a MQTT messaging service. We subscribe to the topic 'HV19/gifts/'+clientid initially which returns the number of gifts made by the elves so far which increases by 1-3 every second or so:

We see a commented out topic  'HV19/gifts/'+clientid+'/flag-tbd'  but don’t get anything when we subscribe to it. We have our client id which was initially 0395226010678529 in our local storage. We also decide to convert the calls on the page into a python script for ease of testing. After subscribing to the wildcard #  topic we don’t see any extra messages but we do something interesting when subscribing to the $SYS/# topic. We see the version of the MQTT server returned as:

We inspect the CVE-2017-7650 and find the following releases including some commits which patches the issue:
https://mosquitto.org/blog/2017/05/security-advisory-cve-2017-7650/
https://github.com/eclipse/mosquitto/commit/9af3c6958fe1b2c653a7952f6f144bcf6ecfbc0d
https://github.com/eclipse/mosquitto/commit/cd17ca45cd313dc00480091505f708858db73ee9

In short we are told:

From the official patches we see the fix involves checking to see if the client_id or username contains the wildcard #  or +  symbols. If so, the connection is refused.

However, we notice that our  client_id is only rejected if it starts with a  #  or +  symbol. Therefore the elves patch incorrectly used a string startswith check instead of a string contains check. Also we consider the commented out topic in config.js which is  HV19/gifts/'+clientid+'/flag-tbd and guess that the final flag will look something like this  HV19/gifts/0395226010678529/HV19{flag_here}. It seems like our user workshop does not have permissions to read from this topic even though its nested under our client id.

Therefore, we try the client id 0395226010678529/# which should match the flag topic name if we subscribe to all topics (i.e. subscribe to #  topic).

This is the script we ended up using:

Running this spits out the following response which contains our flag as part of the topic name:

Flag:  HV19{N0_1nput_v4l1d4t10n_3qu4ls_d1s4st3r}

 
No Comments

Posted in Hackvent 2019