RSS
 

Posts Tagged ‘input validation’

Hackvent 2019: Day 15

15 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 15 December 2019

 

Challenge

HV19.15 Santa’s Workshop

Page snapshot:

Solution

NOTE: Unfortunately, the server for this challenge was broken for a long time and caused a lot of pain and suffering. In the end it took 6 hours longer than it needed to.

We land on a nice landing page with a counter which counts upwards. We do some snooping around to see what resources are used on the page and come across two javascript files of interest.

config.js

mqtt.js

Basically, we are authenticating with a MQTT messaging service. We subscribe to the topic 'HV19/gifts/'+clientid initially which returns the number of gifts made by the elves so far which increases by 1-3 every second or so:

We see a commented out topic  'HV19/gifts/'+clientid+'/flag-tbd'  but don’t get anything when we subscribe to it. We have our client id which was initially 0395226010678529 in our local storage. We also decide to convert the calls on the page into a python script for ease of testing. After subscribing to the wildcard #  topic we don’t see any extra messages but we do something interesting when subscribing to the $SYS/# topic. We see the version of the MQTT server returned as:

We inspect the CVE-2017-7650 and find the following releases including some commits which patches the issue:
https://mosquitto.org/blog/2017/05/security-advisory-cve-2017-7650/
https://github.com/eclipse/mosquitto/commit/9af3c6958fe1b2c653a7952f6f144bcf6ecfbc0d
https://github.com/eclipse/mosquitto/commit/cd17ca45cd313dc00480091505f708858db73ee9

In short we are told:

From the official patches we see the fix involves checking to see if the client_id or username contains the wildcard #  or +  symbols. If so, the connection is refused.

However, we notice that our  client_id is only rejected if it starts with a  #  or +  symbol. Therefore the elves patch incorrectly used a string startswith check instead of a string contains check. Also we consider the commented out topic in config.js which is  HV19/gifts/'+clientid+'/flag-tbd and guess that the final flag will look something like this  HV19/gifts/0395226010678529/HV19{flag_here}. It seems like our user workshop does not have permissions to read from this topic even though its nested under our client id.

Therefore, we try the client id 0395226010678529/# which should match the flag topic name if we subscribe to all topics (i.e. subscribe to #  topic).

This is the script we ended up using:

Running this spits out the following response which contains our flag as part of the topic name:

Flag:  HV19{N0_1nput_v4l1d4t10n_3qu4ls_d1s4st3r}

 

 
No Comments

Posted in Hackvent 2019

 

Hackvent 2019: Day 11

11 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 11 December 2019

 

Challenge

HV19.11 Frolicsome Santa Jokes API

 

Html file mirror: FSJA API Description

Solution

We have the spec for the FSJA API that the elves have made. We use Postman to play around with the API to get a feel for how it works.

Following the instructions, we are able to register a new user and authenticate to get a token.
We use the following payload for our user data:

Upon logging in with the /fsja/login  endpoint we get a token which looks like this:

The token looks like base64 encoded data. In fact, it happens to be a JWT token.

We finally use the /fsja/random  endpoint to get a joke:

The platinum field stands out to me the most.
As a random hunch, I decide to register a user and provide the  platinum field value in the payload myself like so:

I generate another joke and the API kindly provides us with our flag:

Flag:  HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}

 

Bonus

This challenge also contained the solution to HV19.H2 Hidden Three

 
No Comments

Posted in Hackvent 2019