
ASCWG-2022 Quals

Methodology

First of all, you need to understand that CTF challenges are not always like real-life scenarios.

You need a methodology that is specific to CTFs.

Begin by viewing the page source to find all the endpoints and hidden hints in the HTML.

Check robots.txt; you will usually find a hint there.

Analyze the requests using Burp Suite to understand the challenge.

For example:

One of the challenges I will provide a PoC for uses JS files, so I read the JS code to know where to dig. Before playing any web challenge you need to know at least the OWASP Top 10, because you will be doing threat modeling for the challenge. For example:

If we have a challenge with a login form, what attacks can we perform?

Authentication bypass (**Brute-force, SQLi, HTTP, Default Creds, Response Manipulation, etc.**).
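The recon steps above (page source, robots.txt, then mapping what you found to attack classes) can be scripted. The following is an added example written for this write-up, not code from the original post or from the CTF; the HTML and robots.txt it parses are constructed samples, and the `threat_model` mapping simply encodes the page's own login-form example plus an upload form.

```python
from html.parser import HTMLParser

# Constructed sample page source (not from the challenge), containing the
# kinds of hints a CTF page typically leaks: script files, form actions,
# links and an HTML comment.
SAMPLE_HTML = """<html><head>
<script src="/static/js/app.js"></script>
<!-- TODO: remove /debug before release -->
</head><body>
<form action="/api/login" method="post" enctype="application/json">
  <input name="username"><input name="password" type="password">
</form>
<form action="/upload" method="post" enctype="multipart/form-data">
  <input name="file" type="file">
</form>
<a href="/register">Register</a>
<a href="https://example.org/docs">External docs</a>
</body></html>"""

# Constructed sample robots.txt (not from the challenge).
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup.zip
Allow: /
"""


class HintExtractor(HTMLParser):
    """Collects endpoints and hidden hints from raw page source."""

    def __init__(self):
        super().__init__()
        self.scripts, self.forms, self.links, self.comments = [], [], [], []
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "form":
            self._current_form = {
                "method": a.get("method", "get").upper(),
                "action": a.get("action", ""),
                "enctype": a.get("enctype", ""),
                "inputs": [],
            }
            self.forms.append(self._current_form)
        elif tag == "input" and self._current_form is not None:
            self._current_form["inputs"].append(
                (a.get("name", ""), a.get("type", "text")))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_hints(html):
    """Returns scripts, forms, same-origin paths and comments found in the source."""
    p = HintExtractor()
    p.feed(html)
    p.close()
    return {
        "scripts": p.scripts,
        "forms": p.forms,
        # Only same-origin paths are endpoints of the challenge itself.
        "paths": [u for u in p.links if u.startswith("/")],
        "comments": p.comments,
    }


def parse_robots(text):
    """Returns the Disallow paths; in a CTF these are usually the hint."""
    out = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            out.append(value.strip())
    return out


def threat_model(hints):
    """Maps each form to the attack classes worth testing, following the
    page's own example for a login form and adding the upload case."""
    plan = {}
    for form in hints["forms"]:
        names = {name for name, _ in form["inputs"]}
        types = {t for _, t in form["inputs"]}
        if "password" in types or "password" in names:
            plan[form["action"]] = [
                "brute-force", "SQLi", "default creds", "response manipulation"]
        elif "file" in types:
            plan[form["action"]] = [
                "extension and content-type bypass", "code in image content"]
    return plan
```

Run `extract_hints(SAMPLE_HTML)` and `parse_robots(SAMPLE_ROBOTS)` on the samples, then feed the result to `threat_model` to get the per-endpoint test plan; the JS paths it returns are what you would then read by hand, as the write-up does.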

Konan:

Level: Easy

When you open the challenge link, you will find a login form.


As I mentioned before, one of the attacks on a login page is default creds, so let's try admin as the username.

Let's check the request using Burp Suite (Proxy).


The application is using JSON as the content-type.

After submitting admin as the username, it shows an OTP form. Let's check that request in Burp Suite too.


I started to manipulate the response. If `errors` is false, can we get through? Let's see.

I will use the Match and Replace option in Burp Suite.

You will find it under Proxy > Options; scroll down to it.

Press the Add button and it will show this window:


Type: where to match and replace. Here I chose Response body, because we need to modify `errors` in the response.

Match: what you want to match on.

Replace: what you want to replace it with.

Last step: tick the checkbox beside the condition to enable it.


Now let's repeat the process and log in with admin.


OTP Bypassed

Conclusion:

What we did here is called response manipulation. Response manipulation happens when the developer trusts the end user's input and thereby gives them the ability to change data the application relies on.
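To make the conclusion concrete from the defender's side, here is an added example (not the challenge's code, and not from the original post) of a two-step login kept as a small in-memory model. The user store, OTP value, session handling and the "dashboard" string are all constructed; the assumption being modelled is that the vulnerable application decided whether OTP had passed from a signal the client controlled (its JS reading `errors` from a response it could rewrite), whereas the hardened variant decides only from state the server recorded itself.

```python
import hmac
import secrets

# Constructed demo user store (not the challenge's). Passwords would be hashed
# in real code; it is kept plain because the point here is the OTP gate.
USERS = {"admin": {"password": "correct-horse", "otp": "123456"}}

# Server-side session state: this is what the client must never be able to set.
SESSIONS = {}  # session id -> {"user": str, "stage": "otp" | "authenticated"}

PROTECTED_PAGE = "welcome admin, here is the dashboard"  # constructed stand-in for the flag


def login(username, password):
    """Step 1: password check. On success the session is parked at the OTP stage."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return {"errors": True, "message": "invalid credentials"}, None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "stage": "otp"}
    return {"errors": False, "next": "otp"}, sid


def verify_otp(sid, code):
    """Step 2: only a correct code moves the session to 'authenticated'."""
    session = SESSIONS.get(sid)
    if session is None or session["stage"] != "otp":
        return {"errors": True, "message": "no pending login"}
    if not hmac.compare_digest(USERS[session["user"]]["otp"], code):
        return {"errors": True, "message": "wrong code"}
    session["stage"] = "authenticated"
    return {"errors": False, "next": "dashboard"}


def dashboard_vulnerable(sid, client_claims_verified):
    """The pattern the challenge exploits: the decision is made from a value the
    client controls (its JS read `errors` from a response it could rewrite)."""
    if sid in SESSIONS and client_claims_verified:
        return PROTECTED_PAGE
    return "denied"


def dashboard_hardened(sid):
    """The fix: the decision is made only from state the server itself recorded."""
    session = SESSIONS.get(sid)
    if session is not None and session["stage"] == "authenticated":
        return PROTECTED_PAGE
    return "denied"


def legitimate_flow():
    """Correct password, correct OTP: the hardened dashboard opens."""
    _, sid = login("admin", "correct-horse")
    verify_otp(sid, "123456")
    return dashboard_hardened(sid)


def response_manipulation_flow():
    """Replays the write-up: a wrong OTP is submitted, the response's `errors`
    is flipped to false in the proxy, and the client proceeds to the dashboard."""
    _, sid = login("admin", "correct-horse")
    response = verify_otp(sid, "000000")
    response["errors"] = False  # what the Match and Replace rule does
    client_thinks_verified = not response["errors"]
    return {
        "vulnerable": dashboard_vulnerable(sid, client_thinks_verified),
        "hardened": dashboard_hardened(sid),
    }
```

`response_manipulation_flow()` returns the protected page from the vulnerable endpoint and "denied" from the hardened one: rewriting the response changes what the browser believes, but not what the server stored, so the only durable fix is to gate every protected resource on server-side session state rather than on anything echoed back from the client.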

Evil-Volunteer:

Level: Medium

When you open the challenge link, you will find login and registration buttons.


I registered an account with m19o:m19o.

After logging in, I found an upload function.

Guess the vulnerability.

Yes, it is a file upload vulnerability.

At first, when I saw the .zip extension, I thought it would be RCE through a zip file (file upload and unzip).

If you want to know more about it, check this link.

So I started my test cases: changing the extension of the uploaded image to .php didn't work, and changing the Content-Type didn't work either.

It was easier than that: I needed to inject the PHP code into the image itself.


I used my backdoor to get the flag.


Conclusion:

Here we injected PHP code into the image because the developer didn't check the content of the image, and the image was executed as PHP code.
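The conclusion names two separate failures: the upload was not checked, and the stored file was handed to the PHP interpreter. The following is an added example written for this write-up (not the challenge's code, and not from the original post) of upload handling that addresses both: an extension allowlist plus magic-byte check, a server-chosen filename so the user never picks the extension, fixed response headers, and a detection helper for the image-with-PHP polyglot the challenge used. `UPLOAD_DIR`, the allowlist, and the sample byte strings are constructed; the decisive control, that no script handler is mapped to the upload directory, is web-server configuration and is stated as an assumption in the code.

```python
import os
import secrets

# Allowlisted extension -> (magic bytes, Content-Type it will be served with).
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    ".gif": (b"GIF8", "image/gif"),
}

# Assumption: a directory the web server serves as static files only, with no
# PHP (or other script) handler mapped to it. That configuration, not this
# code, is what stops an image that contains PHP from ever being executed.
UPLOAD_DIR = "/var/www/uploads"


class UploadRejected(ValueError):
    pass


def validate_upload(filename, data):
    """Rejects the cheap tricks from the write-up (renaming to .php, lying in
    Content-Type) but deliberately does NOT try to prove the image is clean."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed")
    magic, content_type = ALLOWED[ext]
    if not data.startswith(magic):
        raise UploadRejected("content does not match extension")
    return ext, content_type


def is_accepted(filename, data):
    """Convenience wrapper: True if validate_upload would accept the file."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def contains_php_tag(data):
    """Detection only: a file that passed the magic check but carries a PHP
    open tag is the polyglot the challenge used. Worth logging, not relied on."""
    return b"<?php" in data or b"<?=" in data


def store_upload(filename, data):
    """Returns (server-chosen path, Content-Type, suspicious). The user-supplied
    name is never reused, so the stored name can only end in an allowlisted extension."""
    ext, content_type = validate_upload(filename, data)
    stored_name = secrets.token_hex(16) + ext
    return os.path.join(UPLOAD_DIR, stored_name), content_type, contains_php_tag(data)


def serve_headers(content_type):
    """Headers for serving an upload: fixed type from the allowlist plus nosniff,
    so the browser does not guess a different, more dangerous type."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline",
    }


# Constructed inputs (not the challenge's files).
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
POLYGLOT_PNG = b"\x89PNG\r\n\x1a\n" + b"<?php /* constructed marker */ ?>"
```

Note what the test on `POLYGLOT_PNG` shows: the magic-byte check accepts it, exactly as the challenge's server did, and only `contains_php_tag` flags it. That is why the example treats content checks as detection and puts the real mitigation in the storage path and server configuration: a file that is never passed to an interpreter cannot become a backdoor no matter what it contains.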

This post is licensed under CC BY 4.0 by the author.