Hack The Box – Response

Ever since I started playing Hack The Box, I have wanted to create a box myself. As time went by, I encountered so many cool vulnerabilities and techniques, both in real-world engagements and in CTFs, which I thought would be fun to put in a box. The result of this is Response.

Introduction
User (→ bob)
    – Enumeration
    – Server Side Request Forgery
    – Internal Chat Application
    – Cross-Protocol Request Forgery
Scanning Script (bob → scryh)
    – Make own HTTPS Server being scanned
    – Setting up own DNS Server
    – Setting up own SMTP Server
    – Directory Traversal
Incident Report (scryh → root)
    – Decrypting Meterpreter Session
    – Restoring RSA private key

Continue reading “Hack The Box – Response”

From Single / Double Quote Confusion To RCE (CVE-2022-24637)

Open Web Analytics (OWA) is an open-source alternative to Google Analytics. OWA is written in PHP and can be hosted on one's own server. Version 1.7.3 suffers from two vulnerabilities which, when chained together, can be exploited by an unauthenticated attacker to gain RCE.

The cause of the first vulnerability (CVE-2022-24637) is a single quote / double quote confusion, which leads to an information disclosure. The header of an automatically generated PHP cache file containing sensitive information is defined as '<?php\n…' instead of "<?php\n…". In a single-quoted PHP string the escape sequence is not interpreted, so a literal backslash and an 'n' character are written instead of a newline, resulting in a broken PHP open tag. Because of this the file is not interpreted as PHP code but delivered as plain text, leaking the sensitive cache information. This information can be leveraged to set a new password for the admin user.

The second vulnerability is a PHP file write, which requires admin privileges. The internal settings for the logfile path as well as the log level can be changed by manually crafting a POST request. This way the logfile can be set to a PHP file. By also increasing the log level and generating an event with attacker-controlled data, PHP code can be injected into this logfile. This makes it possible to execute arbitrary PHP code.

I would like to thank Peter Adams, the creator and maintainer of OWA, who released a patch for the issue only one day after my initial notification. I was really amazed by the quick and professional reaction. There are security issues in every piece of software, but the difference is how these are dealt with.

Introduction
Single / Double Quote Confusion
PHP file write
Demonstration
Patch and Mitigations
Conclusion

Continue reading “From Single / Double Quote Confusion To RCE (CVE-2022-24637)”

ASIS CTF Quals 2021 – ASCII art as a service

The ASIS CTF Quals 2021 (ctftime.org) took place from 22/10/2021, 15:00 UTC to 24/10/2021, 15:00 UTC, providing a total of 24 challenges.

One of the challenges I really enjoyed was ASCII art as a service. This article contains my writeup for the challenge and is divided into the following sections:

Challenge Description
Source Code
Solution

Continue reading “ASIS CTF Quals 2021 – ASCII art as a service”

Hacky Easter 2021 writeup

HackyEaster was awesome again. From a technical point of view there weren’t too many new things, but the creativity of the provided challenges made it really fun. Including the little teaser challenge there was a total of 37 challenges. These challenges were divided into different levels. You could only proceed to the next level if you had earned enough points in the current level. I really liked that new idea.

Continue reading “Hacky Easter 2021 writeup”

HACKvent20 writeup

This year’s HACKvent, hosted on competition.hacking-lab.com, has been as great as every year.
There was a total of 28 awesome challenges with varying difficulties.
HV20.(-1) Twelve steps of christmas
HV20.01 Happy HACKvent 2020
HV20.02 Chinese Animals
HV20.03 Packed gifts
HV20.04 Br❤celet
HV20.05 Image DNA
HV20.06 Twelve steps of christmas
HV20.07 Bad morals
HV20.08 The game
HV20.09 Santa’s Gingerbread Factory
HV20.10 Be patient with the adjacent
HV20.11 Chris’mas carol
HV20.12 Wiener waltz
HV20.13 Twelve steps of christmas
HV20.14 Santa’s Special GIFt
HV20.15 Man Commands, Server Lost
HV20.16 Naughty Rudolph
HV20.17 Santa’s Gift Factory Control
HV20.18 Santa’s lost home
HV20.19 Docker Linter Service
HV20.20 Twelve steps of Christmas
HV20.21 Threatened Cat
HV20.22 Padawanlock
HV20.23 Those who make backups are cowards!
HV20.24 Santa’s Secure Data Storage
HV20.H1 It’s a secret!
HV20.H2 Oh, another secret!
HV20.H3 Hidden in Plain Sight
Continue reading “HACKvent20 writeup”

Hacky Easter 2019 writeup

As every year, hacking-lab.com carried out the annual Hacky Easter event with 27 challenges. As usual, the variety of the challenges was awesome. I actually got the full score this year 🙂 Many thanks to daubsi, who gave me a nudge once in a while on the last challenges (you can find his writeup here).
Easy
01 Twisted
02 Just Watch
03 Sloppy Encryption
04 Disco 2
05 Call for Papers
06 Dots
07 Shell we Argument
08 Modern Art
09 rorriM rorriM
Medium
10 Stackunderflow
11 Memeory 2.0
12 Decrypt0r
13 Symphony in HEX
14 White Box
15 Seen in Steem
16 Every-Thing
17 New Egg Design
18 Egg Storage
Hard
19 CoUmpact DiAsc
20 Scrambled Egg
21 The Hunt: Misty Jungle
22 The Hunt: Muddy Quagmire
23 The Maze
24 CAPTEG
Hidden
25 Hidden Egg #1
26 Hidden Egg #2
27 Hidden Egg #3
Continue reading “Hacky Easter 2019 writeup”

HACKvent18 writeup

For the sixth time in a row now, hacking-lab.com carried out the annual HACKvent. Each day from the 1st of December until the 24th a new challenge is published. I would have loved to spend more time on it, but time is a rare resource, especially on the days before Christmas 😉 After all, I managed to solve 21 of 24 tasks:

Easy
Day 01: Just Another Bar Code
Day 02: Me
Day 03: Catch me
Day 04: pirating like in the 90ies
Day 05: OSINT 1
Day 06: Mondrian
Day 07: flappy.pl
Medium
Day 08: Advent Snail
Day 09: fake xmass balls
Day 10: >_ Run, Node, Run
Day 11: Crypt-o-Math 3.0
Day 12: SmartWishList
Day 13: flappy’s revenge
Day 14: power in the shell
Hard
Day 15: Watch Me
Day 16: Pay 100 Bitcoins
Day 17: Faster KEy Exchange
Day 18: Be Evil
Day 19: PromoCode
Day 20: I want to play a game
Day 21: muffinCTF (Day 1)
Day 22: muffinCTF (Day 2)
Day 23: muffinCTF (Day 3)
Final
Day 24: Take the red pill, take the blue pill

Continue reading “HACKvent18 writeup”

Google CTF 2018 (Quals) – writeup JS safe 2.0

The qualifications for the Google Capture The Flag 2018 (ctftime.org) ran from 23/06/2018, 00:00 UTC to 24/06/2018 23:59 UTC.

The CTF was very well worked out. There were plenty of interesting and creative challenges.

This time I decided to focus on the web category and managed to solve the challenge JS safe 2.0, which was the easiest of the web challenges based on the number of solves. Nevertheless, it really took me some time to dodge all the pitfalls I stumbled upon while solving the challenge.

Continue reading “Google CTF 2018 (Quals) – writeup JS safe 2.0”