0423: We Like to Sell Bricks
Writeup for the Intigriti April 2023 challenge π₯
Last updated
Writeup for the Intigriti April 2023 challenge π₯
Last updated
Find the flag and win Intigriti swag.
Credentials are provided to log in as a normal user; strange:monkey
.
The intended path is to check the cookies and see the account_type
which determines the account role.
On the backend, the MD5 hash of the account_type
cookie is checked to see if the user has access to exclusive (pro) features:
However, there is a type juggling vulnerability meaning that an attacker can simply generate an MD5 hash that begins with 0e
, e.g. RSnakeUecYwT6N2O9g --> 0e126635149374886577950106830662
(more example hashes).
This is because when hashes start with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float
, meaning that loose comparisons, e.g. 0e126635149374886577950106830662 == "0"
return true .
According to the SQL DB, the admin role has a hash beginning with 0e
, e.g. ('admin','af1_2@df223g-$swea','RSnakeXKPLlGdf2gYf'),
. Therefore, replacing the cookie with one of these magic values will give the attacker access to new content.
Note: to help players along, a hint is also provided in the HTML comments of index_error.php
, which will display in error message: dev TODO : remember to use strict comparison
Viewing the source of the new dashboard.php
will reveal a comment:
Alternatively, players could conduct some content discovery and parameter fuzzing to get to the hidden /custom_image.php
endpoint.
If the player fuzzes the parameters for the custom_image.php
endpoint, they'll find https://challenge-0423.intigriti.io/custom_image.php?file= produces a Permission denied!
error.
The endpoint is vulnerable to LFI but ../../
are filtered and a simple regex will block www/web/images
:
The player needs to bypass this, e.g. with https://challenge-0423.intigriti.io/custom_image.php?file=www/web/images/......\flag.txt
This will load a corrupted image, by copying the base64 of the image from the html and decrypting it you can get the content of this file:
Decoded:
Now the player has a new endpoint to visit: https://challenge-0423.intigriti.io/e7f717ed-d429-4d00-861d-4137d1ef29ab/9709e993-be43-4157-879b-78b647f15ff7/admin.php
Whenever you visit this endpoint, as you are not an admin, you will be redirected to the login page.
Since the redirect is done incorrectly, loading the page content in the response and adding a simple location header, we have two possible ways to display the page.
Response manipulation; just change the 302 to 200 and remove the location
header with burp (match and replace), or simply intercepting the response and editing it manually.
Edit the username
cookie and set it from strange
to admin
, since the checking for the admin page is performed only on that cookie (weak).
Each time the admin page is loaded, the site logs the User-Agent
(as hinted in the logs endpoint). Since the user agent is saved by executing a terminal command, that header is vulnerable to command injection.
There are some security checks, such as removing some characters, spaces, and some functions but locked functions can be easily bypassed, e.g. cucurlrl
will become curl
:
As for the spaces, one way to bypass them is to use ${IFS}
or {ls,-la}
(commas will be replaced with spaces).
A simple payload to run a RCE would be to put this in your user agent:
For a shell: