Welcome back to my walkthrough of hackthissite.org’s CTF missions. I will be going through my thought process of how I solved these missions, and therefore also giving away the solutions. If you came across this to give you hints, watch out for spoilers! Good luck, have fun.
Our next realistic mission asks us to hack into the school district server of our client and clear the list of blocked sites that students could access by breaching their admin portal.
As always, I will begin to approach this mission with a simple evaluation of how the frontend works. I will try to visit all accessible pages through the website and try to find anything that is interesting. The first thing that you notice is the following call stack when trying to acces the path /:
At the top of the webpage we can see a form that asks us to complete the URL of a page that we wish to access. Typing a test URL of google.com and pressing submit, we can see that the following call is made: /missions/realistic/12/cgi-bin/page.pl?url%3Dhttp%3A%2F%2Fgoogle.com, and after a webpage is returned, the iframe makes a call to /missions/realistic/12/cgi-bin/page.pl?url%3Dhttp%3A%2F%2Fgoogle.com which loads a ‘this page is blocked’ message. Shifting my attention back to the Heartland School District webpage, we can see that there are three main types of pages: {teacher pages, student work, testing scores}. The only thing that is interesting to note within all of these pages is the webpage of the student ‘Joey Simons’. On his webpage, there was a link to another page - /jsimons/guest.html - which hosts a form that calls /cgi-bin/guest.pl on some inputed user text and a hidden field named action that is set to write.
Now that the initial investigation is complete, its a little unclear as to the way forward. My first initial thought would be to try and figure out how the /cgi-bin/internet.pl script works. Entering random URLs, it is clear that it generates the webpage that we see - with the embedded iframe - and ensures that the iframe has the correct query string to the /cgi-bin/page.pl script. In turn, the /cgi-bin/page.pl script somehow determines whether the URL is allowed or not. Now, it is evident that the URI protocol that is suggested to be used is http, but I wonder if we could perhaps use a different protocol in order to find out more about the machine that this server is hosted on. More specifically, is it possible to use the file URI protocol in order to try and fetch file structure of the server. Trying the following URI: file:///C:/ succeeds in giving us a page for the ‘Index of file:///c:/’. The explanation of this URI is the following: Use the file:// protocol to fetch something off of the localhost (/) and fetch the C drive (C:/). We want to fetch the C:/ drive as it is the default drive for Windows and Unix systems. This would be handled as follows: the page.pl script will make a call using the file:// protocol to / - localhost - (which will only work if this service is available) to retrieve the contents of C:/ and then will send the ouput back to my client.
Now, whilst we can’t use the outputed page directly to traverse the file structure of this server, we can use it’s output to modify our URI in order to further traverse the server’s directory. Traversing the directory, we see that the following URI: file:///C:/WEB/HTML shows an interesting HTML file named heartlandadminpanel.html. Since this is in the HTML folder, I should be able to access this page directly by going to the following path: /heartlandadminpanel.html. This indeed did result with a login page for the admin section of the school district website. Looking at source code of the form, we can see that it makes a GET request to /cgi-bin/heartlandadminpanel.pl with a username and password field. Trying out some default username:password combinations results with nothing, so whilst I have found the admin portal page, I am once again pushed back to the drawing board.
Shifting my attention back to the /jsimons/guest.html page, and inspecting which calls are made, we can see that two calls are made once we submit a message to be added to the guestbook. The first call being /cgi-bin/guest.pl?action=write&text= and then a subsequent call to /cgi-bin/guest.pl?action=read&file=guestbook.txt. This suggests that we could possibly use the /cgi-bin/guest.pl script to read files that are not intended to; this would only be possible if they do not have any whitelist/blacklist for possible files that could be read using that script. Our target file to read would be /cgi-bin/heatlandadminpanel.pl in order to see whether we can figure out how the script works. Accessing the following path: /cgi-bin/guest.pl?action=read&file=heartlandadminpanel.pl does indeed give us the contents of this file as wanted. Looking at the code, we can see that there are some admin credentials hardcoded into this file: jbardus:heartlandnetworkadministrator. We can now use these credentials to access the admin panel.
Going back to /heartlandadminpanel.html, and entering the admin login credentials, we are presented with a form that can be used to add words to a search blacklist. There is a very convenient ‘clear all’ button which I will press to wipe the entire blacklist. With the press of this button, I have now completed this challenge.
See you all in the next one!