Tue, Jun 22, 21
Welcome back to my walkthrough of hackthissite.org’s CTF missions. I will be going through my thought process of how I solved these missions, and therefore also giving away the solutions. If you came across this to give you hints, watch out for spoilers! Good luck, have fun.
Our next realistic mission asks us to take down the Elbonian National Republican Party website on behalf of the Anarchists of Elbonia.
Once again, I will explore the website to try and see if I can find anything that is interesting. Inspecting the homepage, we can see that the root folder hosts all the front facing webpages: {index.php, news.php, debates.php, members.php, newsletter.php, mailinglist.php, speeches.php, press.php, economy.php}. Furthermore, all images are hosted in a subfolder named /images/. Accessing the ‘News’ webpage from the navigation bar, we can see that it defaults to the following querystring ?month=all. Testing the following query string ?month=test results with the following error message:
MySQL Error Reported: row "test" does not exist
Error in query: "SELECT post, date FROM newsTable WHERE month ="test"
This suggests that this page is sucsceptible to SQL injection. Moving on, the ‘Newsletter’ webpage has an interesting message stating:
One thing to remember though, when you want to order our newsletter, make sure you have the hidden login url and your password handy.
Thus, it is possible that there is some sort of hidden page that we could try to access that can have further vulnerabilities. Moving on, the ‘Mailing List’ has a form that makes a POST request to /addmail.php with an email as a field. Entering an email test results with the message:
"test" is not a valid email address
Entering an email test@test.com results with:
"test@test.com" could not be added to "emails_table"
Please Contact Administrator
We now know two tables that are present within their database: {newsTable, emails_table}.
Accessing the ‘Speeches’ webpage, we can see that it hosts a form that makes a POST request to /speeches2.php with a speech select field that returns that the speeches are not yet ready to be displayed. Sending a custom POST request using Postman - with Postman Interceptor to quickly setup all the proper headers/cookies - where the speech value is not set, results with the following error message:
The following speeches have been given already:
SPEECH: could not be found
Warning
[2] include(C:\Program Files\Apache Group\Apache2\ENRP\oldsite\speches.php): failed to open stream: No such file or directory
Error on line 18 in /www/hackthissite.org/www/missions/realistic/13/speeches2.php
Warning
[2] include(): Failed opening 'C:\Program Files\Apache Group\Apache2\ENRP\oldsite\speches.php' for inclusion (include_path='.:/usr/local/share/pear')
Error on line 18 in /www/hackthissite.org/www/missions/realistic/13/speeches2.php
Warning
[2] include(C:\Program Files\Apache Group\Apache2\ENRP\21232f297a57a5a743894a0e4a801fc3\speches.php): failed to open stream: No such file or directory
Error on line 24 in /www/hackthissite.org/www/missions/realistic/13/speeches2.php
Warning
[2] include(): Failed opening 'C:\Program Files\Apache Group\Apache2\ENRP\21232f297a57a5a743894a0e4a801fc3\speches.php' for inclusion (include_path='.:/usr/local/share/pear')
Error on line 24 in /www/hackthissite.org/www/missions/realistic/13/speeches2.php
Warning
[2] include(C:\Program Files\Apache Group\Apache2\ENRP\admin\passes.php): failed to open stream: No such file or directory
Error on line 25 in /www/hackthissite.org/www/missions/realistic/13/speeches2.php
Warning
[2] include(): Failed opening 'C:\Program Files\Apache Group\Apache2\ENRP\admin\passes.php' for inclusion (include_path='.:/usr/local/share/pear')
Error on line 25 in /www/hackthissite.org/www/missions/realistic/13/speeches2.php
Whilst this error doesn’t give anything away, it does suggest that there is an ‘admin’ portal within the /admin/ path, with a possible endpoint being /admin/passes.php.
Accessing the ‘Press Releases’ webpage, we can see the same behaviour, a POST request is made to /readpress.php with a release field that returns a press release but all press releases are not yet ready to be displayed. Sending a custom POST request using Postman, where the release value is not sent, the following error message is displayed:
MySQL Error: "" row does not exist in table "press_table";
Warning: Unexpected character in input: '\' (ASCII=92) state=1 in C:\Program Files\Apache Group\Apache2\ENRP\readpress.php on line 33
Error in query:
error_reporting(E_ALL);
$service_port = "80";
$address = "localhost";
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
$in = "GET /speeches/passwords/" . md5('Speeches') . "";
$in .= "REFERER: http://ENRP/get_speeches_passwords_referer\n";
$in .= "\n\n";
$out = '';
socket_write($socket, $in, strlen($in));
echo "OK.\n";
include(\"C:\Program Files\Apache Group\Apache2\htdocs\ENRP\includes\special.php\");
include(\"C:\Program Files\Apache Group\Apache2\htdocs\ENRP\includes\f
ooter.php\");
include(\"C:\Program Files\Apache Group\Apache2\htdocs\ENRP\includes\arrange.php\");
?>
This error message, compared to the one prior, is much more important. Firstly, it shows that there exists an endpoint marked as /speeches/passwords/ that holds a file that is obfuscated as it is the MD5 hash of the string Speeches. Futhermore, it shows that there exists another directory named /includes/ which hosts the following pages: {special.php, footer.php, arrange.php}.
Finally, the initial investigation is complete. The following structure is so far evident:
My first step will be to try and fetch this /speeches/passwords/ file that was shown in the prior error message. Firstly, using the Linux terminal, we can find the hash of the word Speeches by using the following command: echo -n Speeches | md5sum. This outputs 7e40c181f9221f9c613adf8bb8136ea8 as the md5 hash. Inputting the path /speeches/passwords/7e40c181f9221f9c613adf8bb8136ea8, results with a directory listing with a single file within this directory named passwords.fip. In this file, there contains only one username:password combo, that being 7bc35830abab8fced52657d38ea048df:21232f297a57a5a743894a0e4a801fc3. Since they’ve already used MD5 as their hashing algorithm, I will assume that the username:password combo have both been hashed using MD5. Using JohnThe Ripper to crack these hashes, I got the following output for the unhashed username:password pair: moni1:admin.
Now that I have a username:password pair, my next step is to try and find that admin portal that was exposed by the aforementioned error message. Simply visiting the path /admin/ shows the login page. Entering our cracked credentials, we receive a message saying that:
"admin" does not match password for "moni1"
This suggests that this is obviously not the correct credentials for this login form. One thing to note, from that same error that exposed the /admin/ path, is that there are two other paths: {21232f297a57a5a743894a0e4a801fc3/, oldsite/}.
Accessing the /oldsite/ path, you get a message saying the following:
Devs, we need to destroy the password "imhomealone" because, it's been leaked somehow - Daruman - August 9th
Accessing the /21232f297a57a5a743894a0e4a801fc3/ path, we are presented with another login page. Entering the cracked credentials that I obtained into this portal results with a message saying I have completed the mission!
See you all in the next one!