Monday, November 12, 2012

Hackin' the Boss [Part 1]

After attending a local OWASP chapter conference, DA "The Boss" decided that he wanted to replicate the CTF experience for those of us on the Analysis Team at DSWRX in Providence.

Here's a quick write-up of my experience as a simulated "Pentester" (a complete 180 from my normal work role).

The server was built using the latest [as of September 2012] Ubuntu Server with a typical, updated LAMP installation. All source code for the actual CTF web app was obtained from the previously mentioned OWASP meeting. This setup led to the first problem: the updated PHP was not vulnerable to the Metasploit module /unix/webapp/php_eval, and thus one of the 12 flags was not obtainable. 11 to go!

I only looked at the actual webpage, a domain provided by a co-worker, once, to look for potentially injectable parameters. Since I had not previously taken part in a scenario like this, I wanted to experiment with some of the tools packaged with the excellent BackTrack 5r3.

I started up my local version of BackTrack, logged into a not-at-all suspicious VPN, and fired up Burp Suite (free edition) to start mapping the entire website. Immediately I saw that the typical "test.php" page was still enabled, which typically provides a verbose listing of server and application configuration. I mentioned this to "The Boss" eventually and it was then disabled. Following that I found the first flag using a relatively simple XSS. The second flag quickly followed as I was browsing through the completed spider report and found a URI for "flag" (a text file in /var/www/). Having exhausted the obvious options, it was time to start reading the source code!

From a quick review of the source, I was able to find: an additional flag (#3), default MySQL credentials (hard-coded), and a parameter to test for SQLi. After a quick test it was pretty clear that the "id" parameter was vulnerable to SQLi, and so, after some useless spamming of the webpage with w3af, it was time to get down to business.
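To show what the two source-review findings above look like in a LAMP app, here is an added PHP illustration (not the CTF application's own code): the injectable "id" lookup with hard-coded MySQL credentials, beside a hardened version that validates the parameter, binds it in a prepared statement, and reads credentials from the environment. The table name, column names and environment variable names are assumptions.

```php
<?php
// Added illustration, not the CTF application's source. Table/column names
// (items, id, title) and DB_* environment variables are assumed.

// --- Vulnerable pattern: hard-coded credentials + string-built query ---
const DB_USER_HARDCODED = 'root';   // credentials baked into a served file
const DB_PASS_HARDCODED = 'root';

function vulnerableLookup(mysqli $db, array $get): ?array
{
    // Attacker-controlled input is concatenated straight into SQL, so any
    // value in ?id= is parsed as part of the query, not as data.
    $sql = "SELECT id, title FROM items WHERE id = " . ($get['id'] ?? '');
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// --- Hardened pattern ---
function connect(): PDO
{
    // Credentials live outside the web root (environment or config file),
    // never as constants in PHP that a stray test page or backup can expose.
    $dsn  = getenv('DB_DSN') ?: 'mysql:host=127.0.0.1;dbname=ctf;charset=utf8mb4';
    $user = getenv('DB_USER');
    $pass = getenv('DB_PASS');
    if ($user === false || $pass === false) {
        throw new RuntimeException('DB_USER / DB_PASS not set');
    }
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

function safeLookup(PDO $db, array $get): ?array
{
    // 1. Validate the shape first: id must be a positive integer.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject outright; do not try to "clean" the value
    }
    // 2. Bind the value; it is transmitted as a parameter, never parsed as SQL.
    $stmt = $db->prepare('SELECT id, title FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```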

1 comment:

  1. When this CTF first aired at the Boston OWASP conference, I used the XSS on the front page to redirect everyone to my fake CTF at Had a bunch of people solving the wrong CTF all day long.

    The creator of the CTF found out about this when people found my fake flag and followed instructions:

    I love CTF's and puzzles.