VoidSec CTF: Secure the Flag – Writeup
It has been a while since my last blog post, so I’m (finally) writing the write-up of the VoidSec CTF: Secure the Flag.
The CTF was made possible thanks to the sponsorship of Bitdefender, which put up some licenses for its product as a prize for the first three winners.
This CTF was web based: no binary exploitation, reverse engineering or crypto was involved.
Before I dive in deep, let me explain what the goal of this CTF was and why it is different from many others:
- All the vulnerabilities were designed to be impossible to find with automatic commercial tools (Acunetix, Netsparker, …); moreover, such tools were banned from the competition through automatic payload detection with no false positives. Only real players were allowed to compete.
- All challenges were inspired by real situations and ACTUAL vulnerabilities, mainly because as a CTF player I really hate finding improbable ciphers (Vigenère in 2017? Seriously?), improbable situations and too ‘forced/unrealistic’ bugs. Lastly, this contest was made to let the players think about the famous “butterfly effect” and chain even the smallest and most insignificant vulnerabilities to reach the goal.
- It was like a real penetration test assignment. The aim of the CTF wasn’t to reward the fastest player able to solve it but to assign the prizes to the three most professional ones. In fact, the main goal of the CTF was not to grab all the flags and simply submit them: players had to discover all the vulnerabilities, find and download the source code, fix it and write a report of the full penetration test and source code review, plus the patches.
- I would just like to mention that this CTF has a very short background story based on the Fight Club novel and many false paths that lead to trolls and funny Easter eggs.
Let me tell you in advance that the results were very disappointing.
Here you can see the “mind map” of the CTF. I always write one during the development phase because it helps me go through all the “planted” vulnerabilities, keep track of the players’ status, review the entire platform and add some bonus content or trolls.
As you can see, even a web-only, low/medium skill level platform with few interactions between files and only one path to solve the entire platform can grow a lot as a mind map.
However, let’s see how this platform can be solved. I will not spoil all the fun by revealing every vulnerability, caveat, troll or Easter egg, because some of you may like to play with it; in that case, PM me on Twitter.
Step 1, Information Gathering:
Once registered, every player received a link like this: alpha.voidsec.com
But if someone tried to visit the website, nothing would be shown.
Information Gathering is the key. I can’t stress this enough: it is always the key.
OK, the next thing to do is a full port scan against the machine to discover which ports and services are open:
nmap -Pn -sS -p- -T4 -vv -oA voidsec-ctf target
After some minutes, this should be, pretty much, the result:
PORT      STATE SERVICE
22/tcp    open  ssh
62222/tcp open  unknown
65324/tcp open  unknown
I would like to spend a minute on these ports. While 22 should be SSH, 62222 and 65324 are, for sure, something that should be investigated further.
In this case, 22 was an SSH honeypot (expert penetration testers or players should be able to identify them); I also have an ongoing project on GitHub that should be able to identify the major honeypots based on different tests and their results.
Port 62222 was my real SSH server, which in the first release of the CTF I left visible and not firewalled. It was possible to connect only with my key, but it is usually not recommended to leave SSH exposed (you know, brute-force attacks).
Port 65324 was the real web server port and the place to start the CTF.
Once reached, the web server will reply with this page:
As you can see there are two buttons and four different links.
The first button provides some hints about the CTF, mainly good practices and the think-outside-the-box mindset needed to break through the platform. The second one spawns a pop-up with this message: “In my day I used to start with a bit of healthy Information Gathering”.
The links redirect to the homepage, registration of a new account on the game platform, login and Rules & ToS.
First things first, brute force files and directories:
- /backup-recovery (backup folder)
  - list.bak (list of probable valid users on the platform)
- /default (troll folder)
- /eLprZw6c (admin folder with a non-dictionary-word name, found in robots.txt)
  - Error 403 – Forbidden. This interface is only accessible from: 144.11.32.239
  - BTW: XSS in cookie and authentication bypass (changing the value to the expected one)
- /include (config files and old backup files here)
  - config.php.bak (old database config settings and parameters)
- /phpmyadmin (very troll folder, fake phpMyAdmin installation with rickroll video)
Step 2, User Enumeration:
The register.php page is affected by a user enumeration flaw; combining it with the user list we gained before lets us discover valid usernames for the platform.
Once you have discovered a valid username and guessed its password with a dictionary (rockyou is still your friend), you will be able to log in to the secure club.
The secure club plants a very strange cookie once logged in:
c3VrdW1hcjpOeklnTmpVZ05tUWdOalVnTm1RZ05qSWdOalVnTnpJZ05XWWdObVFnTmpVPTowOjE0ODY4OTkwNTE%3D
Once decoded from base64:
lollian:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
I will skip the explanation of this cookie and its values (there is more you can discover about it).
However, this cookie (in one of its values) was SQL injectable.
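As an added example (not code from the CTF platform itself), here is a strict parser for the cookie layout shown above. The cookie is constructed here by re-encoding the decoded line from the post; the field meanings (username, inner token, user type, issue timestamp) are my assumption, and the point is that allowlist validation of each field before it ever reaches a query is what removes the injection surface mentioned above.

```python
import base64
import re
import urllib.parse

# Constructed from the decoded cookie shown in the post. Assumed layout:
# <username>:<inner base64 token>:<user type>:<unix timestamp>
DECODED_EXAMPLE = "lollian:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051"

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def encode_cookie(plain: str) -> str:
    """Outer layer as the platform applied it: base64, then URL-encoding (the %3D padding)."""
    return urllib.parse.quote(base64.b64encode(plain.encode()).decode(), safe="")


def parse_cookie(raw: str) -> dict:
    """Strictly parse the session cookie; raise ValueError on anything unexpected."""
    try:
        plain = base64.b64decode(urllib.parse.unquote(raw), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("cookie is not valid URL-encoded base64") from exc
    parts = plain.split(":")
    if len(parts) != 4:
        raise ValueError("expected exactly 4 colon-separated fields")
    user, token, utype, ts = parts
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("username contains characters outside the allowlist")
    if not B64_RE.fullmatch(token):
        raise ValueError("token is not base64")
    if not (utype.isdigit() and ts.isdigit()):
        raise ValueError("user type and timestamp must be unsigned integers")
    # Only typed, validated values leave this function, so a parameterised
    # query built from them has no string left for an attacker to inject into.
    return {"user": user, "token": token, "type": int(utype), "issued": int(ts)}


def decode_token(token: str) -> str:
    """The inner token is base64 of space-separated hex byte values; decode it to text."""
    hex_pairs = base64.b64decode(token, validate=True).decode("ascii").split()
    return bytes(int(h, 16) for h in hex_pairs).decode("ascii")


def is_rejected(raw: str) -> bool:
    """True when the strict parser refuses the cookie."""
    try:
        parse_cookie(raw)
    except ValueError:
        return True
    return False
```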
Step 3, Data Dump:
At this point you should be able to dump the available users from the database.
One of them glows in the night because it is the only one with a different user type (something that could be an admin or a user with different privileges).
Step 4, Password Cracking:
Once you have dumped the password hash and recovered the right salt and password format (information gathering again), you should be able to crack the hash in less than 40 minutes, depending on your hardware configuration.
Step 5, Fu*k The System:
At this point you have an admin account and its password, and you are finally able to log in to the admin interface and try to upload a shell (there is an upload functionality that you can try to exploit). Now you can choose: in some versions of the platform a PHP shell (and some extension escaping techniques) should be enough; in another version (with an increased difficulty level) you should exploit the XML External Entity injection to read files from the file system.
There is a very specific folder (you cannot miss it) containing a file and a password; now you should test all the OpenSSL ciphers and find the right one. Once decrypted, you will be able to read the source code of the CTF, perform the source code audit (and maybe discover some missed vulnerabilities) and finally write and submit the report.
Conclusion: why am I so disappointed?
Mainly because the first version of this CTF was “submitted” to the Italian “underground” and cyber professionals, and these were the results of the first round:
One hundred players; eight of them were banned by the detection tools (they were using [unlicensed] commercial tools whose names I stated at the beginning); only two users were able to reach the second step, and there they remained until the end of the competition. No one could reach the end and get the source files, only four out of twelve vulnerabilities were found and in some way exploited, and I received only one (very) partial report.
Now, apart from random players, students and people who do not properly belong to this field, many experts (or so defined) participated in this competition and none of them was able to solve a low/medium level scenario. In my opinion, this is something to think about: most contestants couldn’t think like a professional hacker.
To pre-empt one of the most common questions after this article: where can I find/play/download this platform?
You cannot, at least for now, mainly because I’m using it during one of the multiple steps of my recruitment process. But never say never…
VoidSec