Here are a few writeups for CSAW CTF. We participated as team dcua, a group of awesome people giving their best effort on the challenges.
Web 100
Solver: Aaditya Purani
Task: Orange V1
http://web.chal.csaw.io:7311/?path=orange.txt
At the time I solved it, the challenge was worth 400 points; later the points were shifted to 100. We can notice here that the path parameter fetches orange.txt and displays it. This is called ‘File Inclusion’. As mentioned in the challenge text, our goal is to read flag.txt, which would be the solution to this challenge. A month earlier I had read Orange Tsai’s Black Hat presentation and kept it in my notes, thinking it might appear in a CTF someday, and today was the day.
Here is the talk : https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
On slide #40 he explained the NodeJS Unicode failure. You may find the fullwidth Latin capital letter N here
http://graphemica.com/%EF%BC%AE
The UTF-16 (hex) representation of the letter is 0xFF2E, or \xFF\x2E. As Orange explained in his talk, NodeJS mishandles this character (the Unicode failure) and only \x2E survives, which is a dot (.). Now that you understand the basics, it’s finally time to exploit it.
For black-box testing, my first approach to any input is to determine its behavior. Let’s try this
http://web.chal.csaw.io:7311/?path=../orange.txt
We see the output WHOA THATS BANNED! They must be using a blacklist. So, I tried
http://web.chal.csaw.io:7311/?path=./orange.txt
That worked. After a few more inputs, it seemed that two consecutive dots are banned. So now we can use the fullwidth N and a dot to bypass the filter and traverse back a directory.
http://web.chal.csaw.io:7311/?path=Ｎ./flag.txt
flag{thank_you_based_orange_for_this_ctf_challenge}
Bonus:
This was easy. If we have file inclusion, that means we can possibly read the source code too. Why not do that for fun? The first thing is to know which files are present in the directory, so we need to see whether the server allows directory listing. You can check that using
http://web.chal.csaw.io:7311/?path=#/flag.txt
We see different files, but none of them are important, so we traverse one directory back and see what’s inside
http://web.chal.csaw.io:7311/?path=/Ｎ./#flag.txt
Great, we can see all the files, but server.js is our point of interest. We can dump the file using
http://web.chal.csaw.io:7311/?path=Ｎ./server.js
and you get the source code of the challenge. Now we can also analyse the code
if (path.indexOf("..") == -1 && path.indexOf("ＮＮ") == -1) {
  // something cool
} else {
  res.writeHead(403);
  res.end("WHOA THATS BANNED!!!!");
}
Now we can confirm that our black-box analysis was precise.
Bottom Line:
It would have been a more challenging question if the organizers had kept the flag under a lengthy, unpredictable file name instead of flag.txt in the directory above poems. That would have forced every solver to use the bonus method I showed. Remember: directory listing is very useful.
Web 300
Solver: Aaditya Purani
Task: Orangev3
http://web.chal.csaw.io:7312/?path=orange.txt
This one is relatively tougher. Even a single dot is blocked, and this time the fullwidth N is blocked as well.
http://web.chal.csaw.io:7312/?path=./orange.txt
After some trial and error, I concluded that any input ending in .txt would get through the filter. But that alone won’t help us traverse. To traverse you need dots, or you can try different encodings and other fuzzy stuff. In this case, none of those work. So, let’s dive back to basics
We saw earlier how Orange’s Unicode failure bug worked. Even if the filter now blocks the fullwidth N, the point to exploit remains the same: the low byte of your letter’s UTF-16 code unit should be \x2E. So we need to find more letters like that.
This is the bible for finding them: http://www.fileformat.info/info/charset/UTF-16/list.htm
This one looks promising (U+012E, Latin capital letter I with ogonek): http://www.fileformat.info/info/unicode/char/012e/index.htm
http://web.chal.csaw.io:7312/?path=ĮĮ/flag.txt
flag{s0rry_this_t00k_s0_m@ny_tries…}
Bonus:
This one is fun. Now I want to read the source code, and you know that we need directory listing. This time # is blocked, but %23 is not.
http://web.chal.csaw.io:7312/?path=ĮĮ/%23flag.txt
Sweet, we can see the files. The point of interest is server.js. So straightaway you may try something like
http://web.chal.csaw.io:7312/?path=ĮĮ/%23server.js
That didn’t work xD. This is why analyzing behavior is important. Read a few lines above and you will see that only .txt is allowed. Now, server.js is not .txt. Null bytes to the rescue (not really!)
The first thing to try in such a scenario is appending %00
http://web.chal.csaw.io:7312/?path=ĮĮ/server.js%00.txt
Blocked! Even though we have .txt, the null byte fails miserably. So, is it the end of the road? Nope. The solution is visible in the URL above itself.
Spoiler: Selectors (#)
I have used such bypasses before in real pentesting scenarios and was glad to find one in a CTF. So this should work, right?
http://web.chal.csaw.io:7312/?path=ĮĮ/server.js%23.txt
Blocked. What went wrong now? The answer is that we are using two dots instead of one. Now we can use the same Unicode letter to bypass that, and that’s our final attack vector
http://web.chal.csaw.io:7312/?path=ĮĮ/serverĮjs%23.txt
Source Code (Snipped)
if (no_ext.indexOf(".") == -1 && path.indexOf("ï¼®") == -1 && path.indexOf("%") == -1 && ext == '.txt') {
  // something cool
} else {
  res.writeHead(403);
  res.end("WHOA THATS BANNED!!!!");
}
Now we can see how accurate the black-box analysis was. I wanted not only to show the solution in a boring writeup, but to explain the methodology behind it. Flags may fade away, but knowledge never will. The challenge would have been even better if the flag name had been random instead of flag.txt, as that would force participants to think outside the box.
We finished 8th globally and 4th in the North America Undergraduate category. Overall, the CTF was awesome.
Thanks to NYU for the fun and pain of the past two days. See you next in New York!
Thanks for the writeups. Amazing work 🙂
I am following you for more write-ups 😀
You can actually just use double URL encoding for the first one! It’s very easy.
Yes, you can. But I wanted to disclose a different manner to solve the same problem.
There is another way to bypass the extension filter, you could use the character “?” or even %3F. 🙂
True, that works too 🙂
I can’t solve this problem at the competition but this was fun!
Good write-ups