One Article Review
| Source |  SkullSecurity |
|---|---|
| Identifiant | 8300179 |
| Date de publication | 2022-06-17 20:19:18 (vue: 2023-01-11 16:56:04) |
| Titre | BSidesSF 2022 Writeups: Apache Challenges (mod_ctfauth, refresh) |
| Texte | Hey folks, This is my (Ron's / iagox86's) author writeups for the BSides San Francisco 2022 CTF. You can get the full source code for everything on github. Most have either a Dockerfile or instructions on how to run locally. Enjoy! Here are the four BSidesSF CTF blogs: shurdles1/2/3, loadit1/2/3, polyglot, and not-for-taking mod_ctfauth, refreshing turtle, guessme loca, reallyprettymundane Refreshing - Reverse proxy mischief The Refreshing challenge implements a reverse proxy that checks the query string for mischief, and attaches a header if it's bad. If the PHP application with a blatant vulnerability sees that header, it prints an error and does not render. This was actually based entirely on CVE-2022-1388 (the name "Refreshing" is a nod to F5) - you can see my Rapid7 writeup on AttackerKB. This was absolutely new to me when I worked on that vuln: the Connection HTTP header can remove headers when proxying. That means if you set Connection: Xyz while proxying through Apache, it will remove the header Xyz when forwarding. This worked out of the box on Apache! I initially tried Nginx, and it did not work there - not sure why, maybe they don't implement that header the same? Anyway, to solve this, all you have to do is set the header Connection: X-Security-Danger on the request, then take advantage of the path traversal on the PHP site: $ curl -H 'Connection: X-Security-Danger' 'http://refreshing-d7c0f337.challenges.bsidessf.net/index.php?file=../../../../../../../flag.txt' CTF{press_f5_to_continue} mod_ctfauth - A custom Apache authentication module mod_ctfauth is a fairly simple Apache authentication plugin. It checks a username and token, then decides whether to grant access. I wrote it at the very last minute, because at work I was reverse engineering some Apache plugins and thought it'd be a good excuse to learn. And it worked! I've been re-using the container to test out more Apache stuff this week! The source for the challenge is here. As you can see, it's really pretty straight forward - you can expect something more interesting next year, now that I know how these plugins work! The bulk of the challenge is the following code (I removed a bunch of extra checks to shorten it down): char *username = (char*)apr_table_get(r->headers_in, USERNAME_HEADER); if(strcmp(username, "ctf")) { return AUTHZ_DENIED; } char* header = (char*)apr_table_get( r->headers_in, HEADER); char *encoded_token = header + strlen(TOKEN_PREFIX); int actual_length = apr_base64_decode(decoded_token, encoded_token); [...] apr_md5_ctx_t md5; apr_md5_init(&md5); apr_md5_update(&md5, SECRET, strlen(SECRET)); apr_md5_update(&md5, username, strlen(username)); apr_md5_update(&md5, SECRET, strlen(SECRET)); char buffer[HASH_LENGTH]; apr_md5_final(buffer, &md5); if(memcmp(buffe |
| Envoyé | Oui |
| Condensat | 'connection: 'http://refreshing &md5 *encoded *username /flag 1388 2022 >headers absolutely access actual actually advantage all and anyway apache aplog application apr are attaches attackerkb authentication author authz bad base64 based basically because been blatant blogs: box bsides bsidessf buffer bulk bunch calculate can challenge challenges change char char* checks code connection connection: container continue ctf ctf: ctfauth ctx curl custom cve d7c0f337 danger danger' decides decode decoded denied; did dockerfile does doesn doesn't don down easy either encoded engineering enjoy entirely error everything excuse expect extra fairly file= final folks following for forward forwarding four francisco free full get github good grant guessme hash have header headers here hey how http iagox86 implement implements init initially instructions int interesting know last learn length loadit1/2/3 loca locally log mark match maybe md5 md5; means memcmp minute mischief mod module more most name net/index new next nginx nod not now out path php plugin plugins polyglot prefix press pretty prints proxy proxying query quite rapid7 really reallyprettymundane refresh refreshing remove removed render request requires rerror return reverse ron run same san secret security see sees send set shorten shurdles1/2/3 simple site: solve some something source straight strcmp string strlen stuff sure table take taking test that the then there these they this thought through token traversal tried turtle txt' update username using very vuln: vulnerability warning was week when whether which while why will with work worked writeup writeups writeups: wrote xyz year you |
| Tags | Vulnerability |
| Stories | |
| Notes | ★★★★ |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.