Saturday, October 27, 2012

"Damo" Web Security Challenge I Writeup


I ran across some web-oriented security challenges, and thought I would take a quick break from the Stack the Smash writeups (more of which are coming soon) to create a writeup for these security challenges as they are solved. If you would like to try the challenges for yourself, you can find them here. Thanks to "damo" for setting these challenges up!

Security Challenge I

For this challenge, we are presented with a page containing the aim of the challenge (tl;dr find weakness, sign the Hall of Fame), along with the rules of the challenge. With this information, let's see what we can find. We can start by noticing that there is a '/admin' directory link in the bottom-right corner of the page. Access to this directory appears to be password protected, so we can guess that we likely want to find the password (or bypass this authentication) to gain access to the administrative pages.

Then, we can view the Hall of Fame page and we notice the URL looks like the following:

We can suppose that 'halloffame' is likely a page name, and the content of the file is likely being included in the 'index.php' page. We can immediately suspect an LFI/RFI vulnerability, which could allow us to access otherwise unavailable pages. After preliminary RFI testing failed, I decided that I would proceed by exploiting the LFI vulnerability.

The next step is to figure out which files to include so that we can obtain access to the administrative directory.  My first guess (which turned out to pay off) was that the directory was protected by .htaccess and .htpasswd files. So I first try to access the following URL:

Accessing this URL returns the following error message:

 Warning: include(admin/.htaccess.php) [function.include]: failed to open stream: No such file or directory in /www/ on line 22  
 Warning: include() [function.include]: Failed opening 'admin/.htaccess.php' for inclusion (include_path='.:/usr/lib/php') in /www/ on line 22  

We can see from this error message that '.php' is automatically appended to our filename, so we must end our filename with a NULL byte () to prevent the '.php' extension from being applied. We then try the following URL:

Accessing this URL results in the contents of the .htaccess file for the /admin directory to be displayed, which tells us the location of the .htpasswd file:

 AuthType Basic AuthName "Restricted Access!" AuthUserFile /www/ Require user damo  

This file tells us that the .htpasswd file is located in the '/hiddenfoldersch1' directory, which is within the web root. Therefore, we can use the same LFI vulnerability to access the contents of this file with the following URL:

After accessing the contents of this file, we are presented with the hashed credentials for the 'damo' user:


Let's throw this hash into John the Ripper using the popular 'rockyou.txt' wordlist and see what we can find.

We can see that within 3 seconds we were able to obtain the valid password corresponding to the hash, giving us the final credentials damo:explosion. We can then use these credentials to log in to the /admin directory and sign our name into the Hall of Fame.

This challenge was fairly basic, though before this I hadn't had too much experience with .htaccess and .htpasswd files. Again, a big thanks goes out to 'damo' for creating these challenges!

As always, if you have any questions or comments, let me know!

- Jordan

No comments:

Post a Comment