English [9447 CTF 2015] [Web 200 – nicklesndimes] Write Up

Description

Nick’s been eating your grandmother’s strombomi.
Head over to http://nicklesndimes-wq3mhu8l.9447.plumbing.
Gain access to his admin account.

Resolution

We began to check on the Github for the Mellivora CTF engine used by 9447 for security fixes.
https://github.com/Nakiami/mellivora
Moving between commits, fixes etc. but nothing interesting.

Hours later, we decided to reset our account, just for testing purpose.

This is the mail we received:

Password recovery for account PERTE 
From: No Reply <blackhole@9447.plumbing>
Subject: Password recovery for account PERTE
PERTE, please follow the link below to reset your password:
http://nicklesndimes-wq3mhu8l.9447.plumbing/reset_password?action=choose_password&auth_key=f8ff22e00040028a777e04d926645f42&id=199
Regards, Nick Les' Dimes

As you can see, the auth key is a simple md5.
In the real code, a sha256 hash is generated:

$auth_key = hash('sha256', generate_random_string(128));

Source: https://github.com/Nakiami/mellivora/blob/master/htdocs/actions/reset_password.php#L49

We checked on Google for “f8ff22e00040028a777e04d926645f42“, and we found the plain text was “PERTE“, our test team name 🙂

Next step was to find the email of the admin, but we already had an email of him no?
Remember … “From: No Reply <blackhole@9447.plumbing>” 😉

Entering his email into the reset password page (http://nicklesndimes-wq3mhu8l.9447.plumbing/reset_password) gave us :
reset_pwd

A reset_password has been issued in the DB (as seen : https://github.com/Nakiami/mellivora/blob/master/htdocs/actions/reset_password.php#L51)
It’s time to change the password : the auth_key will be the team name (admin), and the id will be 1.

auth_key                          plain md5   id
21232f297a57a5a743894a0e4a801fc3  admin       1

The link has to be :
http://nicklesndimes-wq3mhu8l.9447.plumbing/reset_password?action=choose_password&auth_key=21232f297a57a5a743894a0e4a801fc3&id=1
Yeah, it was OK ! We changed the password ! 😀
change_passwd

But when we tried… It was wrong 🙁
Probably another team reseted it at the same time. No worries!
wrong_passwd

Reseting the password again, we got the following message (WTF is whitelist ?)
IP_not_allowed

The only thing we can do for “changing” to an allowed IP is to use the X-Forwarded-For header.
Ok, but the IP ? How to find it?
With a DNS request! 🙂

9447.plumbing: 104.28.13.28, 104.28.12.28

proxy

We tried to relog again, and we got the flag! 😉

flag

Flag was : 9447{Bqt2xYjgOkKV91cvX1kd89DN2o0Q4BkK}.

2 thoughts on “[9447 CTF 2015] [Web 200 – nicklesndimes] Write Up”

  1. hum. for me the X-Forwarded-For header wasn’t working, had to add the IP to the whitelist.

    I found the following code in a .js that was included in the html (http://nicklesndimes-wq3mhu8l.9447.plumbing/js/mellivora.js):

    function whitelist_ip(i,t){
      $.post("admin/actions/new_ip_whitelist",{action:"new",user_id:i,ip:t})
    }
    

    It was possible to execute whitelist_ip( 1, YOUR_IP ); from the developer console when logged in with a regular user, then log out / login with admin => works!.

    1. I tried to add my own IP with a XHR request from this JS like you said but was KO for me.
      That’s why I finally used this header. 🙂
      Maybe someone has later added the IP for 9447.plumbing and I used it!
      Thanks for the reply, good to see our ideas are never useless 😀

Leave a Reply

Your email address will not be published. Required fields are marked *