Writeup: 0x00sec CTF - Exercise #4

Writeup CTF 0x00sec Web - Exercise #4

Another day, another ctf challenge. This time no. 4 of the web exercises

The Challenge

Like always we take a look at the page source first. Because after 3 challenges, we know that we most likely get a hint from there.

And yet again, we have a hint. This time it is:

<!-- TODO: -->
<!-- * Restrict debug log access-->

We now know, that we have somewhere an accessible log file. But how to find it?

The Attack

There are multiple ways of finding some files. One easy way would be to spin up gobuster and see if we get any results. I did it in the background while manually testing.

If you’re lucky you can also just guess the file name. I’ve tried debug.txt, log.txt and some other variations. But found nothing.

However, I also checked robots.txt. As it is present in most websites and can have some information leakage. The robots.txt handles what files and folders should be indexed or not indexed by search machine bots.

Which is kind of funny, because you are explicitly putting sensitive information in there. Like hey, we have a secret file or endpoint which should not be shown in google. But then it is in your robots.txt to prevent google from indexing it.

Well, we have luck because there is a robots.txt

robots

And gobuster also returns us this result:

gobuster

If we access the log, we see it’s content.

There are several entries that are looking like this one.

Timestamp: 1584680782
Host: exercise-4.0x00sec.dev
Connection: close
X-Real-Ip: 138.197.209.37
X-Forwarded-For: 138.197.209.37
X-Forwarded-Proto: https
X-Forwarded-Ssl: on
X-Forwarded-Port: 443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Accept: */*
Cookie: PHPSESSID=4a95c7eedff98581d964f7a8f74da9e5

We can assume that the entries will get appended in chronological order.
You can also checkout the timestamps and convert them with for example unixtimestamp.com to be sure.

Depending on when you make this challenge the debug log can be quite big. And sometimes the browser can have problems displaying it.

We can download it with wget and show it’s content with less.

wget https://exercise-4.0x00sec.dev/debug.log

less +G debug.log.html

The +G will scroll to the bottom of the file. + for immediately invoke a command and G to scroll to the end of the file.

From here it should be relatively easy, because the debug.log contains the PHP Session Cookie. We can try a Session Hijacking Attack.

To perform this attack, we need to latest cookie. Thats why we scrolled to the end of the file.

We just copy the PHPSESSID value, open chrome devtools and replace our PHPSESSID value with the one from the debug.log.

After we refresh the page we should be logged in and see the flag.

Conclusion

This is a very cool exercise and a serious vulnerability. In the end of last year, someone was able to hijack the session of a hackerone employee and gained access to all private programs and bug reports.

https://hackerone.com/reports/745324

4 Likes

Nice one! I love that image you add with the pink “CTF” at the bottom :smile:

2 Likes

Awesome writeup, I must say I really like the custom banner you put together! Do you have a source file we can update the main site with? Looks dope!

PS:

I never knew this trick! Thanks!

1 Like

Haha thanks. Sadly I don’t have the source file anymore. I just grabbed the 0x00sec logo and added the CTF which is this font: https://www.dafont.com/painted.font

2 Likes

Updated!!

ctf.0x00sec.org :smiley:

2 Likes

Thanks for linking that report at the end! See how a stolen cookie was used to access a whole SSO session really highlights the impact of this vulnerability.

1 Like