Writeup CTF 0x00sec Web - Exercise #4
Another day, another CTF challenge. This time it is no. 4 of the web exercises.
The Challenge
As always, we take a look at the page source first, because after 3 challenges we know that we will most likely get a hint from there.
And yet again, we have a hint. This time it is:
<!-- TODO: -->
<!-- * Restrict debug log access-->
We now know that there is an accessible log file somewhere. But how do we find it?
The Attack
There are multiple ways of finding files. One easy way is to spin up gobuster and see if we get any results. I ran it in the background while testing manually.
If you're lucky you can also just guess the file name. I tried debug.txt, log.txt and some other variations, but found nothing.
However, I also checked robots.txt, as it is present on most websites and can leak some information. The robots.txt tells search engine crawlers which files and folders should or should not be indexed.
That is kind of funny, because you are explicitly putting sensitive paths in there: hey, we have a secret file or endpoint which should not show up in Google, so we list it in our robots.txt to prevent Google from indexing it.
Well, we are in luck, because there is a robots.txt.
And gobuster also returns this result:
If we access the log, we see its content.
There are several entries that look like this one:
Timestamp: 1584680782
Host: exercise-4.0x00sec.dev
Connection: close
X-Real-Ip: 138.197.209.37
X-Forwarded-For: 138.197.209.37
X-Forwarded-Proto: https
X-Forwarded-Ssl: on
X-Forwarded-Port: 443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Accept: */*
Cookie: PHPSESSID=4a95c7eedff98581d964f7a8f74da9e5
We can assume that the entries are appended in chronological order. You can also check the timestamps and convert them, for example with unixtimestamp.com, to be sure.
Depending on when you do this challenge, the debug log can be quite big, and sometimes the browser has problems displaying it.
We can download it with wget and show its content with less.
wget https://exercise-4.0x00sec.dev/debug.log
less +G debug.log
The +G option scrolls to the bottom of the file: + tells less to run a command immediately on start, and G is the command that jumps to the end of the file.
From here it should be relatively easy, because the debug.log contains the PHP session cookie. We can try a session hijacking attack.
To perform this attack, we need the latest cookie. That's why we scrolled to the end of the file.
We just copy the PHPSESSID value, open the Chrome devtools and replace our PHPSESSID value with the one from the debug.log.
After we refresh the page, we should be logged in and see the flag.
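The log format is simple, so the fix hinted at in the page source (keep session cookies out of the debug log, or at least scrub them) is easy to automate. As an added example that is not part of the original writeup, this Python script parses entries in the format shown above, flags any that still expose a PHPSESSID, and writes the log back with cookie values masked; the sample log, its addresses and its second session id are constructed for the example.

```python
import re

# Constructed sample in the challenge's debug.log format (addresses and the second session id are made up).
SAMPLE_LOG = """Timestamp: 1584680782
X-Forwarded-For: 203.0.113.10
Cookie: PHPSESSID=4a95c7eedff98581d964f7a8f74da9e5

Timestamp: 1584680999
X-Forwarded-For: 203.0.113.11
Cookie: PHPSESSID=0123456789abcdef0123456789abcdef; theme=dark
"""

# Headers whose values are credentials and never belong in a debug log.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization"}
PHPSESSID_RE = re.compile(r"PHPSESSID=[0-9a-f]{32}")

def parse_entries(text):
    """Split the blank-line separated log into a list of header -> value dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry[name.strip()] = value.strip()
        entries.append(entry)
    return entries

def redact_entry(entry):
    """Mask credential headers; cookie names are kept so the log stays useful for debugging."""
    clean = {}
    for name, value in entry.items():
        if name.lower() == "cookie":
            names = [c.strip().split("=", 1)[0] for c in value.split(";")]
            value = "; ".join(f"{n}=<redacted>" for n in names)
        elif name.lower() in SENSITIVE_HEADERS:
            value = "<redacted>"
        clean[name] = value
    return clean

def find_leaked_sessions(entries):
    """Audit check: timestamps of entries that still expose a full PHPSESSID value."""
    return [int(e["Timestamp"]) for e in entries
            if PHPSESSID_RE.search(e.get("Cookie", ""))]

def sanitize_log(text):
    """Return the log with every entry redacted, in the same format, ready to be written back."""
    return "\n\n".join("\n".join(f"{k}: {v}" for k, v in redact_entry(e).items())
                       for e in parse_entries(text)) + "\n"
```

Running find_leaked_sessions over the live log is the detection side: any hit means a usable session is sitting in a world-readable file, which is exactly what this challenge exploits.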
Conclusion
This is a very cool exercise and a serious vulnerability. At the end of last year, someone was able to hijack the session of a HackerOne employee and gained access to all private programs and bug reports.