
Technology · Sep 18, 2012

Stripe’s Capture the Flag 2.0 – Level 2

Josh Hamit

This article is part 3 of a 10-part blog series detailing the approaches and solutions used to hack through Stripe’s 2012 CTF 2.0. To continue from the parent article, or to see more hacks, please click here.

This blog entry details the approach used by Josh Hamit in attacking the Stripe CTF 2.0 Challenge Level 2.

***

Level 2 claimed to be the next Facebook. It was social networking made simple. To register, all you had to do was upload a picture. “Special” members would also receive access to the Level 3 password as an extra enticement.

“OK, I’ll bite,” I thought, so I uploaded an image. It took me to a page displaying the uploaded image as well as a link to the password. Despite what my mom used to always remind me, I wasn’t considered “special” and there were no instructions on how to become “special”.

I tried clicking the password link anyway. “403 Forbidden”, read the response. Well, I wasn’t about to waste time trying to read a file chmodded unreadable.

Still, I could inspect the link to find out where the file lived on the server. Hmmm… so how could I get the password.txt file without being “special”?

Let’s peek at the source code around the only input we have so far, the upload form.

This upload form:

```html
<form action="" method="post" enctype="multipart/form-data">
  <input type="file" name="dispic" size="40" />
  <input type="submit" value="Upload!" />
</form>
```

Posts to this PHP function:

```php
$dest_dir = "uploads/";
// Destination path is built directly from the client-supplied filename.
$dest = $dest_dir . basename($_FILES["dispic"]["name"]);
$src  = $_FILES["dispic"]["tmp_name"];
if (move_uploaded_file($src, $dest)) {
    $_SESSION["dispic_url"] = $dest;
    chmod($dest, 0644);
    echo "Successfully uploaded your display picture.";
}
```

Wow, there’s no input validation! Nothing checks the file’s type, extension or name, so whatever the client sends lands in the web-served `uploads/` directory under its original name. That almost always results in vulnerabilities, in this case an unrestricted file upload, a type of local file inclusion attack.
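For contrast, here is how the same handler looks once the missing validation is added. This is an added example written for this post, not Stripe’s CTF code; it assumes the same `dispic` form field and session variable as the original, and that the web server is separately configured not to execute scripts under the upload directory (that configuration is not shown here).

```php
<?php
// Hardened display-picture upload handler (added example, not the CTF's code).
// Assumes the same $_FILES["dispic"] field and $_SESSION["dispic_url"] as the
// original, and that the server never executes files under $dest_dir.
session_start();

function store_display_picture(array $file, string $dest_dir): ?string
{
    // Reject anything PHP itself flagged: no file, partial upload, too large.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Hard size cap that does not depend on php.ini limits.
    if ($file['size'] > 2 * 1024 * 1024) {
        return null;
    }
    // Only accept a path that really came from this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Decide the type from the bytes on disk, not from the client-supplied
    // filename or Content-Type header, and pick the extension ourselves.
    $allowed = [
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
        'image/gif'  => 'gif',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // Second opinion: the image decoder must also accept it.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Never reuse the user's filename. A random name removes path tricks,
    // double extensions, and overwrites of files already in the directory.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($dest_dir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $dest;
}

$dest = store_display_picture($_FILES['dispic'] ?? [], 'uploads/');
if ($dest === null) {
    http_response_code(400);
    echo 'Upload rejected: please submit a PNG, JPEG or GIF under 2 MB.';
} else {
    $_SESSION['dispic_url'] = $dest;
    echo 'Successfully uploaded your display picture.';
}
```

Two design points are worth noting. First, content checks such as `finfo` and `getimagesize()` are necessary but not sufficient on their own, because a file can be a valid image and still contain script text; that is why the handler also assigns its own extension and why the upload directory must be served with script execution disabled (for Apache with mod_php, `php_admin_flag engine off` in the directory’s configuration does this). Second, discarding the original filename rather than sanitising it removes a whole class of path and extension problems without needing to enumerate them.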

From here, it was all downhill. We’d write a PHP script that would print the contents of the password file.

So we wrote the one-liner below:

```php
<?php echo file_get_contents('../password.txt'); ?>
```

After uploading it, I right-clicked the broken image Google Chrome displays for bad “<img>” tags so that I could select “Open Image in New Tab” from the context menu. Only instead of navigating to an image, I was taken to our script which executed and coughed up the password.

Onward and upward to Level 3!

***

These solutions are presented as a unique approach to a recent CTF hacking contest as an outreach of the Credera Security Team. All ‘hacking’ was performed in an ethical manner in accordance with Credera’s Core Values. For further information on Credera’s offerings in ethical hacking, security, compliance, and OWASP preparedness please contact us at securityteam@credera.com