Back

TechnologySep 12, 2012

Stripe’s Capture the Flag 2.0 – Level 6

Michael Tarantino

This article is part 7 of a 10 series blog detailing the approaches and solutions to hacking through Stripe’s 2012 CTF 2.0. To continue from the parent article, or see more hacks, please click here.

This blog entry details the approach used by Michael Tarantino in attacking the Stripe CTF 2.0 Challenge Level 7.

***

Welcome to the Level 6 breakdown! Level 6 leverages an exploit from Level 4, so I am going to take a brief stroll down memory lane and give you the juice on Level 4 so we are all on the same page. Let’s get started.

Level 4 described a new social networking site that revolved around giving people karma credits. Karma Trader, as it was called, allowed users to share karma with each other, with a slight catch that, when User A transfers karma credits to User B, User B can then see User A’s password. The objective of the level was to get the password of a user named KarmaFountain, a user with unlimited karma credits to share. The attack that eventually yielded success was to inject a bit of Javascript as my password, then send karma to KarmaFountain. Once KarmaFountain logged in [which a bot was apparently doing about once a minute], the password would be rendered and, being malicious javascript, executed. The script automatically transferred karma back to me, revealing KarmaFountain’s password and allowing me to move to the next round. For additional detail on this attack see the Level 4 post.

Enough about Level 4, let’s bring it back to Level 6. The Level 6 description briefly laments the failure of Level 4’s security, then claims to have built a much more robust social networking site than the Karma Trader [this one called Streamer], complete with new and improved security. We could just take their word for it and give up, but where’s the fun in that?

The “clues” give at the end are, in summary: A user named level07-password-holder has the password, his computer only has network access directly to the Streamer servers, and his password includes quotes and apostrophes [sort of an odd clue, huh??]

Streamer essentially allows users to post messages to each other. These messages then appear billboard-style on the main page of the app. After clicking around the app a bit, we see there is a user info page that displayed our username and password in plain text [HUGE flaw, never do this]. Clearly this will be our target. Cross-Site Scripting is fairly familiar at this point, so I will spare everyone the details of walking through an XSS attack again [see the Level 4 post for a brief description, or the wiki article for much more available here]

Now that we’ve identified the type of attack, lets get down to business and start slinging some code. Analyzing the code, we see that our posts are sanitized in a very specific way in this level, more specifically that quotes and apostrophes are removed. This is going to make injecting any sort of robust javascript difficult, and will obfuscate the users password even if we can convince him to post it since we know it has these characters. However, like any job, having the proper tools makes all the different. Enter Uncle Jim’s CharCode Translator! This site [found here] allows you to enter strings and get their charCodes, which can be decoded by Javascript’s String.fromCharCode() method. This will easily slide us past the rudimentary character checking we see in the code at line 31. So, what exactly should we inject? Simple! Let’s force leve07-password-holder to post his password!

Below is the snippet you should place as your post that will then execute when level07-password-holder next views the page.

\b $.get(String.fromCharCode(117, 115, 101, 114, 95, 105, 110, 102, 111), function(data) { var td = data.split(String.fromCharCode(60, 116, 100, 62)); var td2 = td[2].split(String.fromCharCode(60, 47, 116, 100, 62)); $(String.fromCharCode(35, 99, 111, 110, 116, 101, 110, 116)).html(btoa(td2[0])); $(String.fromCharCode(35, 110, 101, 119, 95, 112, 111, 115, 116)).submit(); }); var username = String.fromCharCode(108, 101, 118, 101, 108, 48, 55, 45, 112, 97, 115, 115, 119, 111, 114, 100, 45, 104, 111, 108, 100, 101, 114); //

To quickly explain, this code will close the existing script tag in the code, then open a new script tag, and leverage the jQuery library already loaded on the page to make a very simple ajax request to “user-info”, then look for the password in the response. Then, the script creates a post containing that password [base64 encoded using Javascript’s btoa method. This post shows up in our stream just seconds later, and we’ve got our password! If you are having trouble understanding, try copying and pasting each of the String.fromCharCode calls into a Javascript console and executing them to see the text that is generated. This should hopefully clarify some things.

When you’re ready, go ahead and take that next step to Level 7. Great work!

***

These solutions are presented as a unique approach to a recent CTF hacking contest as an outreach of the Credera Security Team. All ‘hacking’ was performed in an ethical manner in accordance with Credera’s Core Values. For further information on Credera’s offerings in ethical hacking, security, compliance, and OWASP preparedness please contact us at securityteam@credera.com

Have a Question?

Please complete the Captcha