Sunday, February 2, 2020

SANS Holiday Hack 2019 - Objective 9 : Retrieve Scraps of Paper

Objective 9:  Retrieve Scraps of Paper


After winning the Frido Sleigh Contest for Krampus, he gives permission to hack his server.  He scanned the scraps of paper but forgot his login creds, so our job is to retrieve the scraps of paper.  This is the site that we're targeting: https://studentportal.elfu.org/.  Pepper Minstix gives the hints for this challenge.  She is in the dorm.  You should have completed the last Objective, so simply take the Steam Tunnels to the Dorm for the hints.  Here are the hint links:  https://www.owasp.org/index.php/SQL_Injection and https://pen-testing.sans.org/blog/2017/10/13/sqlmap-tamper-scripts-for-the-win
First, get an idea of how the site works.  It helps to use the site normally and see what happens. While you’re reviewing the site, look at how it functions in your browser's developer tools and set up a proxy like Burp to intercept the traffic and look at it. Are there any ways you can exploit it?  Pepper Minstix mentions SQLi, so maybe that's a good place to start.

Web Application Components

Full disclosure:  I don't completely understand how the following PHP programs work, but I knew enough about them to be able to exploit them: the parameters to test, how they are submitted (POST or GET request), and that a token preventing CSRF is in use.

apply.php
Area for a student to submit an application to ElfU.
Contains a hidden form element "token" preventing CSRF, which also blocks automated SQL injection testing with SQLMap.
POST request
parameters: name, elfmail, program, whyme, essay, token, status


received-application.php
Displayed after a student application is filed on apply.php.
Displays whether or not an application was received (status).
Also displays an error if a field from apply.php is vulnerable to SQLi.
Has a hidden token to prevent CSRF, which also blocks SQL injection testing with SQLMap.
POST request
parameters: name, elfmail, program, whyme, essay, token, status


check.php
Checks the status of an application using the e-mail used for the application.
Contains a hidden form element to prevent CSRF, which also blocks SQL injection testing with SQLMap.
POST request
parameters: elfmail, token


application-check.php
Displays the status of an application using the e-mail used for the application.
Contains a hidden form element to prevent CSRF, which also blocks SQL injection testing with SQLMap.
GET request
parameters: elfmail, token

validator.php
All it does is send back a token in the response.  The token in the request is then replaced with this token before processing the request.
GET request

How do we find where the web application is vulnerable to SQLi?  Try putting a ' in each field on the Student application page.  When you submit the application in apply.php, the token contained in the HTML of the apply page is exchanged for a new one by the validator.php script.  Then the request is sent with the new token to received-application.php.  The received-application.php script inserts the values that were sent to apply.php into the database, validates that everything was added appropriately, and displays whether the application was processed.  If the syntax was invalid, like when we added 's to the fields, it displays an error that gives away the database structure.  Even if the fields are vulnerable, not all SQLi vulnerabilities are exploitable; it depends on how the application is structured.  From this error, we learn that the table name is applications, and the fields are name, elfmail, program, phone, whyme, essay, and status.  From trial and error, you will find that pretty much every field is vulnerable, but how is it exploited?
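To make the error-message behaviour concrete, here is an added Python/sqlite3 model of the two ways a status lookup like application-check.php's can be written.  It is not code from the original post or from the ElfU portal (whose PHP I never saw); the table and column names are the ones the error message above revealed, while the single row, the function names and the use of sqlite3 in place of the portal's real database are my assumptions.  The first function splices the e-mail into the SQL text and echoes the driver's error, which is exactly what lets a stray quote map out the schema and a tautology slip past the lookup; the second binds it as a parameter, so the same input is just a string that matches nothing.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the portal's applications table.
    Column names come from the error message quoted on the page; the row is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applications (name TEXT, elfmail TEXT, program TEXT, "
        "phone TEXT, whyme TEXT, essay TEXT, status TEXT)"
    )
    conn.execute(
        "INSERT INTO applications VALUES ('Elmo', 'elmo@elfu.org', 'CS', "
        "'555-0100', 'because', 'essay text', 'pending')"
    )
    conn.commit()
    return conn


def vulnerable_lookup(elfmail):
    """Anti-pattern: the e-mail is concatenated into the SQL text and the
    driver's error (including the failing statement) is echoed to the client.
    A single quote breaks the statement and the error leaks table and column
    names; a quoted tautology turns the WHERE clause into 'always true'."""
    conn = make_db()
    sql = "SELECT status FROM applications WHERE elfmail = '" + elfmail + "'"
    try:
        row = conn.execute(sql).fetchone()
        return {"ok": True, "status": row[0] if row else "not found"}
    except sqlite3.Error as exc:
        # Echoing the raw error and statement is what turns a bug into an oracle.
        return {"ok": False, "error": f"{exc} in: {sql}"}
    finally:
        conn.close()


def safe_lookup(elfmail):
    """Fix: a parameterised query.  The quote is data, never syntax, and any
    database error is reported generically instead of being echoed back."""
    conn = make_db()
    try:
        row = conn.execute(
            "SELECT status FROM applications WHERE elfmail = ?", (elfmail,)
        ).fetchone()
        return {"ok": True, "status": row[0] if row else "not found"}
    except sqlite3.Error:
        return {"ok": False, "error": "lookup failed"}
    finally:
        conn.close()


if __name__ == "__main__":
    # The three inputs below are the page's own probing idea (a quote) plus a
    # legitimate address and a classic tautology, for side-by-side comparison.
    for probe in ["elmo@elfu.org", "x'", "' OR '1'='1"]:
        print(repr(probe), "->", vulnerable_lookup(probe), "|", safe_lookup(probe))
```

The point of keeping both functions side by side is that the fix is not "filter quotes": the parameterised version never needs to know what the input contains, and returning a generic error closes the schema-disclosure channel the writeup relied on.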



We could manually test for SQL injection, but it can take a very long time to test every form of SQL injection, especially if the injection is, like Pepper Minstix says, a blind SQLi.

There's a Linux CLI tool called SQLMap that can be very useful for testing for SQL injection.  Unfortunately, that token keeps us from testing, because the application keeps returning "invalid or expired token" when we test any of the pages.

SQLMap has a --csrf-token option that reads the hidden token from the HTML of each page of the website, but even that doesn't work, because this application doesn't use the token straight from the page.  It processes it with the validator.php script.  A workaround is to create a custom tamper script that grabs the token, sends it to validator.php, grabs the new token from the validator.php response, replaces the original token in the request, and forwards the request to the rest of the application.

Another method is to configure Burp to grab the token, send it to validator.php, send the new token with the request, and proxy the traffic through Burp.  I took the Practical Burp Advanced Tactics training at DerbyCon.  Here's the link to the training:  https://www.lanmaster53.com/training/#pbat.  That course covers this technique as well as other less-known techniques.  I remembered from this training that I could replace the token, but not exactly how.  A colleague sent me this link:  https://www.gracefulsecurity.com/burp-suite-vs-csrf-tokens/.  From that link, I found this:  https://www.gracefulsecurity.com/burp-suite-vs-csrf-tokens-round-two/.  However, I chose to create a macro instead of writing an extension.  I'm not noting how to configure Burp in this section; there are plenty of tutorials for that.  I may post a how-to on my blog later on.

Set up Burp and configure your browser to use it as a proxy.  We've found that the apply.php part of the site might have SQL injection potential, but it may not be as easy to exploit as other areas of the site.  This is very important: browse and peruse as much of the site as you can before this next part, and test the other areas of the site for injection.

Unfortunately, as I said, the token gets in the way, so I'll show you how to configure Burp to handle the CSRF token.  First, click on the "Project Options" tab, then click on the "Sessions" tab.  Under "Session Handling Rules", click Add.  I already have the rule added as CSRF, so I'll click Edit to show you how I created it.



You should see a "Session Handling Rule Editor"; mine is already populated, yours will be blank.  Type in a Rule Description like "CSRF Bypass".  Next, click on the Add button under "Rule Actions".  You'll see another popup titled "Session Handling Action Editor - <whatever description you chose>".  Under "Select Macro", click Add.  This lets us create a macro that tells Burp how to handle the CSRF token.



You'll see a popup titled "Macro Recorder".  In your traffic, choose the request to https://studentportal.elfu.org/validator.php.  Click on the Response tab, then click OK.



You'll see a popup titled "Macro Editor".  Give the macro a description like CSRF Bypass.  Click on "Configure Item".  You'll see another popup titled "Configure Macro Item".  Under "Custom parameter locations in response", click the Add button on the right-hand side.


You'll see a popup titled "Define Custom Parameter".  Type the word "token" as the parameter name.  Define "Start after expression" as \r\n\r\n (the blank line that separates the HTTP headers from the body, so the match starts at the token itself) and "End at delimiter" as $.  Click OK, click OK again, and click OK again.  You should be back at the "Session Handling Action Editor" page.  Check the "Update only the following parameters" radio button and type "token" in the text box like pictured below.  Click OK.



You should now be back at the "Session Handling Rule Editor".  Click on the Scope tab.  For less trouble later, make absolutely certain that Repeater, Intruder, Target and Proxy are checked in the Tools Scope.  Under URL Scope, check the "Use custom scope" radio button and click the Add button.  Add https://studentportal.elfu.org to the include-in-scope list.  Click OK.  You should now see the new rule in the "Session Handling Rules" list.


Test the new session handling rule to see if it works.  Choose one of the requests to a page on studentportal.elfu.org that you'd like to test, in either the Target > Site Map or Proxy > HTTP History tabs.  Just a tip: the newer requests are easier to find in Proxy > HTTP History, and sometimes the newer ones are necessary because sessions time out.  Right-click on the request and send it to Repeater.  Make the token empty like pictured below and click Go.


The request you just sent will show a token.  Check the response.  Note that the response shows the injection attempt reached the database: you'll see a syntax error with this request because the injected syntax is invalid.  Before we created the Session Handling Rule, it would have shown an invalid or expired token message.



Now we have to set up SQLMap.  Thankfully it's a lot easier; in this case, it's just a command.  The --proxy=http://127.0.0.1:8080 option tells it to use Burp as a proxy.  After trial and error, running the following command and only changing the pages I was testing and the parameters, the application-check.php page ended up being vulnerable to blind SQL injection.  Keep in mind that the token value in this command doesn't matter, because Burp replaces it anyway using the Session Handling Rule we made.

sqlmap --proxy=http://127.0.0.1:8080 -u "https://studentportal.elfu.org/application-check.php?elfmail=thegreatandpowerfulelmo@youwillfear.me&token=bygollyIgotit" -p elfmail --dbs

 

Now we dump all the things, right?  No. Blind SQL Injection takes a while and if we dump too much, we might be noticed.  You don't always want to be noticed in an engagement.  Also, if you dump a lot of information, you're responsible for that information.  For example, say you dump 50000 credit card numbers - now certain laws protecting that information might apply to you.  As a pen tester, you don't want to have that kind of responsibility because it adds risk.  If it gets out that you dumped an entire database, does that show you as being trustworthy?  Not so much.

Showing the database names reveals two databases.  Out of the two, we should probably poke around in elfu.



I asked it to enumerate the tables in the elfu database. 

sqlmap --proxy=http://127.0.0.1:8080 -u "https://studentportal.elfu.org/application-check.php?elfmail=thegreatandpowerfulelmo@youwillfear.me&token=bygollyIgotit" -p elfmail -D elfu --tables



One table is krampus.  Gut says I should look there.  

sqlmap --proxy=http://127.0.0.1:8080 -u "https://studentportal.elfu.org/application-check.php?elfmail=thegreatandpowerfulelmo@youwillfear.me&token=bygollyIgotit" -p elfmail -D elfu -T krampus --dump



Navigating to studentportal.elfu.org with each path from the krampus table dump on the last page reveals a scrap of paper.

You can use image editing software to put the scraps together, but we just went analog, i.e., printed them out, cut them, and taped them back together.  My daughter had a grand time helping.  The answer for this objective is Sled-O-Matic.
