Google CTF — Web challenge — BNV Walkthrough

Pranava K.V
May 10, 2020

Solving the Google CTF challenge with just the Browser’s developer tools

Background:

The BNV challenge from Google CTF 2019 is the very first CTF challenge I ever tried, after having a fair amount of experience in information security. This challenge mattered to me, as it was my first hands-on experience.

After looking around for a CTF to start with, the obvious choice for a newcomer was Google CTF. The event had concluded, but the challenges were still available for anybody to solve.

The site opens on the web-based challenges by default, and BNV was right in front of me. I saw that the challenge had 76 solves during the event, the highest in the whole web category.

I said to myself, “I have to do it. It seems kinda easy.”

I opened the BNV challenge page: a strange-looking site for a blind association. The moment I saw the Braille script, I thought it could be a hint.

It wasn’t a hint at all; it was just the association’s name in Braille.

Then I opened the Firefox developer tools (Inspect Element) and started going through the JavaScript behind the submit button. I also sent a request and analyzed it in the Network panel of the developer tools.

Only one request was sent each time I chose a location and clicked submit: an HTTP POST carrying a weird number associated with the chosen location. The number is generated by the JavaScript in the browser, and it was static for a given word. At first I thought the numbers were combined with a seed to keep the requests random, but they are just plain Braille code (yes, Braille again).

So now I had a JSON HTTP POST to the web server, whose response carries the data displayed on the page. I thought there would be a way to sneak in. I tried SQL injection to check whether the web application was vulnerable to it, but found nothing.

Reading up online on web attacks, I found that there are other ways to attack a JSON web application: XXE attacks on the JSON endpoint.

Some JSON web applications also parse XML requests, which can expose them to XXE attacks when the XML parser processes DTDs and resolves entities.

Does the Web application parse XML requests?

First attempt: I took a previous JSON request, replaced its body with XML content and changed the Content-Type header from application/json to application/xml.

Most important: remove the Content-Length header, so that the browser recalculates the length for the new body and sends it.

Firefox developer tools: analyze, edit and resend network requests and responses

Result of the first test: there is an XML parser in the web application, and its output is returned directly to the browser. Moreover, the parser expects the XML request to contain a DTD.

First Test Response

What would be the acceptable format of XML request for the JSON endpoint?

Second test: I sent the XML with a dummy DTD. The best part so far is that the parser’s error message comes back to me in the response.

Second Test

Result of the second test: the parser expects the root tag name to be declared in the DTD.

Response of Second Test

Third test: I changed ‘foo’ in the DTD to ‘message’. I didn’t try anything clever, as I knew that XML is case sensitive.

Third Test

Result of the third test: the parser expects ‘message’ to be declared as an element in the DTD.

Third Test Response

Fourth test: I declared ‘message’ as an element rather than an entity.

Fourth Test

Result: it works! The XML request was parsed without any error, and the response brought back the data the browser needs to render the page.

Fourth Test Response

I had created a template that the XML parser accepts for my requests. Now I could use XXE methods to try to extract information stored on the web application.

Does the Web application allow Entity expansion?

Next, what I really wanted to test was whether entity expansion is supported in the web application’s requests.

Request with an Entity expansion

I waited with my fingers crossed. After sending this request I got back the same response as in the fourth test. Cool! This means it supports entity expansion.
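Each of the probes above succeeded for a reason a defender can remove: the endpoint accepted a media type it never advertised, the parser honoured DOCTYPE declarations (and with them entity expansion), and the parser’s raw error text was echoed back to the client. The Python below is an added example, not code from the challenge or from the author: a constructed request handler in that weak shape next to a hardened one. The function names, the `message` field, the logger name and the sample bodies are all assumptions made up for this illustration.

```python
import json
import logging
import xml.parsers.expat
from xml.etree import ElementTree as ET

log = logging.getLogger("xxe-demo")  # hypothetical logger name


class DtdNotAllowed(ValueError):
    """Raised when a request body carries a DOCTYPE declaration."""


def reject_dtd(body: bytes) -> None:
    """Pre-flight pass with expat that aborts as soon as a DOCTYPE appears.

    Refusing the DTD outright removes internal entity expansion as well as
    the external and parameter entities that XXE file disclosure relies on.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE for <{name}> is not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(body, True)  # raises ExpatError for malformed XML


def permissive_handler(content_type: str, body: bytes) -> dict:
    """Weak pattern mirrored from the write-up: a JSON endpoint that also
    parses XML, keeps DTD processing on, and echoes parser errors verbatim."""
    try:
        if content_type.startswith("application/xml"):
            root = ET.fromstring(body)  # accepts DOCTYPE, expands internal entities
            message = root.text or ""
        else:
            message = json.loads(body)["message"]
    except (ET.ParseError, ValueError, KeyError) as exc:
        return {"status": 400, "error": str(exc)}  # parser detail reaches the client
    return {"status": 200, "message": message}


def hardened_handler(content_type: str, body: bytes) -> dict:
    """Hardened version: parse only the declared media type, refuse any
    DOCTYPE before the real parse, and return a generic error to the client."""
    try:
        if content_type.startswith("application/json"):
            message = json.loads(body)["message"]
        elif content_type.startswith("application/xml"):
            reject_dtd(body)
            message = ET.fromstring(body).text or ""
        else:
            return {"status": 415, "error": "unsupported media type"}
    except DtdNotAllowed as exc:
        log.warning("rejected DTD in request: %s", exc)
        return {"status": 400, "error": "malformed request"}
    except (ET.ParseError, xml.parsers.expat.ExpatError, ValueError, KeyError) as exc:
        log.warning("parse failure: %s", exc)  # detail stays server-side
        return {"status": 400, "error": "malformed request"}
    return {"status": 200, "message": message}


# Constructed sample bodies (not taken from the challenge).
JSON_BODY = b'{"message": "hello"}'
PLAIN_XML = b"<message>hello</message>"
# Internal DTD with a general entity: the permissive parser expands it,
# which is the behaviour the entity-expansion probe above confirmed.
DTD_XML = (b'<!DOCTYPE message [<!ELEMENT message ANY>'
           b'<!ENTITY greet "hello">]><message>&greet;</message>')
TRUNCATED_XML = b"<message>"  # malformed: triggers a parser error


if __name__ == "__main__":
    for name, handler in (("permissive", permissive_handler), ("hardened", hardened_handler)):
        print(name, "json     ", handler("application/json", JSON_BODY))
        print(name, "plain xml", handler("application/xml", PLAIN_XML))
        print(name, "dtd xml  ", handler("application/xml", DTD_XML))
        print(name, "truncated", handler("application/xml", TRUNCATED_XML))
```

Running the block side by side shows the three differences: the permissive handler returns the expanded entity value for the DTD body and leaks the expat error text for the truncated one, while the hardened handler refuses the DTD body, answers every parse failure with the same generic message, and rejects media types it does not document. If the endpoint only ever needs JSON, the simplest hardening is to drop the XML branch altogether.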

Can the Web application make requests to another website?

I used Beeceptor to create a temporary endpoint on the internet for the web application to call.

Request payload containing a call to an endpoint accessible over the internet

From the response it was clear that the web application apparently cannot call other endpoints over the internet.

XXE file disclosure on the web application?

I tried multiple methods and XXE payloads to exfiltrate data from local files on the web application.

The response doesn’t disclose the contents of the file
The XML parser tries to parse the file contents as XML, so it throws an error

The results show that file disclosure is not possible through the conventional methods.

Can I use the parser’s error messages to reveal the contents of a file?

First, I tried file inclusion and disclosure of a non-existent file (/etc/passwd exists; /etc/psswd does not).

The parser throws an error that says nothing about whether the file exists, but the error we see for the non-existent file is completely different from the previous error.

A way to exfiltrate the data

The key to disclosing files on the web application is to load the contents of the target file into an XML entity and then use that entity as part of a file path to be loaded. This forces the parser to throw an error that exposes the file path, which now also contains the target file’s contents.

This has to be done with an entity declared in a local DTD file already present on the web application, since importing a DTD file from the internet is blocked by the web application’s restriction on outbound traffic.

These sites clearly show how to build an error-based, local-DTD XXE payload.

I made a payload:

XXE payload for extracting “/etc/passwd” file contents

Looking at the request, lines 17 and 18 are faulty, and I thought this might produce a syntax error. But the error in the response wasn’t about syntax: the result was a successful error-based, local-DTD file disclosure.

Response of the successful attack to exfiltrate data

In line 1, everything after “file:///abcxyz/” is the contents of “/etc/passwd”.

I tried accessing the “/CTF” file using this method. It was a shot in the dark.

In the end it just worked: I got the contents of the file containing the CTF flag.
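On the detection side, the request and response shapes described in the last few sections leave traces a defender can look for: an XML media type arriving at an endpoint that only ever speaks JSON, DOCTYPE and external-entity declarations in the body, and an error response whose quoted file URI is implausibly long because file contents have been pushed into the path. The Python below is an added example and not part of the write-up: a small triage pass over constructed request/response records. Every sample value is made up, and `/constructed/placeholder` stands in for any path; the field names and thresholds are assumptions chosen for the illustration.

```python
import re
from dataclasses import dataclass, field

# Markers of DTD processing and local-file access inside an XML request body.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
FILE_SCHEME_RE = re.compile(rb"\bfile:///", re.IGNORECASE)

# A parser error that quotes a file URI with an implausibly long path: the
# shape of error-based disclosure, where file contents ride inside the path.
# The 120-character threshold is an assumption; tune it to real traffic.
LEAKY_ERROR_RE = re.compile(rb"file:///[^\"'<>]{120,}")


@dataclass
class Transaction:
    """One request/response pair as a log pipeline might reconstruct it."""
    path: str
    expected_type: str        # media type the endpoint is documented to accept
    content_type: str
    request_body: bytes
    status: int
    response_body: bytes
    findings: list = field(default_factory=list)


def inspect_request(expected_type: str, content_type: str, body: bytes) -> list:
    """Flag media-type mismatches and DTD/entity markers in a request body."""
    findings = []
    if not content_type.lower().startswith(expected_type):
        findings.append(f"media type {content_type!r} on endpoint expecting {expected_type}")
    if DOCTYPE_RE.search(body):
        findings.append("DOCTYPE declaration in request body")
    if EXTERNAL_ENTITY_RE.search(body):
        findings.append("external entity declaration (SYSTEM/PUBLIC)")
    if FILE_SCHEME_RE.search(body):
        findings.append("file:/// URI in request body")
    return findings


def inspect_response(status: int, body: bytes) -> list:
    """Flag error responses whose echoed file URI is long enough to carry data."""
    findings = []
    if status >= 400 and LEAKY_ERROR_RE.search(body):
        findings.append("error response echoes a file URI with an oversized path")
    return findings


def triage(transactions):
    """Attach findings to each transaction and return only the flagged ones."""
    flagged = []
    for t in transactions:
        t.findings = inspect_request(t.expected_type, t.content_type, t.request_body)
        t.findings += inspect_response(t.status, t.response_body)
        if t.findings:
            flagged.append(t)
    return flagged


# Constructed records (not real traffic from the challenge).
BENIGN = Transaction("/api", "application/json", "application/json",
                     b'{"message": "hello"}', 200, b'{"result": "ok"}')
XML_ONLY = Transaction("/api", "application/json", "application/xml",
                       b"<message>hello</message>", 200, b'{"result": "ok"}')
SUSPICIOUS = Transaction(
    "/api", "application/json", "application/xml",
    b'<!DOCTYPE message [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
    b"<message>&ext;</message>",
    400,
    # Constructed error text: the URI path is padded with fake passwd-like lines.
    b'failed to load external entity "file:///abcxyz/' + b"user:x:1000:1000:" * 10 + b'"',
)

if __name__ == "__main__":
    for t in triage([BENIGN, XML_ONLY, SUSPICIOUS]):
        print(t.path, t.content_type, t.status)
        for f in t.findings:
            print("   -", f)
```

The request-side rules are cheap enough to run inline in a gateway or WAF; the response-side rule is more useful in after-the-fact log review, since a single 4xx carrying a very long `file:///` path is exactly what the successful disclosure above looked like. Any hit on the media-type rule alone is worth a look on a JSON-only endpoint, because it means the server is negotiating a parser the API never advertised.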

Other articles: walkthough-for-bootup-ctf

I would really appreciate your feedback and support on the content; please let me know by sharing, commenting or clapping.


Background: Graduate from IIT | Hobbies: Exploring tech, blogging, enjoying science and art | Free time activities: Watching F1, Cricket and Anime