Last time we organized a CTF based on a web application vulnerability, i.e. SSRF / XSPA. For those who are new to SSRF, please go through this slide deck: http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities

Just for the record, the next G4H Ranchoddas Webcast is on Mobile Applications, and registration is open.

You can find the CTF source code here: https://github.com/sandeepl337/Garage4hackers-March-2015-CTF-SSRF-XSPA

On the CTF server we ran two applications: an internal application on port 80 and an external application. The mission of the CTF was to find the flag in a PHP file. The vulnerable external application fetches any URL the user supplies and extracts the title of that website.
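An added example (not the CTF's own source) sketching a title extractor shaped like the one described above, first in the vulnerable form and then hardened; function names are hypothetical and only standard PHP functions are used.

```php
<?php
// Added example, not the CTF's own source: a title extractor like the one
// described above, in vulnerable and hardened forms. Names are hypothetical.

// Vulnerable: the user-controlled "url" parameter goes straight into
// file_get_contents(), which accepts local paths and file:// as well as http://,
// so a caller can read index.php or reach services bound to 127.0.0.1. Echoing
// the raw body when no <title> is found is what leaks the file contents.
function extractTitleVulnerable(string $url): string {
    $body = file_get_contents($url);
    if (preg_match('/<title>(.*?)<\/title>/is', $body, $m)) {
        return trim($m[1]);
    }
    return $body;
}

// Hardened: only http/https, no embedded credentials, and every address the
// host resolves to must be public (loopback, RFC 1918, link-local and reserved
// ranges are rejected). gethostbynamel() is IPv4-only; AAAA records would need
// dns_get_record() with the same per-address check.
function isPublicHttpUrl(string $url): bool {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) return false;
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return false;
    if (isset($p['user']) || isset($p['pass'])) return false;
    $ips = filter_var($p['host'], FILTER_VALIDATE_IP) ? [$p['host']] : gethostbynamel($p['host']);
    if (!$ips) return false;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) return false;
    }
    return true;
}

// Redirects are followed by hand so each hop is re-validated (with a hop limit),
// and the body is never echoed back: no title means a fixed message.
function extractTitleHardened(string $url, int $hops = 0): string {
    if ($hops > 3 || !isPublicHttpUrl($url)) return 'URL not allowed';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = (string) curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
    curl_close($ch);
    if ($code >= 300 && $code < 400 && $next) return extractTitleHardened($next, $hops + 1);
    return preg_match('/<title>(.*?)<\/title>/is', $body, $m) ? trim($m[1]) : 'No title found';
}
```

One remaining gap: curl resolves the hostname a second time, so a DNS answer that changes between the check and the fetch (rebinding) could still reach an internal address; pinning the validated IP with CURLOPT_RESOLVE closes that window.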

The following write-up is from Hai Au Huynh:

—— START ——

First, putting “foobar” into the url parameter, we got “Caught exception: _(asfsafindex.php): failed to open stream: No such file or directory” => the application parses our input as a file and reads it.

So it’s clear that the next step is to read the source code of the application; we put “index.php” into the url parameter and get the index.php source code.

The code is going to do something like this:

include('include/extractTitleLogic.php');

Get the contents of the url parameter input; if it has a title tag, print out the title, if not, print out the contents of the input. With the include/extractTitleLogic.php disclosure, we try to read the contents of include/extractTitleLogic.php, but it contains the title tag, so we cannot read it. But fortunately, include/index.php does not, so we can read it out.

In the source code of include/index.php, we get:

// “The feeling that conversations and any data (whiteboard included) are encrypted without having to mess around with complicated options and setup is a massive plus. It’s very very easy to use.” – zorgalicious
//
// You Found key! w00t!!
// Decrypt Blowfish following code and send CTF Flag to following email
// 49FE06DB9909C6FC6AE11D44F12CD3 9F659690A388F660A13709CDFA7F06 A0E9343E9058EADB9A4CE9AE4F2BC2 585768

The first quote seems to make a lot of sense, so we try to search for it, and it leads to this: http://www.bitwiseim.com/features.php?f=Encryption&Presentation=Mac

So at this time, it’s very clear that we can decrypt the Blowfish message at that site, and get the flag: Garage4Hacker Private Key:

0x33331337



—— END ——
