ctf, HB 2015, Uncategorized, Web Attacks

The HackBattle this year was themed ROTT (“Rampage of the Trolls”). The infrastructure is courtesy of Azanuru Technologies. It was announced on various social media platforms for people to participate in over a period of 4 weeks, and it tested a number of key skills. The main aim was to help people understand how to develop a mindset against an adversary that is just as capable and is “excessively easy” to attack. In all seriousness, this is the easiest HackBattle 😀

Figure: Hacking Begin (May the force be with you)

The main trick, though, was figuring out that this was modelled on the Hacking Team story that made headlines this year. This was the key thing to identify in order to come up with a proper threat model.

So on to the challenge.

Finding Information

Welcome Oh Yee Visitor, haveth yee eyes?

Landing on the site there is quite a wealth of information, like the fact that the content is copied. Checking where this content was copied from gives us an idea of the scenario we are dealing with, so we look under the hood and see another IP listening: “scope increased”. We also notice that this IP is on the offensive, running BeEF on the default URL, which most probably means the credentials are default too:

username: beef

password: beef

Also, seeing where the content was copied from and how Pozzi was 0wned, we get the idea that we could use this to trap the “hacker” on the other end using browser attacks, and a tool has just been handed to us for free to do it. Let’s put this in our card box.

Figure: Copied (plagiarised) content

Figure: Trapdoor or opportunity?

Figure: BeEF default authentication (BeEF ’em, please)

Well as tradition has it we get to see the robots.txt too.

Lesson 1: “I shall open my eyes, I shall not fail to view anything, I shall be OBSERVANT”

What’s in an engine?

If you are a curious mind and love to see what people have, it is worth noting that browsers render content differently. In this case Chrome (Blink/WebKit) is idiot-proof, as it checks the MIME type before rendering regardless of the extension; Firefox (Gecko), well, let’s just say it loves extensions. As for the Trident engine, let’s not go there.

Figure: Gecko vs Blink (WebKit) intelligence

It’s not just about literal versus contextual browsers: notice the folders. These tell us that there are hidden folders, if at all, so attack number 2 is directory fuzzing to find the pots of gold. Card 2 in hand.

Lesson 2: “Thou shall learn to understand different browser engines”

Thou shalt remember Lesson 1 (Hint 1)

Hints were given to make the work easy, and 2 major ones came through that people didn’t notice. A day after HB was released the first hint came in: a tool that did not break the bounds of the protection set on the server, now that we have identified that:

  • We are dealing with tech savvy people – they have a hooking instance running, they know some of their stuff.
  • Tech savvy people make mistakes: “Hack the Hackers” – default configuration on the hooks.

Figure: Hint 1 – fuzzing tool given based on lesson 2

Bursting Doors

So for those who missed the give-web-head hint, Dirbuster would probably be the way to go based on what you saw in robots.txt. But again these are tech savvy people, so what’s the catch? On its default settings it seems that it doesn’t get far. So let’s make it human by changing the User-Agent to look like a legitimate browser or something else, and reduce the threads to 1, just like a regular user.

Figure: Dirbuster on default scan settings

Figure: Change the Dirbuster User-Agent to make it less identifiable

Figure: Reduce Dirbuster threads

Figure: Make Dirbuster human on 1 thread

Notice that the number of 403’s is annoying; well, that is another fuzzing gotcha, and this is why hint 1 was awesome: you can modify it not to show 403’s to avoid the information overload. Otherwise this works if you just focus on the 200’s and redirects only too. Again, there is no true marking scheme for this, but then, **drumroll**, lesson below:

Figure: Modify the script to ignore 403’s

Lesson 3: “Thou Shall be patient in Fuzzing”

The web loves getting HEAD

For those who don’t burst doors but love giving the web HEAD, well, need more be said? This is easier by far.

Figure: Using Give Web Head

Figure: Give Web Head results
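The two enumeration styles above (Dirbuster with a browser-like User-Agent on one thread, and HEAD-only probing) are exactly what a defender on the other side of this box wants to notice in the access log. The script below is an added example, not part of the write-up or of any of the tools it mentions: it parses Apache combined-format log lines and flags a client on a tool User-Agent, a burst of requests, a high 403/404 ratio spread over many distinct paths, or HEAD-only traffic. The log lines, IP addresses and the marker strings in TOOL_UA_MARKERS are constructed for the example (the assumption that Dirbuster's default User-Agent starts with "DirBuster" is mine); the point it makes is that changing the User-Agent and slowing down defeats only the first check, not the error-ratio and HEAD-only ones.

```python
"""Flag directory-fuzzing and HEAD-enumeration clients in Apache combined logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Substrings of default tool User-Agents (assumption: "DirBuster" is the prefix of Dirbuster's default UA).
TOOL_UA_MARKERS = ("DirBuster", "dirb", "gobuster")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def flag_clients(lines, min_requests=15, error_ratio=0.6, min_distinct=10, burst_seconds=5):
    """Aggregate per client IP and return {ip: [reasons]} for clients that look like scanners."""
    stats = defaultdict(lambda: {"n": 0, "err": 0, "head": 0, "paths": set(),
                                 "uas": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["n"] += 1
        s["err"] += int(rec["status"] in (403, 404))
        s["head"] += int(rec["method"] == "HEAD")
        s["paths"].add(rec["path"])
        s["uas"].add(rec["ua"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])

    flagged = {}
    for ip, s in stats.items():
        reasons = []
        # Check 1: the tool announces itself. Defeated by the User-Agent change shown in the post.
        if any(mk.lower() in ua.lower() for ua in s["uas"] for mk in TOOL_UA_MARKERS):
            reasons.append("tool user-agent")
        if s["n"] >= min_requests:
            # Check 2: mostly 403/404 across many different paths. Survives a browser UA and one thread.
            if s["err"] / s["n"] >= error_ratio and len(s["paths"]) >= min_distinct:
                reasons.append("high 403/404 ratio across many distinct paths")
            # Check 3: a real browser fetches bodies; a HEAD-only client is probing for existence.
            if s["head"] == s["n"]:
                reasons.append("HEAD-only client")
            # Check 4: request burst; the default multi-threaded Dirbuster run trips this.
            span = (s["last"] - s["first"]).total_seconds()
            if span < burst_seconds:
                reasons.append("burst: %d requests in %.1fs" % (s["n"], span))
        if reasons:
            flagged[ip] = reasons
    return flagged


# ---- constructed sample traffic (not real log data) ----
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"
DIRBUSTER_UA = "DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"
T0 = datetime(2015, 8, 10, 10, 0, 0, tzinfo=timezone.utc)


def log_line(ip, t, method, path, status, ua):
    """Build one constructed combined-format line."""
    return '%s - - [%s] "%s %s HTTP/1.1" %d 512 "-" "%s"' % (
        ip, t.strftime("%d/%b/%Y:%H:%M:%S %z"), method, path, status, ua)


def sample_log():
    lines = []
    # Default Dirbuster: 20 guesses in two seconds, all 403/404.
    for i in range(20):
        lines.append(log_line("203.0.113.5", T0 + timedelta(milliseconds=100 * i),
                              "GET", "/guess%d/" % i, 403 if i % 5 == 0 else 404, DIRBUSTER_UA))
    # "Humanised" scan: browser UA, one HEAD every 15 s, still mostly 404 over many paths.
    for i in range(20):
        lines.append(log_line("198.51.100.7", T0 + timedelta(seconds=15 * i),
                              "HEAD", "/dir%d/" % i, 200 if i in (3, 11) else 404, BROWSER_UA))
    # Ordinary visitor: a page and its assets, all 200.
    for i, p in enumerate(["/", "/css/main.css", "/js/app.js", "/img/logo.png", "/about/"]):
        lines.append(log_line("192.0.2.9", T0 + timedelta(seconds=i), "GET", p, 200, BROWSER_UA))
    return lines


if __name__ == "__main__":
    for ip, why in flag_clients(sample_log()).items():
        print(ip, "->", "; ".join(why))
```

Run as-is it flags 203.0.113.5 on all of the User-Agent, ratio and burst checks, and 198.51.100.7 on the ratio and HEAD-only checks only, while the ordinary visitor stays under the request threshold. The thresholds are deliberately simple; in production they would be tuned per site, and the ratio check should be computed over a sliding window so a slow scanner cannot hide behind a day of legitimate traffic from the same address.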

In the Next Article we look at how to use this information even better to take this baby home.
