Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Schoolproject Hacking Challenge


Awaces's Avatar
Member
0 0

I'm a 22 year old student who lives in belgium and i'm educating cybercrime.

For a schoolproject we are divided in groups of 3-4 persons. We all got a small space on a server where we can set up a platform.

The goal is to secure your platform and hack the other groups.

So far so good i've got 1 group in my scope where I might be able to get through.

It's a guestbook with a firewall behind it.

Here is a small list of what's blocked by the firewall :

  • onerror, onload, onunload, onabort, onclick, onmousover, onmouseout, onkeydown, onchange, …
  • < script>
  • on' & 'load
  • on' ++ 'error
  • data:text/html
  • ….

There are some possible leaks i've found to get through :

  • I'm unable to use the &lt;img src=&quot;&quot;&gt; but &lt;img id = &quot;x&quot; src=&quot;&quot;&gt; works and bypasses the firewall here.

  • I'm also able to post a simple video that runs from the moment I open the page, maybe this will be the thing i'll have to focus on. * i'm able to use tis : <video autoplay><source id="x" src="myvideo.vid"></video>

  • I'm able to use the <a href … > tag and let it execute javascript but it needs an action to be executed. * <a id="bb" href="javaSCRIPT&colon;alert(1)">clicks</a> This works, but I have to click on the button before it executes.

It would be nice if I could implement my <a … > code into the <video> or <img> tag.

Anyone has an idea ?

Thx in advance


Huitzilopochtli's Avatar
....
10 9

A guestbook is a pretty limited attack vector man, unless you find an RFI or LFI, you're probably only gonna be able to steal cookies at best.

Best find out what else they are running on their 'space', port scan them and look at what services they have running, find out if they have WordPress or Joomla etc installed and check for known published vulnerabilities for that version.

Xss is pretty limited to defacement, unless you can chain it with other things like csrf's and the like, but maybe an xss is enough to satisfy the conditions of whatever it is you're supposed to be doing.

Give us more details.


rex_mundi's Avatar
☆ Lucifer ☆
3,050 12

It's more likely a filter than a firewall, try encoding the things that are black listed, and see if any make it through.


Awaces's Avatar
Member
0 0

rex_mundi wrote: It's more likely a filter than a firewall, try encoding the things that are black listed, and see if any make it through. Huitzilopochtli wrote: A guestbook is a pretty limited attack vector man, unless you find an RFI or LFI, you're probably only gonna be able to steal cookies at best.

Best find out what else they are running on their 'space', port scan them and look at what services they have running, find out if they have WordPress or Joomla etc installed and check for known published vulnerabilities for that version.

Xss is pretty limited to defacement, unless you can chain it with other things like csrf's and the like, but maybe an xss is enough to satisfy the conditions of whatever it is you're supposed to be doing.

Give us more details.

The only thing he's running is he's firewall.. Just because he wants to find all vulnerabilities in hes program and fix it through this way.

This is the firewall we're talking about : https://www.aqtronix.com/?PageID=99

and these are 2 posibilities how people went in before : <video controls> <source on' ++ 'error="window.location.href=''dat' ++ 'a:text' ++ '/html, <htm' ++ 'l><h2>Bypassed by Dieter AGAIN?!</h2></ht' ++ 'ml></htm' ++ 'l>''"> </video>

<body on' & 'load="window.location.href=''data:text/html, <html><h2>Bypassed by Dieter</h2></html></html>''" />' & '

I thought using on &apostrof; &plus; &apostrof; error could work but it seems like it doesn't do the same like on' + 'error


rex_mundi's Avatar
☆ Lucifer ☆
3,050 12

Looks like you need to break up the filtered words with '++', in order to bypass the blacklists rules, and chain the resulting filtered injection back together at the end, and it'll run.

And he can't ONLY be running a firewall and guestbook, there's obviously a web server and an operating system you can attack.

http://www.securityweek.com/web-application-firewalls-tested-against-xss-attacks

You seem to be concentrating on trying to exploit a downloadable firewall, and I don't really get how that fits into an attack/defence of a 'space' scenario, as really the only lesson to be learned there, is that someone on the other team made a bad choice of picking a free firewall.


Awaces's Avatar
Member
0 0

Since somebody already got in through concatting with ++ thats also disabled for use. The owner of the group is my lector and the maker of the firewall. By this way he wants to make hes firewall more secure.


Huitzilopochtli's Avatar
....
10 9

lol no need for a bug bounty program, when you can have your students pentest your work under the guise of learning for free.

Smoothe.


Awaces's Avatar
Member
0 0

Huitzilopochtli wrote: lol no need for a bug bounty program, when you can have your students pentest your work under the guise of learning for free.

Smoothe. Lol jup indeed, that's exactly what's he's doing. and tbh, it's kinda smart :P

I made some attempts and he mailed me that i'm pretty close to the solution… Sadyl enough I have no clue how to fix the job.

Dear student,

I think you're almost there, try to work further with the attempt you did here : <a id="bb" sty&#x6c;e="javaSCRIPT&colon;prompt("Hacked")">clicks</a>

Find a way using the style attribute to get in.

But I thought implementing javascript wasn't posible anymore through the 'style' tag?

Nvm He thought u could still implement javascript inside a 'style' parameter