Securinets Final 2019 / Woow

Hello guys, This weekend we played Final Securinets and enjoyed almost all categories of challenges, especially web tasks.

So let me explain this task, it was like a real scenario process where we are going to chain bugs to get access to the final server application

First we have a link for the application

http://3.89.110.195.xip.io/

Here we have a simple login with another option Google authentication using email account

Since we have no idea how the login process works, we will try to use Google Email here.

Ok here we can confirm that the process works as expected, we can confirm it by checking the javascript code too.

So I tried to change the name of my profile and email to contain “admin”. The process may be weak and only check if the email or profile contains “admin”.

After a few checks, I have not managed to work around this problem.

We only have one way to do it now, bypassing Google authentication.

If we check again the javascript code used here, we can notice that the application uses two Google APIs to collect information about the user, including “email”.

https://www.googleapis.com/auth/plus.login
https://www.googleapis.com/auth/userinfo.email

What happens if we remove these two scopes from the API call, which can cause the application to get NULL data, with a weak back-end code, it can work: D

After intercepting the Google query in the login process, we can see both scopes already present!

/o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttp%2F3.89.110.195.xip.io%3Fid%3Dauth874762&
response_type=code%20permission%20id_token
&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fplus.login%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email
&openid.realm=&client_id=870207410208-5sga4in88a4ruf0k28ea59k4vhq1dpkq.apps.googleusercontent.com
&ss_domain=http%3A%2F%2F3.89.110.195.xip.io&access_type=offline&include_granted_scopes=true
&prompt=consent&origin=http%3A%2F%2F3.89.110.195.xip.io&gsiwebsdk=2

What if we can simply remove scope parameter. There’s no check in the URL to prevent us from making modifications

But removing the Google authentication scope will give us an error!

Missing required parameter: scope

And what about removing only the email scope as it is probably an email check to give admin access ?!

And yes, we get admin access :), our plan was right and we manage to bypass the Google authentication used in this application.

So here we have access to a private page that already gives us some private data, in this case a link to a private internal tool, in Bug bounty, it will be really useful and it can load to take control of the server APP.

http://3.89.110.195.xip.io/i7MbGnu2fi/?rec=XU6UIbwjqFucPPtnTBrF

So here we have Email sender tool. First, I said that he may be using a public tool and I was trying to check code in github and look for something there, but he just used the same design, but not the same code.

Basically, the tool can be used to send emails after configuring our imap server! but there was a bug on imap_open in PHP ?!

Let’s check php version

by checking page header

X-Powered-By: PHP/5.6.38

We confirm here that this application is vulnerable to the latest bug on imap CVE-2018-19935

By using this bug, we can do code execution on OS. Here is an example from the Github repository.

<?php
# CRLF (c)
# echo '1234567890'>/tmp/test0001
$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());

After a few attempts, this did not works on this application , and as iam using php7, I just created a Docker container and set up a simple vulnerable application to debug

And finally, working on my side after fixing my payloads , create file in tmp folder

` “echo ‘1234567890’>/tmp/worked” `

Then we need to create payload to get the flag.php file located in /var/www/html/flag.php probably

And yes , done :D

$flag="securinets{flaaaaaaaaaaaaaaagGg_wooooow}"; // 700 pts

This type of bug can be everywhere if the code application miss some check, in pentest world, hunters can get almost everything

Leakage of files and secret data

Or just running commands !

And finally, let’s analyze the root cause in this case

If we check the source code, we can confirm that there was a bad check !

Thanks dali for such a task :D , well done :)

Thank you for reading this write up!