
CyberTalents | Hashable

Writeup of a medium-rated Web Exploitation challenge from CyberTalents.


Hashable is a Web Exploitation challenge from CyberTalents that revolves around exploiting a code injection vulnerability to achieve remote code execution on the server and, eventually, retrieve the flag.

Challenge Name

Hashable Challenge


Challenge Description


  • A famous enterprise blog was hacked, can you figure out how it was hacked?

Write-Up


Navigating to the provided URL, you will be presented with the following web page:

Main page /


  • There is a contact page where a user can enter a name, an email address and the message they want to send.

/contact.php


  • There are some posts under /post.php. Each post is identified by an ID:

/post.php


SQL Injection - Failed:

At first, I injected the classic ' into the id parameter (http://cybertalentslabs.com/post.php?id=1') to see if I could trigger an error, and it was the case:

Testing SQL Injection


I tried to manually exploit this SQL Injection vulnerability but failed. I then decided to test it with SQLmap, but unfortunately I got nothing. It’s most likely a rabbit hole or something like this.

Code Injection in /contact.php:

In /contact.php, you can enter a name, an email address and a message you want to send to the administrators.
The first thing I tried was injecting the classic XSS payload <script>alert('XSS')</script> into the Name and Message fields, but nothing popped up. After that, I injected the same payload prepended with " to escape a double quote if there was one, and I got an interesting error message from the server:

Testing XSS
  • The error message indicates that there is a syntax error inside an eval() call.
eval() - Security Risk

The eval() function dynamically evaluates and executes a string as PHP code at runtime.
For example:

$info = 'phpinfo();';
eval($info);

  • Running this code results in the execution of phpinfo().

Since eval() allows the execution of arbitrary code, it is a security risk whenever the string it evaluates is built from input that is not properly validated.
If user input is passed directly into eval(), it leads to a code injection vulnerability.

phpinfo():

First of all, I injected the payload "phpinfo(); into the Message field and got the following error message:

Injecting "phpinfo();
  • This syntax error indicates that a closing parenthesis ) is expected at the position where phpinfo() was placed.

To get around this error message, I injected the payload ")phpinfo();, which places the closing parenthesis ) before phpinfo():

Injecting ")phpinfo();
  • As you can see, we managed to get around the first error, but there is another one to deal with.

At this point, I’m assuming that, in the backend, there is a function inside eval() that handles the user input. In other words, in order for phpinfo() to be executed by eval(), we need to break out of that function call and then place our injected PHP code (phpinfo();), separated by a semicolon ;, so as to get something like this:

eval('randomfunction(); phpinfo();');
  • Here, eval() executes the function as well as phpinfo().

For example, if the eval() call is built like this:

eval('randomfunction("' . $_POST['name'] . '", "' . $_POST['email'] . '", "' . $_POST['message'] . '");');

Then, we need to inject something like this into the Message field:

"); phpinfo(); //

so that the code evaluated by eval() becomes:

randomfunction("<value of name>", "<value of email>", ""); phpinfo(); //");
  • In this case, eval() executes randomfunction() with the first two parameters ($_POST['name'] and $_POST['email']) and an empty string in place of the third parameter $_POST['message']. After that, eval() executes phpinfo();, while the // comments out the remainder of the original call, so the leftover ") no longer causes a syntax error.
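As an added example (not the challenge's source, which the write-up never shows), here is the vulnerable shape inferred above beside a contact handler that never turns form input into code; store_message, handle_contact_vulnerable and handle_contact_fixed are hypothetical names.

```php
<?php
// Added example, not the challenge's source: the vulnerable shape the
// write-up infers from the error messages, next to a handler that never
// turns form input into code. All function names are hypothetical.

function store_message(string $name, string $email, string $message): void {
    // Stands in for whatever the real backend does with a submission.
    echo "stored message from $name <$email>: $message", PHP_EOL;
}

// VULNERABLE: the three fields are spliced into a string of PHP code. A
// double quote in any field terminates the string literal, so everything
// after it is parsed and executed as PHP (the ") ... // shape above).
function handle_contact_vulnerable(array $post): void {
    $code = 'store_message("' . $post['name'] . '", "'
          . $post['email'] . '", "' . $post['message'] . '");';
    eval($code);
}

// FIXED: call the function directly. Quotes, parentheses and semicolons in
// a field are just characters inside a string and never reach the parser.
function handle_contact_fixed(array $post): void {
    $name    = trim((string)($post['name'] ?? ''));
    $email   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $message = trim((string)($post['message'] ?? ''));
    if ($name === '' || $email === false || $message === '') {
        throw new InvalidArgumentException('invalid contact form submission');
    }
    store_message($name, $email, $message);
}

// Constructed submission whose Message field has the ") ... // shape.
$constructed = [
    'name'    => 'alice',
    'email'   => 'alice@example.com',
    'message' => '"); echo "injected code ran"; //',
];

// With the fixed handler the injected text is stored verbatim; nothing runs.
handle_contact_fixed($constructed);
```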

phpinfo()


Flag:

After confirming the existence of the code injection vulnerability, we can execute OS commands on the server through eval() using the system() function:

  • Executing id via the PAYLOAD: "); system('id'); //

Executing 'id'


  • Executing ls via the PAYLOAD: "); system('ls'); //

Executing 'ls'


  • Reading the content of flag_23894ABCX1.txt via the PAYLOAD: "); system('cat flag_23894ABCX1.txt'); //

Flag
This post is licensed under CC BY 4.0 by the author.