Web based levels in "CTF BISMARCK" ;)

Developing a capture the flag



In this blog post, I thought to write about the development process of a couple of levels in a capture the flag box AKA CTF box. This CTF is developed to demonstrate vulnerabilities that are beyond from typical vulnerabilities such as XSS (Cross-Site Scripting), SQLi (SQL Injection) and WordPress thus these CTF challenges are contained with stuff like hash cracking, reverse engineering, request manipulation and so on. If you try to play this (web-based) levels, you need to have the previous level’s flag in order to obtain any information about the next level’s credentials such as the password to the next level and sometimes the username.

In this demonstration, there are four levels that use a web platform as the main interface for the player and these levels contain different tasks that the player needs to complete in order to reach the final level and complete the Box. The four main tasks are as follows,
  1. The first challenge is to crack a hash value. – here the player can obtain the hashed password from the source code of the web page and use a hash cracking tool (online or UNIX based) to reverse hash the hashed string and obtain the password for the next level. Username for the next level is also given in the source code. 😀 
  2. The second challenge is to reverse engineer an Android app – checking the source code will give some hints to the player. There is a separate URL/link mentioned in the source code to the apk file (android application file).
  3. The third level is all about request manipulation – here the player needs to manually send a post request to the server as the instruction given on the web page. CSRF (cross-site request forgery) vulnerability is here, so the player can create a separate HTML page or player can use any request manipulation tool. 
  4. The fourth is about scripting – The player needs to get the logic behind this level’s behavior by observing the source code of the web page. After that, the player can see that this page needs to refresh 10000+ times to get the final flag. To do that, the help of a script must be needed.

How these four are done?

Before we move on to the demo, you can get the source code of this application via my GitHub account.

I will write separate blogpost to demonstrate how to complete each level and how to create required exploits that will be needed in some cases. However, in this blog post, I’m going to explain how I developed the web application interfaces to the client-side. So, let's move on to the first level which has the task to crack a hash value to get requires information regard to the next level. Before that, I need to tell you guys that I used technologies like JAVA, HTML and CSS to develop these web applications and I used apache tomcat as the webserver.
Moving on to the demo 😉 the first level as I mentioned earlier is about hash cracking. It’s pretty much easy as in I only had to put the hashed string into the source code in my .jsp file as a comment so that the player or the viewer can simply observe the source code of this web page and get the hashed string.   



In the above image, it shows you that the comment I created for the player as the hint. You can also use this kind of comment according to your development language. This is a pretty straight forward level and there are no complex logics behind the server-side as well, and the bellow image will prove you that. 
As you can see, I commented out the server-side logic on the client-side web page so that the player will get an idea about how it works. So, the logic is, the server gets the POST request from the client and extracts values assigned with the username and password parameters, hash them and matches the hashed values with the validating hashes which are the values that highlighted in the above image.
Above image is my hash function “HashPass😊
In the next challenge, the user needs to reverse engineer an android application. I developed an android application that has the flag information to the next level. However, the username for the next challenge is in the source code of this web page.

In this android application, it has some instructions as below.

 
I put the next hint in the slide bar of the application. The source code is like below.


So, the final android application will look like this,




The player needs to reverse engineer this android application and there is a separate java file called “FLAG.java” which contains the flag information to the next level.



The next challenge is all about request manipulation or we can say cross-site request forgery. Here also developing a vulnerable CSRF website is not that difficult.

The client-side web page source code is shown below.
  
As shown in the highlighted areas, I used images as the text fields so that the player won’t be able to type any strings on the webpage. Let me show you the actual web page 😊



Those text fields are not actual text fields, but they are images. And on the server-side in order to provide the player with the flag, it’s expecting some values to be fulfilled. Also, in the client-side source code, it contains some hints about the required parameters.



On the server-side it's pretty much the usual, you need to validate the request obtain from the client and provide relevant information.



The next challenge is about scripting. Here in order to get the flag, the player must reload the page 10000 times.

Let’s see how the web page looks like.


In the source code on this page, there are some java coding to maintain session counts of a specific user and obviously, these code lines are not visible to users or players 😊 and the below image will show you them.

 
And then the logical segment of the code 😊


So, after the user hits 10000th count, he/she will get the flag which also the root password of the webserver. 😊

As usual, a hint is given in the user-visible source code (as a comment) and this happens to be the main logic behind getting the flag out from the server-side.



 
That’s all for this post, hope you guys get some ideas about developing a CTF box. If you want to get all my source code regarding these challenges, visit my GitHub account 😊







Comments

  1. BuddithaJanuary 2, 2020 at 12:12 PM

    You made it look very simple. Thanks a lot.

    ReplyDelete
  2. Cyber techJanuary 8, 2020 at 1:05 PM

    Great work buddy...

    ReplyDelete
  3. AnonymousNovember 3, 2020 at 9:12 PM

    "When I was applying for a loan to purchase my building as a small business owner in a tough situation, conventional banks said they could not help me. The loan firm from Mr Lee sat down with me, heard my situation and decided that I was worth taking a chance on. Here we are 5 years later and I have just renewed my loan for another 7 years. I couldn’t have purchased my building without the help of the loan from mr lee and will be forever indebted to them for giving me a chance when no one else would."Here is mr lee contact Email: 247officedept@gmail.com Also on whatsApp: +1-989-394-3740So I will advise anyone here looking for a loan to contact Mr Lee for assistance with loan fundings.

    ReplyDelete

Post a Comment

Popular posts from this blog

RMI (intro)

Image
What is RMI?  RMI stands for Remote Method Invocation. It is an application programming interface (API) that allows an object running on one Java Virtual  Machine (JVM) to invoke methods on an object running on another Java Virtual Machine (JVM), client server architecture is a good example where RMI is used. Basically, RMI provides for communication between programs written in the Java programming language. Architecture  In an RMI application there are two programs, a server side program and a client side program. Inside the server side program, a remote object is created and reference of that object is made available for clients. The client side program requests the remote object from the server to invoke its methods.  (A diagram to represent RMI architecture) Stub & Skeleton? Stub is a representation the remote object in the client and its acts as a gateway for the client program. Skeleton is the object that in the server-side. stub communicates with
Read more

Let's Configure HTTP'Secure' in Apache-Tomcat

Image
What is HTTPS?.. if you don't have any idea about what is HTTPS, refer my previous blog post about HTTPS . If you have an idea about HTTPS and SSL/TLS handshake, you are good to go 😊  Creating a digital  certificate We can create a digital certificate using "Java KeyStore (JKS)". This is a repository of security certificates. We can generate a keystore file using keytool command. in order to work with keytool, you must have "JAVA" installed in your computer.  keytool is a key and certificate management utility that allows users to administrate their own public/private key pairs, and the keystore file we are going to generate bellow will also be our local tomcat server's server certificate.   Options  When creating a "keystore", we need to provide some options and values to it. -genkey/-genkeypair -alias  -keyalg  -keystore  -keysize -validity -sigalg -storepass -keypass -dname  -genkey/-genkeypair -genkey
Read more

Mitigate CSRF with Double Submit Cookies

Image
I previously explained what is CSRF  and how we can mitigate a CSRF attack using Synchronizer token pattern technique. In this blog post I'm going to talk about another CSRF mitigation technique called "Double Submit Cookies Pattern"  😉 What is Double Submit Cookies Pattern? This is a technique, that sends a random seed or a "token" as we call it, in both a cookie and as a request parameter, with the server verifying if the cookie value and the request value match. Why DSCP? Now its obvious that a third party entity cannot perform a CSRF attack without the CSRF token, and in here attacker or the third party entity cannot get the token because its in a cookie, and third party web pages cannot retrieve cookies from another web page that has a different domain. For example, assume that the genuine web page is banker.com, and the attacker's web page is attacker.com, when a user logged in to the banker.com, and accidentally redirect to attacker
Read more