{"id":666,"date":"2017-10-30T17:08:13","date_gmt":"2017-10-30T22:08:13","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=666"},"modified":"2017-10-30T20:13:11","modified_gmt":"2017-10-31T01:13:11","slug":"completing-the-lascon-2017-badge-game","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2017\/10\/30\/completing-the-lascon-2017-badge-game\/","title":{"rendered":"Completing the LASCON 2017 Badge Game"},"content":{"rendered":"

For those who don’t know, every year I put together a game that starts on the back of the LASCON badge. \u00a0It’s typically some combination of crypto challenges alongside application security vulnerabilities with the goal of having it take somewhere around 1-3 hours, depending on experience, to complete. \u00a0Those who complete the game are rewarded with one of these awesome challenge coins:<\/p>\n

\"LASCON<\/a><\/p>\n

Now, I know that there are people out there who look at one of these things and don’t even know where to start so, it is in the spirit of education and learning that I share with you my notes on how to complete the LASCON 2017 Badge Game.<\/p>\n

Stage 1<\/strong><\/span><\/p>\n

On the back of the LASCON badge it reads as follows:<\/p>\n

\n
Another year, another game<\/div>\n
Solve the puzzles, write your name<\/div>\n
These characters aren\u2019t a work of art<\/div>\n
Ask a mason how to start<\/div>\n
<\/div>\n
\"ciphertext\"<\/div>\n<\/blockquote>\n
<\/div>\n
The key word in the text above is “mason”. \u00a0If you were to Google the term “mason cipher”, you would come across an interesting kind of cipher called a Pigpen\/Masonic\/Freemason Cipher. \u00a0The idea being that they take a geometric pattern and map the letters of the alphabet to the locations on the pattern. \u00a0Here’s an example that you could use to translate this text:<\/div>\n
<\/div>\n
\"Freemason<\/a><\/div>\n
<\/div>\n
Once translated, you get the following message:<\/div>\n
\n
To start the badge game go to nocsal dot lascon dot org<\/div>\n<\/blockquote>\n
Stage 2<\/strong><\/span><\/div>\n
When you go to nocsal.lascon.org<\/a>\u00a0it defaults to having a GET parameter of page=winners.php. \u00a0This is a sign that it is vulnerable to directory traversal. \u00a0There is also a comment in the page source that says \u201cGet badge game winners from \/files\/winners.php\u201d. \u00a0If you navigate to\u00a0http:\/\/nocsal.lascon.org\/files\/<\/a>, it has directory browsing enabled and you can see a test.php page there, in addition to winners.php. \u00a0If you go to\u00a0http:\/\/nocsal.lascon.org\/?page=test.php<\/a>, you will see it grabs the test.php code and pulls it into the page source. \u00a0If you view source, you can see the text is as follows:<\/div>\n
<\/div>\n
\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n
<?php<\/div>\n<\/td>\n
<\/td>\n<\/tr>\n
<\/td>\n\n
\/\/ Test ability to grab winners table from the database<\/div>\n<\/td>\n<\/tr>\n
<\/td>\n\n
$servername = “localhost”;<\/div>\n<\/td>\n<\/tr>\n
<\/td>\n\n
$username = “lascon”;<\/div>\n<\/td>\n<\/tr>\n
<\/td>\n\n
$password = “e3fmGYHDrc6MNCEMmLWj”;<\/div>\n<\/td>\n<\/tr>\n
<\/td>\n\n
$dbname = “lascon”;<\/div>\n<\/td>\n<\/tr>\n
<\/td>\n\n
$conn = new mysqli($servername, $username, $password, $dbname);<\/div>\n<\/td>\n<\/tr>\n
<\/td>\n\n
$sql = “SELECT * FROM lascon_winners”;<\/div>\n<\/td>\n<\/tr>\n
<\/td>\n\n
$result = $conn->query($sql);<\/div>\n<\/td>\n<\/tr>\n
<\/td>\n\n
$array = $result->fetch_array();<\/div>\n<\/td>\n<\/tr>\n
<\/td>\n\n
print_r($array);<\/div>\n<\/td>\n<\/tr>\n
<\/td>\n\n
$conn->close();<\/div>\n<\/td>\n<\/tr>\n
<\/td>\n\n
?><\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
<\/div>\n
We now have a database username and password.<\/div>\n
<\/div>\n

Stage 3<\/strong><\/span><\/p>\n

Even though the database connection that we found uses a servername of “localhost”, it turns out that mysql is open on the public IP interface of the server as well. \u00a0We can use a mysql client to connect to nocsal.lascon.org<\/a>\u00a0with username \u201clascon\u201d and password \u201ce3fmGYHDrc6MNCEMmLWj\u201d (mysql -h nocsal.lascon.org -u lascon -p<\/em>). \u00a0Once in the database, the user has access to read the lascon database and will see a \u201clascon_winners\u201d, \u201cusers\u201d, and \u201cwebsites” table. \u00a0When you try to insert into the lascon_winners table, you quickly realize that you do not have insert permissions, so you cannot insert into the lascon_winners table. \u00a0In the users table, you see an entry with username \u201cadmin\u201d and password \u201cNFJXaTNuc0pyR2Y2c25iNG9Va1c=\u201c. \u00a0In the websites table, you see a bunch of sites and one hiding amongst the others is ttpcteebhz.lascon.org.<\/p>\n

<\/div>\n
<\/div>\n

Stage 4<\/strong><\/span><\/p>\n

When you go to\u00a0http:\/\/ttpcteebhz.lascon.org<\/a>\u00a0in your browser, you see a form with a spot for a username and password. \u00a0You can base64 decode the string you found int he database (NFJXaTNuc0pyR2Y2c25iNG9Va1c=) to get the value \u201c4RWi3nsJrGf6snb4oUkW\u201d. \u00a0Once you have that, you can log in with username \u201cadmin\u201d and password \u201c4RWi3nsJrGf6snb4oUkW\u201d.<\/p>\n

<\/div>\n
<\/div>\n

Stage 5<\/strong><\/span><\/p>\n

Once logged in with the username and password, you see a blank page. \u00a0Once you view the page source, however, you see that it contains a hidden form and fields:<\/p>\n

<form name=”submission” method=”post” action=””><\/div>\n
<input type=”hidden” name=”first_name” value=”” readonly \/><\/div>\n
<input type=”hidden” name=”last_name” value=”” readonly \/><\/div>\n
<input type=”hidden” name=”phone” value=”” readonly \/><\/div>\n
<input type=”hidden” name=”email” value=”” readonly \/><\/div>\n
<\/form><\/div>\n

The last part of the challenge you could accomplish with a proxy tool, but I just used the Developer Tools in Chrome. \u00a0I changed the hidden fields to text fields, removed the readonly values, and then added a form submit button. Once submitted, the game is over and you win!<\/p>\n

<\/div>\n
<\/div>\n

A Quick Summary of Puzzles Solved \/ Vulnerabilities in the Badge Game<\/strong><\/span><\/p>\n

    \n
  • Freemason Cipher<\/li>\n
  • Directory Traversal<\/li>\n
  • Information Disclosure in Comments<\/li>\n
  • Directory Browsing Enabled<\/li>\n
  • Hard-Coded Database Credentials<\/li>\n
  • MySQL Service Publicly Accessible<\/li>\n
  • BASE64 Encoded Passwords<\/li>\n
  • Hidden and Read-Only Form Fields<\/li>\n
  • Missing Form Submit Button<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

    For those who don’t know, every year I put together a game that starts on the back of the LASCON badge. \u00a0It’s typically some combination of crypto challenges alongside application security vulnerabilities with the goal of having it take somewhere around 1-3 hours, depending on experience, to complete. \u00a0Those who complete the game are rewarded […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[517,649,4],"tags":[76,651,654,652,650,653,12,622],"class_list":["post-666","post","type-post","status-publish","format-standard","hentry","category-capture-the-flag","category-owasp-lascon-2017","category-web-app-sec","tag-application","tag-badge","tag-conference","tag-game","tag-lascon","tag-lonestar","tag-owasp","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-aK","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/666","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=666"}],"version-history":[{"count":5,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/666\/revisions"}],"predecessor-version":[{"id":674,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/666\/revisions\/674"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=666"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=666"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=666"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}