Amazon x WiCyS CTF 2023

Extra thanks to Mina, Gustavo, and Daniel! ❤

Event announcement: https://www.wicys.org/event/webinar-amazon-amazon-x-wicys-ctf

Below are some challenge write-ups of this CTF. It lasted 24 hours (the first hour was for the webinar), from Sept 28–29th. I ranked 54th of 356 players.

I’ll try to explain my solutions in a way beginners can understand.

Web (category) : Network Analyzer (title): 100 (pts) : “Our internal network engineers got tired of using the terminal. They have created network analyzer. This tools allows them to ping any ip in our network. Some hackers have tried to use our tools for evil purposes. Good thing we have the best security engineers in town. They have secured this service by preventing any ‘;’, ‘python’, ‘wget’, and ‘curl’. That should be enought to stop the hackers right?” (description)

Proof my command works.

Web categories usually want you to break into a site. The first step is to determine what kind of site. This one is Linux cause they’ve prevented certain syntax from getting past their submission box, such as “wget” (a Linux command for downloading files from the web).

You want to give the website what it expects. This one wants any IP address. But you can attach commands after the IP, by using “&&”. It’s not normal for websites to allow this. When they do, it’s called a Local File Inclusion vulnerability.

Submitting “127.0.0.1&&ls” (note: “ls” is a Linux command to list files in a directory) shows that there’s a file named “flag.txt” in the server. I need to read that file, but all the commands I knew (e.g. cat, strings), require a space (i.e. delimiter) between the command and the file, which the site was also blocking.

Luckily, “$IFS” works as a delimiter. Submitting “127.0.0.1&&cat${IFS}flag.txt” makes the site read the flag to you.

Alternatives: Player Bellaria got it by submitting “127.0.0.1 | cat flag.txt” and didn’t encounter the delimiter issue.

Flag: Amazon{4n0th3r_H4ck3r_Succ33d$}

Networking : Simple PCAP : 100 pts : “Can you spot the activity?”

pcap file opened in Wireshark and organized by largest packet.

Network data takes the form of packets. When you run Wireshark on a machine, it records packet traffic in real-time, in a pcap or pcapng format. You’re usually expected to find hidden text or image files in pcaps.

To search for text, go to the Wireshark menu > Edit > Find Packet and a search toolbar will appear. Set this toolbar to “Packet details”, “Narrow & Wide”, and “String”. Start searching for flag-related terms (e.g. flag, secret, Amazon, etc).

To search for image files, I suggest sorting packets by size. Click on “Length” and you’ll see the biggest ones are packets 27 and 31. Right-click one and select Follow > TCP Stream. From there, you’ll see form-data mentioning a “flag.png” and a “secret”.

We discovered the flag is a PNG. But how to read it?

A short explanation of what we’re looking at, is that a web form was used to send a PNG. Packets 35 and 38 are using the HTTP protocol. You can export objects involved in HTTP traffic by File > Export Objects. Sometimes, this is enough to solve the challenge, but here, you just get the web forms (i.e. two separate submit.cgi files). The PNG is under the TCP protocol, not the HTTP one. But there’s no Export Objects option for TCP.

Export Objects for HTTP isn’t helpful in this case.

So let’s return to TCP. In the TCP Stream viewer, change “Show data as” from “ASCII” (which is the human-readable option) to “Raw”. This puts the data in a format that’s easier to parse for machines, and makes it easier for machines to change the data back to a PNG. All files have type headers and enders that tell machines what they’re looking at. For PNG, the file header is always: 89 50 4E 47 and ends in 49 45 4E 44.

I found the PNG in the Raw data.

To export this Raw data of the PNG, choose “Save as…” in the TCP Stream viewer and give it a PNG file extension. Upload this file to CyberChef (a popular web-based analysis tool) and choose the “Extract Files” recipe to extract the PNG. Copying and pasting this Raw data won’t work as well as using an exported file by Wireshark.

Cyberchef couldn’t automatically detect the PNG, but it did extract it.

(I originally tried it and succeeded, by copying and pasting the raw data that only included the PNG file headers, but for some reason, I only got the top half of the PNG. It was enough for me to guess the flag. But the methodology I’ve documented here is more complete.)

Alternatives: Player Harshit Rajpal went into the packet details for packet 35 and used Wireshark’s “Export Packet Bytes…” option.

Flag: Amazon{pc@p_mak3s_th3_m@gic}

Web : Password Locker on the Web : 100 pts : We have created the lastest crypto encryption software and are sharing it with the public!! Use our new tool password locker on the web to see the lastest and greatest in encryption software OR is it……………

Figure out what’s going on behind the website.

The challenge description mentions “OR”, which hints at the XOR cipher. You’ll notice that any input that matches the flag (i.e. “Amazon{“) will result in zeroes. This means when you input the flag, the encryption has nothing to XOR against, cause it’s a perfect match.

This site also encodes all inputs into hex and limits input length to 20 characters. Since I use Kali Linux, I’m often on Firefox. From there, I can change the “max length” value from 20 to 100 in Firefox’s “Web Developer Tools” feature. (I originally didn’t do this, cause I thought I was supposed to stay within the character limit. My bad.)

Proof that anything goes if you have enough length.

Because of the special nature of the XOR cipher, you can submit anything and get the flag, as long as it’s longer than the flag! Take the hex result to decode it in CyberChef, then XOR it with the ‘key’ (which is whatever text you had inputted) and the flag will show. My key was “youCanLiterallyPutAnythingInThisTextBoxSoLongAsItsAtLeastTheLengthOfTheFlag”.

Flag: Amazon{This_Flag_Is_Secret_front_end_validation_is_bullet_proof}

Web : Happy Birthday Card Generator : 100 pts : Imagine this library is so friendly, it’s practically a doorman who invites hackers to tea — in the server room!

Happy Birthday to SSTI?

This resembles the Network Analyzer challenge from earlier, but none of my earlier tricks work here. Cause it’s a different vulnerability called Server-Side Template Injection (SSTI). The quickest way to find out if that’s true is to, as one player (i.e. condor_mug) quipped, “make it do math.” But this math must be in double curly brackets (e.g. “{{4*3}}”). Without the double brackets, it’ll just mirror what you give it.

Underscores are important for the injection command!

Explaining how to create a SSTI injection command is beyond me right now, and would take a whole other post even if I could. I recommend reading up on it elsewhere. One insight I can give, is that while testing others’ write-ups, I discovered underscores must be included for these commands to work. Certain systems (such as Discord) may render underscores as underlines, when you publish them. This is why I’ve included them in this report as a graphic instead.

Alternatives: Harshit Rajpal and Miland Daftari, who both found the injection commands from https://secure-cookie.io/ and cited their sources.

Bonus: Player Adamkadaban wrote a guide on an SSTI lab that he tried.

Flag: WHETSTONE{SsT1_is_v3ry_6Ad}

Postscript:

Challenges missing (or only have partial) write-ups are: 1 — ecommerce (there were 6 solves; Daniel says it’s template injection) 2 — log this shell (there was 1 solve) 3 — mad-lib (2 solves; Mina says it’s SSRF + command line injection or LFI; infosecambika identified the vulns in the code and included a Burpsuite screenshot; XwaSS posted the link to their write-up on 10/3) 4 — dirty params (there was 1 solve) 5 — PSQL (0 solves; Gustavo mentioned enumeration is key; Bellaria and cyberperuvian found the robots.txt and connect.html pages, but got no further) 6 — amazon gpt (0 solves; Daniel and Mina say it’s error-based blind SQL injection) 7 — delivery (4 solves; k0m1 did a write-up in the channel but it’ll be gone once the Discord is shutdown) 8 — hansome (there was 1 solve)

Update:

1 — ecommerce (Daniel explained in channel: “This is meant to be the harder version of birthday card generator. So you see that it’s a python flask server and start trying SSTI. There is a template inject in a post parameter. You try something like {{7*7}} you will notice that you get a prompt that says stop doing that hacker but the {{ and }} have been removed. The prompt is there to give you an hint that you’re on the right track. Also usually if the input is not vulnerable to template injection you would see the response be {{7*7}} isn’t of 7*7 which gives you a tells you that the {{ and }} have been filtered out. From here you can try multiple things but the easies path I think is to try to bypass the filter by putting double the brackets. So it would be something like this {{{{7*7}}}} which would result in 49. From here it’s just a regular temple injection. I usually use this website here. Jinja2 SSTI.

The class 396 is the class <class 'subprocess.Popen'>

{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}

Here is the payload from the site I used.

The value 396 changes so you put it in intruder and enum this value till you find popen.

Adamkadaban — Yesterday at 12:03 PM: ngl, I didn’t even realize you could double up on the brackets. one alternative is using conditional templates, bc that wasn’t being filtered {%%}).

2 — log this shell (Adamkadaban shared a link that had helped them understand the log4j exploit and “believe the challenge was a deployment of this proof of concept”)