HellBound Hackers | HellBound Hackers | Questions

Schoolproject Hacking Challenge

Awaces
Member
Posts: 4
Joined: 22.11.15
Rank: Newbie
Posted on 22-11-15 16:21
I'm a 22-year-old student who lives in Belgium and I'm studying cybercrime.

For a school project we are divided into groups of 3-4 people.
We all got a small space on a server where we can set up a platform.

The goal is to secure your platform and hack the other groups.

So far so good, I've got 1 group in my scope where I might be able to get through.

It's a guestbook with a firewall behind it.

Here is a small list of what's blocked by the firewall:
- onerror, onload, onunload, onabort, onclick, onmouseover, onmouseout, onkeydown, onchange, ...
- < script>
- on' & 'load
- on' ++ 'error
- data:text/html
- ....

There are some possible leaks I've found to get through:

- I'm unable to use the `<img src="">` but `<img id = "x" src="">` works and bypasses the firewall here.

- I'm also able to post a simple video that runs from the moment I open the page, maybe this will be the thing I'll have to focus on.
* I'm able to use this: `<video autoplay><source id="x" src="myvideo.vid"></video>`
- I'm able to use the `<a href ... >` tag and let it execute JavaScript, but it needs an action to be executed.
* `<a id="bb" href="javaSCRIPT&colon;alert(1)">clicks</a>` This works, but I have to click on the button before it executes.

It would be nice if I could implement my `<a ... >` code into the `<video>` or `<img>` tag.

Anyone have an idea?

Thx in advance

Edited by Awaces on 22-11-15 16:23
RE: Schoolproject Hacking Challenge

Huitzilopochtli
Member
Posts: 1621
Joined: 19.02.13
Rank: God
Posted on 23-11-15 05:09
A guestbook is a pretty limited attack vector man, unless you find an RFI or LFI, you're probably only gonna be able to steal cookies at best.

Best find out what else they are running on their 'space', port scan them and look at what services they have running, find out if they have WordPress or Joomla etc installed and check for known published vulnerabilities for that version.

XSS is pretty limited to defacement, unless you can chain it with other things like CSRFs and the like, but maybe an XSS is enough to satisfy the conditions of whatever it is you're supposed to be doing.

Give us more details.
RE: Schoolproject Hacking Challenge

rex_mundi
☆ Lucifer ☆
Posts: 2017
Location: Scotland
Joined: 20.02.08
Rank: God
Posted on 23-11-15 07:29
It's more likely a filter than a firewall, try encoding the things that are blacklisted, and see if any make it through.
U N ⓡⓔⓧ_ⓜⓤⓝⓓⓘ
RE: Schoolproject Hacking Challenge

Awaces
Member
Posts: 4
Joined: 22.11.15
Rank: Newbie
Posted on 23-11-15 18:48
rex_mundi wrote:
It's more likely a filter than a firewall, try encoding the things that are blacklisted, and see if any make it through.

Huitzilopochtli wrote:
A guestbook is a pretty limited attack vector man, unless you find an RFI or LFI, you're probably only gonna be able to steal cookies at best.

Best find out what else they are running on their 'space', port scan them and look at what services they have running, find out if they have WordPress or Joomla etc installed and check for known published vulnerabilities for that version.

XSS is pretty limited to defacement, unless you can chain it with other things like CSRFs and the like, but maybe an XSS is enough to satisfy the conditions of whatever it is you're supposed to be doing.

Give us more details.


The only thing he's running is his firewall, just because he wants to find all vulnerabilities in his program and fix them this way.

This is the firewall we're talking about: https://www.aqtronix.com/?PageID=99

and these are 2 possibilities of how people got in before:
<video controls>
<source on' ++ 'error="window.location.href=''dat' ++ 'a:text' ++ '/html, <htm' ++ 'l><h2>Bypassed by Dieter AGAIN?!</h2></ht' ++ 'ml></htm' ++ 'l>''">
</video>

<body on' & 'load="window.location.href=''data:text/html, <html><h2>Bypassed by Dieter</h2></html></html>''" />' & '

I thought using on &apostrof; &plus; &apostrof; error could work, but it seems like it doesn't do the same as on' + 'error.
RE: Schoolproject Hacking Challenge

rex_mundi
☆ Lucifer ☆
Posts: 2017
Location: Scotland
Joined: 20.02.08
Rank: God
Posted on 24-11-15 04:10
Looks like you need to break up the filtered words with '++', in order to bypass the blacklist's rules, and chain the resulting filtered injection back together at the end, and it'll run.

And he can't ONLY be running a firewall and guestbook, there's obviously a web server and an operating system you can attack.

http://www.securityweek.com/web-application-firewalls-tested-against-xss-attacks

You seem to be concentrating on trying to exploit a downloadable firewall, and I don't really get how that fits into an attack/defence of a 'space' scenario, as really the only lesson to be learned there is that someone on the other team made a bad choice in picking a free firewall.

Edited by rex_mundi on 24-11-15 04:41
U N ⓡⓔⓧ_ⓜⓤⓝⓓⓘ
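The two replies above make the defender's point: a substring denylist is a filter, and the samples quoted earlier in the thread already pass it, whereas output-encoding the guestbook entry makes markup impossible regardless of spelling. The script below is an added example, not code from the thread or from the AQTRONIX product linked in it; the denylist is a constructed approximation of the token list the first post gives, and the sample entries are either quoted from the thread or marked as constructed.

```python
from __future__ import annotations
import html

# Constructed approximation of the denylist the thread lists (substring match,
# case-insensitive). The real product is not modelled, only the filtering idea.
BLOCKED_TOKENS = (
    "onerror", "onload", "onunload", "onabort", "onclick", "onmouseover",
    "onmouseout", "onkeydown", "onchange", "<script", "data:text/html",
)


def blacklist_allows(entry: str) -> bool:
    """Denylist check: reject the guestbook entry if any blocked token is present."""
    lowered = entry.lower()
    return not any(token in lowered for token in BLOCKED_TOKENS)


def render_with_blacklist(entry: str) -> str | None:
    """The guestbook's model: filter, then store and echo the raw HTML. None = rejected."""
    return entry if blacklist_allows(entry) else None


def render_with_encoding(entry: str) -> str:
    """The fix: entity-encode on output so the entry is always text, never markup."""
    return html.escape(entry, quote=True)


def is_inert(rendered: str) -> bool:
    """No tag or attribute can be opened once these four characters are encoded."""
    return not any(ch in rendered for ch in '<>"\'')


# The first two entries are quoted from the thread; the last two are constructed.
SAMPLES = {
    "anchor": '<a id="bb" href="javaSCRIPT&colon;alert(1)">clicks</a>',
    "split_handler": "<source on' ++ 'error=\"window.location.href=''dat' ++ 'a:text' ++ '/html''\">",
    "literal_token": "<script>alert(1)</script>",
    "plain": "Great site, thanks!",
}


def audit() -> dict[str, tuple[bool, bool]]:
    """Per sample: (echoed unchanged by the denylist?, inert after encoding?)."""
    return {
        name: (render_with_blacklist(text) == text, is_inert(render_with_encoding(text)))
        for name, text in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (passes, inert) in audit().items():
        print(f"{name:14} denylist passes={passes!s:5} encoded inert={inert}")
```

Only the literal `<script>` sample is stopped by the denylist; every sample, including the benign one, is harmless after encoding, which is why the fix belongs in the output path and not in a token list.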
RE: Schoolproject Hacking Challenge

Awaces
Member
Posts: 4
Joined: 22.11.15
Rank: Newbie
Posted on 24-11-15 11:16
Since somebody already got in through concatenating with ++, that's also disabled for use.
The owner of the group is my lecturer and the maker of the firewall.
This way he wants to make his firewall more secure.
RE: Schoolproject Hacking Challenge

Huitzilopochtli
Member
Posts: 1621
Joined: 19.02.13
Rank: God
Posted on 24-11-15 13:09
lol no need for a bug bounty program, when you can have your students pentest your work under the guise of learning for free.

Smooth.
RE: Schoolproject Hacking Challenge

Awaces
Member
Posts: 4
Joined: 22.11.15
Rank: Newbie
Posted on 24-11-15 13:46
Huitzilopochtli wrote:
lol no need for a bug bounty program, when you can have your students pentest your work under the guise of learning for free.

Smooth.

Lol yup indeed, that's exactly what he's doing. And tbh, it's kinda smart.

I made some attempts and he mailed me that I'm pretty close to the solution...
Sadly enough, I have no clue how to fix the job.

Dear student,

I think you're almost there, try to work further with the attempt you did here:
<a id="bb" sty&#x6c;e="javaSCRIPT&colon;prompt("Hacked")">clicks</a>

Find a way using the style attribute to get in.



But I thought implementing JavaScript wasn't possible anymore through the 'style' tag?


*Nvm* He thought you could still implement JavaScript inside a 'style' parameter.

Edited by Awaces on 24-11-15 14:43