Please note that successful exploitation heavily depends on how well one understands the exact nature and location of the vulnerability. Many commonly known vulnerabilities have publicly available exploits – such as those on exploit-db – but while solving CTF challenges, you will need to take the time to understand the weakness rather than seek a plug-and-play exploit. About Net-Force Exploits Challenges These challenges require that you provide the correct passwords that are revealed to you after solving them. You can attempt them in any order but you must be logged in to try potential passwords. ‘Exploits’ CTF challenges range from web-based exploitations to backend SQL injections. However, in some cases these are just ‘simulated challenges’. For instance, the challenge ‘UNION makes FORCE’ does not actually involve a backend database server. Hence, you need to send the exact SQL injection query that the designer is looking for, rather than any other (correct) alternatives. Spoiler Alert!! Please be advised that the following content provides solutions to the intriguing Exploits challenges on Net-Force. I recommend against read further without having tried your absolute best at the challenges first. Solutions to Exploits Challenges 1 to 5 Exploit Challenge 1, Level 401: “Nice include system ;)” Since this is the first challenge in this category, it is not as convoluted. In fact, the title of the challenge contains a big hint – ‘include system’. The PHP local file inclusion vulnerability is a very popular weakness that allows us to access important system files on the server via the web interface. In all probability, the hint in the title is pointing to local file inclusion.
Figure 1 By observing the HTTP link of the challenge page, we know that the ‘index.php’ script contains a parameter ‘page’ that can be used to invoke locally stored files on the server. First, we checked to see what other files are stored in this folder by accessing the following URL: https://www.net-force.nl/challenge/level401/ This proved futile since the server does not suffer from ‘directory listing’ vulnerability and redirected us back to the ‘index.php’ page. Next, since the challenge is asking us to “obtain the password file of the system” we focused our attention on this password file. On a Unix-based system, the file containing user login names and passwords is named ‘passwd’ and stored in ‘/etc’ along with other configuration files [Figure 2].
Figure 2 A server suffering from local file inclusion would allow us to access this ‘passwd’ file via the web interface. Hence, we access the following location: https://www.net-force.nl/challenge/level401/index.php?page=/etc/passwd Sure enough, text containing logins and password hashes from the file ‘passwd’ was displayed on the screen [Figure 3].
Figure 3 In order to recover the plaintext password from this hash, we need ‘john the ripper’ [Figure 4]. After cracking a password, ‘john’ stores the resulting plaintext password along with the username in the ‘john.pot’ file for later access.
Figure 4 Note: Only the earlier versions of UNIX contained the password hashes and the salt in the ‘passwd’ file. In a real-life situation today, the file ‘passwd’ would not contain the password salt [Figure 5].
Figure 5 Password: koe Exploit Challenge 2, Level 402: “Oops, a typo…” This challenge tells us that it is comprised of 2 parts. We follow the link to access the first part [Figure 6]. We notice the error message displayed to us that suggests that the PHP script ‘protected.php’ contains a variable ‘ip’ that is currently undefined. Also, the page tells us that protected.php can only be accessed using the IP address “213.75.238.147”. So, we need to input the value ‘213.75.238.147’ for the variable ‘ip’ in order to access protected.php.
Figure 6 Since we are familiar with how a user could pass values of variables using the browser URL to a PHP script, we access the following link: https://www.net-force.nl/challenge/level402/protected.php?ip=213.75.238.147 We have solved the first part of the challenge [Figure 7] and proceed to the next. We are redirected to the following link: https://www.net-force.nl/challenge/level402/auth.php?denied
Figure 7 We attempt to change this ‘denied’ to ‘granted’ with no success; we are redirected to ‘denied.’ We need to study what kind of request is being sent to the server and see if we can manipulate it to our advantage. To do this, we use Burp Suite Proxy to intercept the request. We notice that the browser is accessing the following URL [Figure 8]: https://www.net-force.nl/challenge/level402/auth.php?show=no
Figure 8 Naturally, we change this ‘no’ to ‘yes and obtain the password [Figure 9]: https://www.net-force.nl/challenge/level402/auth.php?show=yes
Figure 9 Password: expl017 Exploit Challenge 3, Level 403: “Source Cooking!” The very name of this challenge suggests that we need to dig into relevant source code to solve it. We are given a link below that allows us to view the source code of the file ‘index.html’: https://www.net-force.nl/challenge/level403/source.php?url=index.html Since there is nothing interesting there, we move on and manipulate the parameter ‘url’ to access ‘challenge.php’. However, we are told that only HTML files are allowed (no PHP) [Figure 10].
Figure 10 This calls for a null-byte injection. The null byte we will use is ‘%00’ and obtain the source code [Figure 11]: https://www.net-force.nl/challenge/level403/source.php?url=challenge.php%00.html
Figure 11 Notice the ‘if’ condition in this code that calculates the md5 of ‘NetForce’ and matches it with the cookie received from the user’s browser. If it’s a match, then it goes to ‘solution.php’ – which is what we want. Hence, we calculate the MD5 hash of the word ‘NetForce’ [Figure 12].
Figure 12 Next, we use the Chrome extension ‘EditThisCookie‘ to edit the cookie being sent to the Net-Force page by our browser. We input the calculated MD5 sum as the cookie’s value [Figure 13] and access the page again.
Figure 13 Since we have sent the expected value of the cookie, we are given access to the password [Figure 14].
Figure 14 Note: From security perspective, what should have happened was that the web application should have detected and rejected the null byte characters in user input. Password: CookieMonster Exploit Challenge 4, Level 404: “Hiding in a pipe…” This challenge provides a link to a portal and asks us to ‘hack’ the portal to obtain the password. The portal seems to take input from the user and execute some commands in the background according to the supplied input [Figure 15].
Figure 15 The result of command execution is given back to the user via the web interface [Figure 16].
Figure 16 It becomes clear that to solve this challenge we need to execute arbitrary commands on the server by performing a command injection attack. Ideally, a user would execute only allowed commands such as ‘ping’. However, we will attempt to execute the expected command and another random command that might help us access the password to this challenge. The title of this challenge mentions ‘pipeline’. Pipelining is when we execute multiple commands one after the other on a UNIX box by using ‘|’. We pipeline another command ‘ls’ to see the files and folders in this directory [Figure 17]. We notice an interesting folder ‘protected’ and 2 other files.
Figure 17 The file ‘info.txt’ might provide us some information so let us display its contents. Apparently, we have solved the first part which was to locate the folder ‘protected’ [Figure 18].
Figure 18 Access to the protected folder requires a username and password [Figure 19]. Our next goal is to locate these credentials and access this folder.
Figure 19 This took a while but ultimately we noticed this in the ‘finger’ command text box: finger BasTijs@net-force.nl. There is a user ‘BasTijs’ on this server but we do not have his password. We try the username ‘BajTijs’, leave the password blank, and are given access to the folder where we see ‘solution.php’ [Figure 20].
Figure 20 Note: There seems to be a bug in the challenge that will require you to enter these credentials multiple times before it allows access to the folder. The file ‘solution.php’ contains the password [Figure 21].
Figure 21 Password: pijpme! Exploit Challenge 5, Level 405: “UNION makes FORCE” This is clearly an SQL injection challenge as suggested by the title. For instance, we are all familiar with the simplest and most popular SQL injection query that allows us to bypass authentication on vulnerable systems: SELECT * FROM users WHERE name = ” OR ‘1’=’1 During this challenge, we are required to log in using a specially crafted SQL injection query that is created after carefully reading the source code provided in a text file. Let us focus on this code. The first few lines are used to connect to the database server using ‘dbuser’ and ‘dbpass’, and selecting a particular database [Figure 22].
Figure 22 Next, we have the interesting authentication part of the code. We see the following query being executed in the first line [Figure 23]: SELECT pass from users WHERE user=’$login’
Figure 23 This means that the password is selected corresponding to the value of the variable ‘login’ in the PHP script. After several guesses, we were able to determine ‘admin’ is a valid user in database. Also, the script is comparing the MD5 of the password provided for the user ‘admin’ with value stored at row[0]. If there’s a match, the authentication is successful, otherwise not. We need to supply ‘admin’ as the value of ‘login’ and then end the query there using a ‘ –(apostrophe) . From here, we can use the UNION operator that contains the result of both of the SELECT statements. So our username becomes: admin’ UNION SELECT ‘a6d420cb77a4b29af1c5f58dd6877401 Here, the MD5 hash corresponds to the password that we are going to provide, that is, ‘pranshu’ [Figure 24].
Figure 24 Hence, the credentials become: Username: admin’ UNION SELECT ‘a6d420cb77a4b29af1c5f58dd6877401 Password: pranshu Using these credentials – laden with SQL injection – we are able to successfully login and acquire the password [Figure 25].
Figure 25 Note: We tried several SQL injection queries that we were absolutely sure, beyond a doubt, would work. However, they did not. If you are facing similar problems, then you must know that there is no actual backend database server for this Net-Force challenge where these queries could be executed. Instead, the challenge is simulated and the creator wants you to provide the shortest query that would work. If this SQL query matches with what they had in mind, the challenge is solved. Password: NetForceUnited End Remarks Net-Force community has a good collection of security challenges that will facilitate comprehension and learning for enthusiasts and students of information security. These challenges are progressive in nature which means usually a challenge would consume more time than the previous challenge in the same category. Feel free to sign up at Net-Force and attempt to solve some challenges. If you have spent a substantial amount of time on a specific challenge – and the solution has evaded you for long – then you can always come here to seek solutions. These Exploits challenges at Net-Force were well-designed in that they push you to learn new concepts but are not so convoluted as to cause frustration. The solutions above discuss only successful attempts for the sake of brevity. If you enjoyed these, consider attempting more captivating challenges at Net-Force to test or build your skills in security.