The Hackathon: Capture The Flag

Written by Chris Feasey | Jul 22, 2021 2:48:00 PM

At Eagle Eye we take Web Application Security seriously.

We try to embed an awareness of security into our day-to-day activities. Every application online is vulnerable to a myriad of violations, from automated bots to malicious actors aiming to exploit any weakness for financial benefit or to cause reputational damage.

Security is a critical part of our SDLC (Software Development Lifecycle), and through requirements assessment, implementation of code, peer review and QA we have several quality gates to ensure that changes made to our applications do not introduce any new vulnerabilities. Our applications are also made subject to regular penetration tests to assure our auditors that we are fully compliant in meeting the highest levels of Web Application Security.

In addition to our formal processes, however, we wanted to reinforce a security mindset in our technical departments as well as our wider business. Presentations and courses can be a little dry after a while, so we decided to run a hackathon competition with prizes for the best performers. Many of our Software Engineers have been through formal OWASP training. OWASP stands for the Open Web Application Security Project and every year this organisation publishes its Top 10 Web Application Security vulnerabilities list – each item on the list is a different attack vector used by malicious actors and items which every Software Engineer at Eagle Eye needs to be aware of as well as knowing how to mitigate its risk.

SECURITY GAMIFICATION: Capture the Flag

We found an interesting project promoted by the OWASP team called ‘The Juice Shop’, an e-commerce application that is deliberately riddled with security vulnerabilities. This application can be installed locally on your computer, and you are challenged to find these vulnerabilities. Each challenge has a different score according to the difficulty of the hack. When you have successfully exploited a vulnerability, you are rewarded with a ‘Flag’ which is a string of letters and numbers (a hash) that needs to be pasted into a dashboard to record your success or failure activity is therefore known as Capture the Flag.

We ran this over a financial quarter with various prizes being offered for the best or most notable performers. We were not sure if it would catch on, but we soon found that people became really engaged in the competition. The best part was that several non-technical employees also got involved with the fun. There are a variety of ways to tackle the problems, and some of our learnings and experiences are described below.

CHALLENGE SOLUTIONS

Sathya Senthilnathan

Challenge: Christmas Special - Order the Christmas special offer of 2014

To order this product, first, you have to find this product and add it to the basket. In the front end, searching for this product doesn’t show any results, so it’s not available for purchase. You have to find all the deleted/unavailable products and add them to the basket. When you try to add existing available products into the basket, you will notice in the network tab, that http://localhost:3000/api/products/30 is the endpoint that retrieves the product details.

Go to Postman and retrieve all the products by doing a get on http://localhost:3000/api/products. In the response, you might notice id 10, 11, and 12 are missing so that should be the deleted products.

Add the missing products into the basket by doing a POST request to http://localhost:3000/api/BasketItems with the below payload

{"ProductId":10,"BasketId":"2","quantity":1}. You can get all these details from the network tab when you add an available product into the basket.

Now go to the application’s shopping basket and to your surprise, you will see the Christmas Super surprise Box 2014 Edition in the basket.

Checkout all the products in the basket to complete the challenge!

Tim Gill

Challenge: 2FA

One of the challenges I am most proud of solving is the 2FA challenge.

Firstly I set up an account, then set up 2FA on my LastPass authenticator. I then did some quick research on how it works. You get a secret token call a "Time-based One-time Password" (TOTP) which gets fed into an algorithm, this algorithm factors in the current time and gives a different number 6 digit number every 30 seconds. I then figured out that there is a user field called "totpSecret" which gets listed on the GET /rest/memories/ endpoint.

I was then able to get my token and put this into a 2FA code generator website and it gave me the same numbers as my LastPass Authenticator. All I had to do now was figure out how to get the totpSecret for wurstbrot. This was easier said than done because I hadn’t figured out how to get all the data via injection, wurstbrot has no data on the GET /rest/memories/ endpoint and of course, I can’t do my injection login technique because the 2FA stops me.

What I could do though was add extra conditions to the login injection, so rather than just setting the username to wurstbrot@juice-sh.op'-- I added an extra part to get the first letter of the secret wurstbrot@juice-sh.op' AND totpSecret like 'a%'--. It wasn’t “a” so I needed to try all the other characters. This would be hard work manually, so I put it into the Intruder in Burp Suite which is its brute-forcing tool.

Intruder returned all statuses of 401, but one of them had a different response length to the others because it wanted a 2FA code rather than being an incorrect username / password, so I knew this was the first character. I then put this character in the request just in front of the part where the intruder tool loops through, then kept repeating this process. Eventually, I got no result with a different length so I know I had all the characters of the totpSecret. All that was left to do was feed this code into the 2FA generator website to get the code, and put the code into Juice Shop!

Craig Sefton

Challenge: Logging in as the Support Team

The challenge that really taught me a lot was logging in as the support team. It took a lot of time and failed attempts to achieve.

The first step required knowledge of the website and knowing that there is a section of the site that allows you to download files.

Once discovered, you would then need to learn that a specific file, incident-support.kdbx, did not have its file extension blocked by the server for download. If you didn't know what a .kdbx file was (fortunately, I did), a quick Google would have revealed that it belongs to KeePass, which is a password manager.

Installing KeyPass and attempting to open the file brings up a prompt to enter a password or a key file, or both.

The easiest thing to do at this point would be to try a password cracker with a dictionary. For example, you can use keepass2john, which is a utility to extract password hashes from .kdbx files, which in turn allows you to take that hash and attempt to crack it. There are many tools out there that allow this, one of the best being hashcat.

Now, I did do this, but I did it later in desperation, which I'll get to. What I suspected, however, was that the .kdbx file was encrypted using a key file. The reason for this is because I'd downloaded the individual Javascript files from the website (from the HTML source code), and discovered something very interesting. Embedded in the code was this snippet:

this.error && this.user.email && this.user.email.match(/support@.*/) && console.log("@echipa de suport: Secretul nostru comun este \xeenc\u0103 Caoimhe cu parola de master gol!")

Sure enough, if you turn on logging for the website using your browser's developer tools and attempt to login using the support@juice-sh.op email, a console log appears with the above message.

A few seconds of Googling was enough to discover that the message was written in Romanian, and it translated as:

@support team: Our common secret is still Caoimhe with the empty master password!

I kinda guessed, then, that the .kdbx file didn't have a master password, and rather used a key file. At first, I thought maybe the key file was a simple text file with Caoimhe as the contents. This didn't work. Try as I might, I could not get anything to work. This is where, in desperation, I attempted to use hashcat to crack the password, but it was pointless, as I suspected.

It was then that I decided to Google "Caoimhe". Google came up with this:

Caoimhe. A fairly common feminine name in Ireland, Caoimhe is pronounced kee-va and comes from the Irish caomh, meaning dear or noble.

So, the key file, whatever it was, had something to do with an Irish woman. Now, I knew about KeePass, but not specifically about the key file itself. Reading about how KeePass used key files gave me a clue. It turns out that you can use arbitrary files for key files. This led me to the conclusion that there was some file being used, almost certainly on the website, that had to do with an Irish woman.

I eliminated the files in the FTP folder and began going around looking for all possible files I could find. Images seemed like a good place to start (plenty of online forums talked about using images for key files), so going from page to page, I basically downloaded every image I could find that had to do with a woman.

To cut a long story short, the carousel on the About Us page is where I finally found an image of a woman with bright orange hair.

Sure enough, downloading the image, and using this as the key file with no password gave me access to the .kdbx file, and I was able to login as the support user.

What's amazing in all of this, is that all I really did was gather information. At no point did I actually need to know what version of a system was in place, or what bugs there were. All I needed were pieces of information.

The truth is, no matter how difficult you may think it is for an attacker to piece information together, if the information can be discovered, it leaves you vulnerable. You need to remain secure for every attempt and every attacker, but an attacker only needs one successful attempt to be able to compromise your security. Every piece of information you expose provides an attacker with a clearer picture of what they need to do. Patching systems, keeping software up to date, and so on are all vitally important, but it means nothing if you don't protect your information.

Dan Mathews

Challenge: Reset Morty's Password

My favourite challenge in the Juice Shop was to reset Morty's password with his obfuscated answer to his security question. As a big fan of Rick and Morty I quickly validated that I'd correctly identified the reference by looking at the product reviews, which are often a little hint. I already had Morty's email from a previous challenge so his security question popped up when I started the 'forgot password' process - "Name of your favourite pet?"

I then wrote a script to list every permutation of 'snuffles' and 'snowball' (the names of Morty's pet dog) with lowercase, uppercase, and leet-speak replacement letters into a csv file, and call the reset-password endpoint using curl with each of the guesses. The script added the result back into the csv so that I could pause and restart the process without losing progress, and wrote full logs of the full API responses in case anything went wrong.

I quickly realised that there was rate limiting on the endpoint, and added a dynamic process into the script to slow its calling rate each time it was locked out, so that it settled on the optimal calling rate without input from me.

I let the process run overnight and woke up the next morning to the celebratory note in my terminal that it had found the answer! It was a very satisfying moment.

When discussing the challenge with colleagues, I realised that I could have randomised the IP passed in the X-Forwarded-For header to bypass the rate limiting. I had a lot of fun writing this script and the rate-limited brute force made the result even more satisfying, but of course, it's great to be aware of this additional element of the solution and to learn about IP randomisation as a result.

Razh Amin

Challenge: Ephemeral Accountant

For this challenge, I tried using burp to send back a 200 response but that didn't work.

Then I tried adding ' before the username, which caused an error in the response tab of the inspect tools, and from that, you could see a query:

SELECT * FROM Users WHERE email = '' acc0unt4nt@uice-sh.op' AND password = '098f6bcd4621d373cade4e832627b4f6' AND deletedAt IS NULL

Then using the database schema I created a union SQL and repeated in burp till I got as follows:

' UNION SELECT * FROM (SELECT 21 as 'id', '' as 'username', 'acc0unt4nt@juice-sh.op' as 'email', 'testPass' as 'password', 'accounting' as 'role','' as 'deluxeToken', '127.0.0.1' as 'lastLoginIp', 'default.svg' as 'profileImage', '' as 'totpSecret', 1 as 'isActive', '2021-06-05 11:04:10.111 +00:00' as 'createdAt', '2020-06-05 11:04:10.111 +00:00' as 'updatedAt', null as 'deletedAt')--

Finally, we got the authentication token:

{"authentication":{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MjEsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJhY2MwdW50NG50QGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiJ0ZXN0UGFzcyIsInJvbGUiOiJhY2NvdW50aW5nIiwiZGVsdXhlVG9rZW4iOiIiLCJsYXN0TG9naW5JcCI6IjEyNy4wLjAuMSIsInByb2ZpbGVJbWFnZSI6ImRlZmF1bHQuc3ZnIiwidG90cFNlY3JldCI6IiIsImlzQWN0aXZlIjp0cnVlLCJjcmVhdGVkQXQiOiIyMDIxLTA2LTA1IDExOjA0OjEwLjExMSArMDA6MDAiLCJ1cGRhdGVkQXQiOiIyMDIwLTA2LTA1IDExOjA0OjEwLjExMSArMDA6MDAiLCJkZWxldGVkQXQiOm51bGx9LCJpYXQiOjE2MjI4OTIzOTgsImV4cCI6MTYyMjkxMDM5OH0.mZjqeEuc2O_zaf-dsz5wpNP48i1v6QM36QI3WKDM5JMDJL5UymX-0XevqYeulxLIz22IDmkeRp18aydutRl8a2Ep19y8F9yvvbbC6-xieSizvJHq7dhOKEdMcetY6U8JABrlCDipyprShQ_W5LYm9npZ1iqU4IWK6pAmsgUD3FY","bid":6,"umail":"acc0unt4nt@juice-sh.op"}}

TESTIMONIALS

Sathya Senthilnathan
Massive thank you Chris for your efforts in organising the capture flag event. It was a great opportunity for me to learn new things on web security and get my hands dirty with some cool security tools like burp suite. I really enjoyed solving the challenges by exploring many things on web security. Especially thank you for your support in bringing back the website when I have accidentally deleted all the products from the juice shop and was completely stuck.

Tim Gill
I have really enjoyed Juice Shop. It's really fun and educational, plus the competitive element of it is really motivating.

Craig Sefton
The thing I found most interesting about the OWASP Juice Shop was what it taught me in general about security: all you need is someone with time and determination, and they can begin to acquire the knowledge they need to penetrate a system. Every piece of information gained about a system is like "leveling up": it allows you further access to further information. Coming into it, I would've thought that protecting your system from a technological perspective - upgrading software, patching vulnerabilities - was key. However, what I really came to appreciate was how equally important it was to try protect the information about your system, including the people who use it or build it.

Dan Mathews
The juice shop has been truly eye-opening. As a relative newcomer to the Engineering world I was only aware of a fraction of the avenues that an attacker has available to them, and yet I was able to explore this new world at my own pace by taking advantage of the introductory challenges to build my confidence, and then progressing to the more advanced challenges when I felt comfortable. The extended descriptions and hints online were also invaluable, and it was possible to navigate them without stumbling across any spoilers.
I must say that it's been an absolute pleasure to see Chris' longstanding passion for cyber security finally find expression at Eagle Eye. By choosing such an engaging format he has brought to life so many key concepts for keeping our company and our clients safe, and his technical implementation and encouragement in the challenge has been outstanding. I'm looking forward to the next project!

CONCLUDING REMARKS

Our Capture the Flag competition has been a great success. People soon became drawn in and found themselves hacking away late into the evening to capture those elusive flags.

Acting as hackers in this safe environment has given people a different but necessary perspective on Web Application Security – the perspective of the hacker – and this is far more insightful than any course or presentation could ever be.

Thinking like a hacker is not just a technical mindset, it delves into the psychology of everyday people to catch them off-guard. Security requires a vigilant mindset, and this Capture the Flag activity has created a buzz around the business, inspiring all sorts of conversations about security and has been an important bolt-on activity to all our formal security conventions we apply at Eagle Eye.

We will do more of this in the future and would encourage every software company to think about fun activities like this to create a security-conscious culture.

View full post