Abaga CTF 1/4 – ambakari

This post is part of the Ambaga CTF series, a challenge of four puzzles to solve, aka hack. The first challenge is the bakery ambakari. Let's get hacking 🧑‍💻

Welcome to ambakari

If you are wondering what this is all about check out my previous post on this CTF challenge.

This bakery makes some very exclusive pastries. Normal customers cannot see what they are, but Adminmann definitely can.

Recon

First we need to do a bit of recon, that is, gather information. Some people find this the most boring part of hacking, while others love it. I'm somewhere in between: I like going through it, but when I see something shiny I want to chase that rather than the recon, which often leaves me with messy notes, but I'm finding my rhythm.

  1. First we look at the challenge webpage, which gives us the user Testman Testmansson and the information for Adminmann Adminmannsson, that is, his kennitala (SSN).
  2. Second, we read the blog.
  3. Then we can look at the code and match known vulnerabilities against it (see the bottom of each challenge you open).
  4. Then, of course, we open up Burp Suite, which I can use to view and manipulate all the calls between my computer and the target. The tool is free to use, but some features are behind a paywall; we do not need them for this CTF.
    • Now we browse the target ambakari. There is not much to see, but there is a login page that many Icelanders will recognise. We can log in as the provided user Testman Testmansson and see there is a restricted section we want to peek at.

You can do this in any order, but it's important to note that sometimes the information is not just on the target itself, and we need to explore different angles to get valuable recon.

Spoiler Alert!

I've made the following collapsible so you don't see anything accidentally. If you plan to do the challenge, look away now and come back when you're done. Or, if you get stuck, you can always take a peek… I won't tell! 🙊

🕵️‍♀️ Recon results 🕵️‍♀️

We have some user information: we are given the user Testman Testmansson and the information for Adminmann Adminmannsson, that is, his kennitala (SSN).

We know this challenge focuses on SAML, so the vulnerability is there. Most likely it's one of the vulnerabilities they talk about on the blog.

We found a SAML token in the POST call when logging in, which we grabbed through Burp Suite. We know it's base64 encoded, as that is the standard, so we decode it. Here I ran into some problems: I could use tools in Burp Suite and online to decode, but when I tried to encode it again I would get a different result than the original. Basically I sent in ABC and got DEF, then sent in DEF expecting ABC and got XYZ. So I just made my own little Python scripts to do it for me.

Anyway, we can see the SAML token as an XML document. We see the message and then the signature. The message contains two things we find interesting: the name and the SSN.

So now let's explore what we know.

🔓 My Solutions🔓

So given the recon information, the first thing we could try is simply using Intruder or Repeater to send the login POST message with a new token we construct, which goes basically like this.

  1. Base64-decode the token
  2. Change the information in the token
  3. Base64-encode it again
  4. In Burp Suite, replace the token with ours and send it off using Repeater or Intruder.

Now the first thing we might try is simply changing the kennitala and name of the user and sending that off, right?

XML
...
<Attribute Name="UserSSN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Kennitala">
<AttributeValue xsi:type="xsd:string">9876543210</AttributeValue>
</Attribute>
<Attribute Name="Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Nafn">
<AttributeValue xsi:type="xsd:string">Adminmann Adminmannsson</AttributeValue>
</Attribute>
...

Well, that fails because the signature does not match the message…

The next thing we would do is look at what vulnerabilities we could use, and often the simple thing is a good start, so we try Signature Not Verified (SNV). Basically, remove the signature: no signature, nothing to check, right?

So we update the token once again, this time removing the signature, and submit that via Burp Suite Repeater or Intercept.
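Both attempts above (editing the attributes, then stripping the signature) come down to one relying-party mistake: the bakery reads the attributes before anyone checks that a signature exists and verifies. The following is an added Python example, not the challenge's code or the author's scripts, that puts a vulnerable login path next to a hardened one and runs the same decode/edit/encode and signature-stripping steps against both. It assumes Python 3.8+ (for xml.etree.ElementTree.canonicalize) and uses a simplified HMAC-based enveloped signature as a stand-in for real XML-DSig; the assertion, the key and every attribute value are constructed for the demo.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"saml": SAML_NS, "ds": DS_NS}
for prefix, uri in (("saml", SAML_NS), ("ds", DS_NS), ("xsi", XSI_NS)):
    ET.register_namespace(prefix, uri)

# Constructed sample assertion, modelled on the two attributes the post shows; values are made up.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    ID="_demo-assertion" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="UserSSN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Kennitala">
      <saml:AttributeValue xsi:type="xsd:string">0123456789</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Nafn">
      <saml:AttributeValue xsi:type="xsd:string">Testman Testmansson</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def decode_token(token_b64: str) -> str:
    """Step 1 of the post's procedure: the POST field is base64 of the XML document."""
    return base64.b64decode(token_b64).decode("utf-8")


def encode_token(xml_text: str) -> str:
    """Step 3: back to base64, as a byte-exact round trip."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def _canon(elem) -> bytes:
    """Canonical bytes of one element (C14N 2.0 from the stdlib; real SAML uses exclusive C14N 1.0)."""
    return ET.canonicalize(xml_data=ET.tostring(elem, encoding="unicode"), strip_text=True).encode("utf-8")


def _assertion_digest(assertion) -> bytes:
    """SHA-256 of the assertion with its own ds:Signature removed (the enveloped-signature transform)."""
    clean = copy.deepcopy(assertion)
    for sig in clean.findall("ds:Signature", NS):
        clean.remove(sig)
    return hashlib.sha256(_canon(clean)).digest()


def sign_assertion(assertion_xml: str, key: bytes) -> str:
    """Attach a simplified enveloped signature: digest of the assertion, HMAC-SHA256 over SignedInfo.
    Constructed stand-in for XML-DSig so the example runs offline; not any IdP's real code."""
    assertion = ET.fromstring(assertion_xml)
    digest = _assertion_digest(assertion)
    sig = ET.SubElement(assertion, f"{{{DS_NS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS_NS}}}SignedInfo")
    ref = ET.SubElement(signed_info, f"{{{DS_NS}}}Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(ref, f"{{{DS_NS}}}DigestValue").text = base64.b64encode(digest).decode("ascii")
    mac = hmac.new(key, _canon(signed_info), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS_NS}}}SignatureValue").text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(assertion, encoding="unicode")


def make_signed_token(assertion_xml: str, key: bytes) -> str:
    """What the IdP hands the browser: a signed assertion, base64-encoded for the POST form."""
    return encode_token(sign_assertion(assertion_xml, key))


def extract_attributes(assertion) -> dict:
    """Name -> value for every saml:Attribute (what the bakery uses to decide who you are)."""
    return {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
            for a in assertion.iterfind(".//saml:Attribute", NS)}


def vulnerable_login(token_b64: str) -> dict:
    """Relying-party logic with the SNV bug: attributes are trusted whether or not a signature is present."""
    return extract_attributes(ET.fromstring(decode_token(token_b64)))


def hardened_login(token_b64: str, key: bytes) -> dict:
    """Refuse the token unless exactly one signature is present, covers this assertion and verifies."""
    assertion = ET.fromstring(decode_token(token_b64))
    sigs = assertion.findall("ds:Signature", NS)
    if len(sigs) != 1:
        raise ValueError("assertion must carry exactly one signature")  # catches the stripped token
    signed_info = sigs[0].find("ds:SignedInfo", NS)
    ref = signed_info.find("ds:Reference", NS) if signed_info is not None else None
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("signature does not reference this assertion")
    mac = base64.b64decode(sigs[0].findtext("ds:SignatureValue", default="", namespaces=NS))
    if not hmac.compare_digest(mac, hmac.new(key, _canon(signed_info), hashlib.sha256).digest()):
        raise ValueError("SignatureValue does not verify")  # SignedInfo (and so the digest) was altered
    digest = base64.b64decode(ref.findtext("ds:DigestValue", default="", namespaces=NS))
    if not hmac.compare_digest(digest, _assertion_digest(assertion)):
        raise ValueError("DigestValue does not match the assertion")  # attributes edited after signing
    return extract_attributes(assertion)


def is_accepted(token_b64: str, key: bytes) -> bool:
    """True when hardened_login would let the token in."""
    try:
        hardened_login(token_b64, key)
        return True
    except ValueError:
        return False


def strip_signature(token_b64: str) -> str:
    """The post's SNV probe: the same assertion with ds:Signature removed, re-encoded."""
    assertion = ET.fromstring(decode_token(token_b64))
    for sig in assertion.findall("ds:Signature", NS):
        assertion.remove(sig)
    return encode_token(ET.tostring(assertion, encoding="unicode"))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # the IdP's signing secret in this toy scheme
    signed = make_signed_token(ASSERTION_TEMPLATE, key)
    print("signed token, hardened path:", hardened_login(signed, key))
    stripped = strip_signature(signed)
    print("stripped token, vulnerable path:", vulnerable_login(stripped))
    print("stripped token accepted by hardened path?", is_accepted(stripped, key))
```

Run it and the stripped token logs in through vulnerable_login but is refused by hardened_login, and so is a signed token whose Name attribute was edited after signing. In production the verification belongs to a maintained XML-DSig library (exclusive C14N, key pinned to the IdP's certificate, Reference URI tied to the assertion ID), but the ordering is the point: nothing from the assertion is trusted until a signature has been required and verified. One caveat on the round trip: in the HTTP-POST binding the SAMLResponse field is form-URL-encoded on top of the base64, so that layer has to be undone first and restored afterwards if the re-encoded token is to match byte for byte.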

We did it, we are in! 🎂 ⛳️ ✅
Just look at the scrumptious cake and our flag, which we can use to mark the challenge as completed. If you want to see it yourself, you will just have to do the challenge 😉