Intigriti - Spot the Vulnerability Challenges
Alexander Lataillade-Nguyen
Network Security Analyst | Network & System Admin | CSAP = CySA+ Security+ | Azure Solution Expert
Upon completing this challenge at Defcon 32, I received a challenge coin as a prize.
Here is the link that you can use to follow along: Spot the Vulnerability
Challenge #1
For this challenge, you need to understand a couple of things: client/server requests, Python, and a bit about how the web works.
Upon inspecting this challenge, we can see it has to do with MFA.
Now, as someone who is new to this kind of exposure, I would jump straight in and say it is an MFA vulnerability. Although that is correct, there is a bit more to it. One of the members at the con asked me to explain how the vulnerability works, so I will do my best to recall this.
In order to get the flag, we need to look at the function. We can see that the session id is taken from the cookie. One step down, we can see that if the session id and the user id are both true (set) AND enforce_mfa in the session is false, we will get the flag. Now we go to how the login works.
We can see that the username and password are the default credentials admin:admin. When you log in, the code authenticates the sid and sets enforce_mfa to true. Then it redirects to a different path, either /mfa or /account. I would like to say beforehand that I am still new to this and trying to understand it in my own way. It may not be an entirely correct approach, but bear with me. I am sure there is an easier thought process for this challenge.
Ignoring the redirection, we scroll all the way down to the function def auth(sid).
So first, the user needs to log in as admin, mfa must be true, and enforce_mfa must be false.
So we can see the user id is being stored in the session, and the code sets enforce_mfa to false in the /mfa route. But by the look of it, the code then sets enforce_mfa back to true. So how do we go about stopping that?
So what happens when you add a breakpoint between the sessions[sid]['code'] assignment and the sessions[sid]['enforce_mfa'] assignment?
Well, it is possible to interrupt the flow of the code, and the web app will respond and let us in, as it may take too long to complete the sessions[sid]['enforce_mfa'] assignment. However, that may not be enough. So what we need to do is send a ton of request packets to the server as admin, so that some of them log in and hit the window before enforce_mfa is set back to true, bypassing enforce_mfa.
In Burp Suite, you can use Repeater to craft a single request and do the same thing. With this we make sure the session and user are true AND enforce_mfa = false, which gets us our flag.
Note: I had a bit of a hard time with this challenge, so if there is some inconsistency, please let me know, along with the best way to approach this in a different manner. I would greatly appreciate it; I want to learn and get better at looking at vulnerabilities.
Challenge #2
I feel this challenge is a bit easier, as I have done a CTF with JWT tokens in the past. That got me thinking about which vulnerability would give me the flag. Ignore the login part, as that is probably going to throw you off. Just know you have to log in as admin. By manipulating the JWT we can log in. However, we need to look at these two functions.
First things first, RS256 is an asymmetric algorithm that uses a public/private key pair: the identity provider has a private (secret) key used to generate the signature. I had to look it up, as I don't think I had seen RS256 before. Essentially, to alter the JWT we need to sign it, but we don't have the private key. I do know HS256. What if we alter the token to be signed with HS256?
I believe HS256 only needs one secret key, shared between the two parties. By doing so it meets the requirement above, which gets us in.
However, there is an unintended method, which I discussed with one of the Intigriti staff members. He told me that he didn't realize it until later on. There is another algorithm that you can use that works. Can you guess what it is? If you said the algorithm is None, you are correct.
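As an added example (not code from the challenge or from Intigriti), here is a minimal JWT verifier in Python that reproduces the bug behind both solutions to this challenge, beside a hardened version that pins the algorithm server-side so neither HS256 nor none is ever honoured. The public key PEM is a constructed placeholder, since the real one is not on the page, and the hardened verifier takes the RSA check as an injected function because an RSA library is out of scope for an offline demo. In the HS256 case the confusion works because the only key the server holds is its RSA public key, which then gets used as the HMAC secret.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional

# Constructed stand-in for the server's RSA public key PEM (the real key is not on the page).
# It is public material, which is the whole problem: anyone who can fetch it can HMAC with it.
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-EXAMPLE-KEY\n-----END PUBLIC KEY-----\n"
EXPECTED_ALG = "RS256"  # the algorithm the server actually issues tokens with


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, alg: str, key: bytes = b"") -> str:
    """Build test tokens: HMAC-signed for HS256, empty signature for none (or an RS256 stand-in)."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{b64url(sig)}"


def verify_vulnerable(token: str) -> Optional[dict]:
    """Lets the token's own alg header choose the scheme: the bug behind both solutions."""
    header_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(unb64url(header_b64)).get("alg")
    signing_input = f"{header_b64}.{body_b64}".encode()
    if alg == "none":
        return json.loads(unb64url(body_b64))  # unsigned token accepted as-is
    if alg == "HS256":
        # The only key the verifier holds is the RSA public key, so it becomes the HMAC secret.
        expected = hmac.new(PUBLIC_KEY_PEM, signing_input, hashlib.sha256).digest()
        return json.loads(unb64url(body_b64)) if hmac.compare_digest(expected, unb64url(sig_b64)) else None
    return None  # real RS256 verification needs an RSA library; omitted from this offline demo


def verify_hardened(token: str, rs256_verify: Callable[[bytes, bytes], bool]) -> Optional[dict]:
    """Pins the algorithm server-side; rs256_verify(signing_input, signature) is the injected RSA check."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(unb64url(header_b64)).get("alg") != EXPECTED_ALG:
        return None  # HS256 and none are refused before any key material is touched
    signing_input = f"{header_b64}.{body_b64}".encode()
    return json.loads(unb64url(body_b64)) if rs256_verify(signing_input, unb64url(sig_b64)) else None
```

The same pinning applies when using a JWT library: pass the single expected algorithm to the decode call and never derive it from the token header.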
Summary:
Overall I had fun, I learned a lot, and it got me thinking a bit more about how to look at web vulnerabilities. It showed me my weak points. I will continue to improve my mindset for looking at things, and get better at interpreting and explaining them. I hope this proves helpful to those reading this.
Please feel free to provide criticism on ways I can improve and perhaps how I should go about this in a better way. I am always striving to grow.