SecurityFirst Competition v2.1

Competition Information
  Background
  Objectives
  Rules
Reference
  Users
  Goals
Walkthrough
  Foreword
  Section 1: Gaining Access to the Database
  Section 2: Logging In As a Customer
  Section 3: Stealing the Money
  Section 4: Leaving a Mark
Competition Information
Background
This competition is a reincarnation of previous efforts at UNCC to provide students with an
engaging, hands-on test of their knowledge. An older project, CyberWars, was used for years as a
final project in Vulnerability Assessment and System Assurance to test students’ knowledge of
network and operating system security. However, when the decision was made to split the
course into two separate classes, one of which focuses specifically on web-based vulnerabilities,
a replacement competition was needed. The initial iteration of SecurityFirst was too simple and
unrealistic, so inspiration was drawn from UCSB’s annual International CTF competition in 2008.
Using those design ideas as a starting point, construction of this version of SecurityFirst began.
Objectives
The overarching objective presented to contestants of this competition is to be the first to log in
as a financial manager and transfer funds between the two specified accounts. In order to do
this, contestants must find and exploit various web-based vulnerabilities as they work toward
their ultimate goal. As a secondary objective, each vulnerability discovered and successfully
exploited earns them points.
By default, the accounts for the transfer are listed below. The amount transferred is unimportant
and any number will be fine as the transfer is only simulated.
Source account: 109762820
Destination account: 110806729
During the competition you may need to crack MD5-hashed passwords you find. A script,
md5crack, has been provided for attempting to brute-force MD5 password hashes. Simply
enter "md5crack" in a terminal to see the help guide with examples. Because brute-forcing can be
a long and time-consuming process, the following hints are given:
1. One of the users has a weak password that is no longer than 3 characters.
2. His or her password contains lowercase letters.
Use these hints when running md5crack. Remember, cracking a password isn't the only way into
an account. Good luck!
Rules
1. The scope of the competition is discovering and exploiting web-based vulnerabilities of the
SecurityFirst web application. Contestants are urged to use the phpMyAdmin and
SquirrelMail web applications where applicable, but attacking these is against the rules.
2. Outside the use of the provided password cracking tool, brute-force tools or methods are
forbidden. Running scripts to attempt to log into any services will be considered an
attempted denial of service attack and the contestant will be penalized or disqualified.
3. The competition application is designed for use with multiple concurrent users and should
not allow cross-contestant attacking. However, directly attacking other contestants by
means outside of the web application is prohibited.
4. Periodically, judges may ask you to demonstrate a vulnerability that you previously
exploited. This is not social engineering; this is normal.
5. Developing exercises like this one is very time consuming and many times the same
competition is used multiple semesters, so please do not disclose vulnerabilities or hints to
others.
Reference
SecurityFirst Users

Username  Password  Name           E-mail Address            Secret   Role
tdunlin   G7qD3!Lv  Thomas Dunlin  tdunlin@fakemail.com      Grant    Customer
khill     1cDz@oni  Kaitlin Hill   khill@fakemail.com        Craig    Customer
smaslov   Ix0nW!Nr  Sonya Maslov   smaslov@fakemail.com      Panin    Customer
fsmith    red       Frank Smith    fsmith@securityfirst.com  Dunn     Site Admin
xwang     y@k6cQtj  Xu Wang        xwang@securityfirst.com   Zheng    Site Admin
rscott    H9c!pJ6b  Roger Scott    rscott@securityfirst.com  Heifner  Financial Manager

MySQL Users

Username       Password
login_manager  23sk!d0o
competition    H4v3fo0n
root           Sunr!se49ers

System/Email Users

Username  Password
hacker    1234
sfadmin   Sunr!se49ers
Goals

ID   Location                                       Type                                    Points
100  /site/login.jsp                                Source Code Disclosure                  10
101  /site/login.jsp                                SQL Injection                           25
102  /site/login.jsp                                Insecure Authentication                 30
103  /site/login.jsp                                Cross-Site Scripting                    45
110  /site/faq.jsp                                  Source Code Disclosure                  10
111  /site/faq.jsp                                  Directory Traversal via Filter Evasion  25
112  /site/faq.jsp                                  Filter Evasion                          20
113  /site/faq.jsp                                  Denial of Service                       60
120  Database                                       Insecure Cryptographic Storage          25
200  /customers/editcomment.jsp                     Request Variable Manipulation           15
201  /customers/editcomment.jsp                     Cross-Site Scripting                    10
300  /secure/siteadmin/index.jsp                    Weak Password Hash Cracking             30
310  /secure/siteadmin/active_users.jsp             Session Hijacking                       35
400  /secure/financial_manager/transfer_funds.jsp   Weak Password Management Policy         75
                                                                                   Total: 415
100
By removing one or both of the POST request variables (“username” and “password”), an unhandled exception is thrown. The result of this NullPointerException is the displaying of a small
portion of the relevant page code via a standard Tomcat 500 Error page. The benefit of the
displayed code is to learn the location of the include file that contains the database connection
credential information. This should be used in conjunction with Goals 111 and 112.
101
This is a simple SQL Injection vulnerability that allows a user to enter a basic login-bypass SQL
injection (e.g. ' OR 'a'='a) in order to log in as a user. More advanced injections will allow the user
to attempt to log in as a specific user and not just the first in the database. This will only allow
access to a customer’s account and not to a higher-privileged account (admins and managers must
log in through /secure/login.jsp).
102
Because the login page simply hashes the password without any salting before sending it to the
server, a password hash found in the database could be replayed with a tool like Tamper Data
that modifies POST request variables after the form submit takes place. This requires successfully
gaining access to the MySQL database. If real victim users were using this web application on
your network, it would be possible to obtain a hash by packet sniffing their login attempts.
103
Upon failing to correctly log in on the login page, users are informed that their activity has been
logged. This log is viewed by site admins at /secure/siteadmin/logviewer.jsp. The log entries for
failed log-ins contain the username of the attempted log-in, and because these are neither
filtered nor encoded upon entering the server or being displayed on the log viewer page, this
allows for an XSS or XSRF injection point.
110
By removing the “topic” URL variable, an unhandled exception is thrown. The result of this
NullPointerException is the displaying of a small portion of the relevant page code via a standard
Tomcat 500 Error page. The benefit of the displayed code is to learn the input filtering code to
more easily find a way to evade it. This should be used in conjunction with Goals 111 and 112.
111
The “topic” URL variable’s value is filtered to replace any instance of “../” with a blank string to
prevent directory traversal. Because this process is not recursive, by using “....//” the filter will
remove the inner-most “../” and leave the remaining “../” intact. This should be used in
conjunction with Goal 112.
112
The “topic” URL variable’s value is appended with “.html”. By placing a question mark at the end
of the original variable’s value, the appended “.html” appears to be part of the query portion of
the included URL (e.g. “index.jsp?” becomes “index.jsp?.html”).
113
By instructing the FAQ page to include itself, an infinite loop occurs as the server tries to
continuously nest pages. This causes a denial of service and with multiple threads started on this
process, the server will crash quickly.
120
The “users” table in the MySQL database stores the secret (mother’s maiden name) in Base64
format. This is used to verify that the forgotten password restoration request is coming from the
account owner. Because Base64 is just an encoding method and not encryption or hashing, any
user with access to the MySQL database can decode the secrets easily and is able to reset the
password and have the new one sent to the owner’s e-mail. This alone will not allow access to
the account since contestants do not have access to the account owners’ e-mail inboxes.
200
By modifying the “id” variable when attempting to edit a comment for a transaction, a user is able
to post the comment for any transaction. Essentially, the “id” variable is not checked to verify
that the user actually owns the transaction it is associated with.
201
The transaction comments are neither filtered nor encoded upon entering into the server or being
displayed on the transaction page. This allows for an easy XSS or XSRF injection point.
300
The only method of initially gaining access to the /secure/siteadmin/ area of the site is by logging in
through /secure/login.jsp with correct site admin credentials. In order to do this, one needs the
username and password. The username is easily obtainable after the contestant has gained access
to the MySQL database, but the password hash must be cracked. The contestant must run the
password hashes through a password cracking tool or an online rainbow table.
310
The active_users.jsp page shows a list of all active sessions, including username, e-mail address,
role, and last activity time. Session IDs are shown as well, but are censored for contestants to
prevent cross-contestant hacking and cheating. One user, “rscott”, a financial manager, is hardcoded
to always have an active session. By modifying their session cookie to the session ID listed for
rscott, contestants can gain access to the financial manager’s already logged-in account.
400
There is technically no vulnerability on this page, but in order to successfully transfer funds, the
manager account’s password must be re-entered and thus known by the contestant. To gather
this information, contestants must first gain access to the manager’s account using Goal 310,
change the e-mail address to their own, log out, and then use the “forgot my password” feature
(Goal 120).
Walkthrough
Foreword
This guide assumes that you are using the SecurityFirst distributed VM and have made no
modifications to any part of the system. This includes web applications, databases, and client
configurations. Because the scores and database system are persistent through reboot, it is
preferable to make a “clean” copy or snapshot of the VM before beginning to work on the
exercises.
To get started, log into the operating system with the username “hacker” and password “1234”.
Once logged in, open Firefox and navigate to the SecurityFirst website using the provided
bookmark. If prompted, enter your name to track your score.
Section 1: Gaining Access to the Database
Goal 100: Source Code Disclosure #1
1. Log out if you are already logged in as a user.
2. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’.
3. Open the Tamper Data extension for Firefox and click ‘Start Tamper’.
4. In the login form on the page, type a few letters or numbers into both the username and
password field and click ‘Submit’.
5. Tamper Data should pop up and ask you what action you would like to take. Uncheck
‘Continue Tampering’ and click the button labelled ‘Tamper’.
6. On the right side of the following window, right-click on either the username or password
element and select ‘Delete Element’.
7. Click the ‘Ok’ button at the bottom of the window to submit the tampered request. This
should display a Tomcat error page with a portion of the JSP page’s code shown.
8. Note the include statement for file “includes/database_info.jspf”.
Goal 110: Source Code Disclosure #2
1. Navigate to ‘/site/faq.jsp’ by clicking the “Frequently Asked Questions” link on the left
side of the page.
2. Modify the URL in the address bar so there is no longer a parameter named “topic”.
3. Press Enter after modifying the URL to request the new page. This should display a
Tomcat error page with a portion of the JSP page’s code shown.
4. Note the String replace function that removes any occurrence of “../” from the “topic”
parameter.
Goal 111 and 112: Local File Inclusion via Filter Evasion
1. Navigate to ‘/site/faq.jsp’ by clicking the “Frequently Asked Questions” link on the left
side of the page.
2. Modify the URL in the address bar so the “topic” parameter is set to:
....//index.jsp. The URL should be: faq.jsp?topic=....//index.jsp
3. Press Enter after modifying the URL to request the new page. This should display an
error message stating that “/site/index.jsp.html” could not be found.
4. Modify the URL in the address bar so the “topic” parameter is set to:
....//index.jsp?. The URL should be: faq.jsp?topic=....//index.jsp?
5. Press Enter after modifying the URL to request the new page. This should display the
index page nested inside of the FAQ page.
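The “topic” handling behind Goals 111 and 112, as exercised in the steps above, modelled in Python as an added example (not the competition’s own JSP code). It assumes the FAQ topic files live under /site/faq/ and that the include treats anything after a “?” as a query string; the single-pass filter is shown beside a canonicalize-and-check resolver and an allowlist.

```python
import posixpath
from typing import Optional

# Assumed layout: topic files under /site/faq/, so one "../" reaches /site/.
TOPIC_DIR = "/site/faq"
# Constructed allowlist of topic names (the real FAQ topics are not on the page).
ALLOWED_TOPICS = {"accounts", "transfers", "contact"}


def vulnerable_include_target(topic: str) -> str:
    """Models the original page: strip '../' once, append '.html', include.

    Text after a '?' is treated as a query string by the include, which is
    why the appended '.html' drops out of the file path (Goal 112).
    """
    cleaned = topic.replace("../", "")          # single pass: "....//" -> "../"
    url = cleaned + ".html"
    path, _sep, _query = url.partition("?")     # ".html" lands in the query
    return posixpath.normpath(posixpath.join(TOPIC_DIR, path))


def escapes_topic_dir(resolved: str) -> bool:
    """True when a resolved include path has left TOPIC_DIR (also catches
    absolute paths, which posixpath.join lets replace the base directory)."""
    return not resolved.startswith(TOPIC_DIR + "/")


def hardened_include_target(topic: str) -> Optional[str]:
    """Generic fix: refuse query/NUL tricks, canonicalize, then verify the
    result is still a .html file inside TOPIC_DIR. Returns None to reject."""
    if "?" in topic or "\x00" in topic:
        return None
    resolved = posixpath.normpath(posixpath.join(TOPIC_DIR, topic + ".html"))
    if escapes_topic_dir(resolved) or not resolved.endswith(".html"):
        return None
    return resolved


def allowlisted_include_target(topic: str) -> Optional[str]:
    """Preferred fix: the parameter selects a name, never a path."""
    if topic not in ALLOWED_TOPICS:
        return None
    return posixpath.join(TOPIC_DIR, topic + ".html")


if __name__ == "__main__":
    for t in ["../index.jsp", "....//index.jsp", "....//index.jsp?",
              "....//includes/database_info.jspf?"]:
        print(f"{t!r:40} -> {vulnerable_include_target(t)}"
              f"  | hardened: {hardened_include_target(t)}")
```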
Putting It All Together
1. Navigate to ‘/site/faq.jsp’ by clicking the “Frequently Asked Questions” link on the left
side of the page.
2. Modify the URL in the address bar so the “topic” parameter is set to:
....//includes/database_info.jspf?
3. Press Enter after modifying the URL to request the new page. This should display the
contents of the database include file.
4. Note the database username and password.
5. Using the Firefox bookmark, navigate to phpMyAdmin
(http://securityfirst.com/phpmyadmin/)
6. Log in with the username and password you just discovered.
Section 2: Logging In As a Customer
Goal 101: SQL Injection
1. Log out if you are already logged in as a user.
2. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’.
3. Open the Tamper Data extension for Firefox and click ‘Start Tamper’.
4. In the login form on the page, type a few letters or numbers into both the username and
password field and click ‘Submit’.
5. Tamper Data should pop up and ask you what action you would like to take. Uncheck
‘Continue Tampering’ and click the button labelled ‘Tamper’.
6. On the right side of the following window, change the contents of the ‘password’ textbox
from the MD5 hash to the following: ' OR 'a'='a
7. Click the ‘Ok’ button at the bottom of the window to submit the tampered request. This
should log you into the first user in the database, Thomas Dunlin.
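An added example for Goal 101 (not code from the competition): an in-memory SQLite stand-in for the users table, constructed from this page’s customer accounts and stored as unsalted MD5 as the application does, with the concatenated query the login page is assumed to build beside its parameterized replacement.

```python
import hashlib
import sqlite3

# Constructed rows: customer accounts from this page's reference table.
CUSTOMERS = [("tdunlin", "G7qD3!Lv"), ("khill", "1cDz@oni"), ("smaslov", "Ix0nW!Nr")]


def md5_hex(text: str) -> str:
    """What the login form computes in the browser before submitting."""
    return hashlib.md5(text.encode()).hexdigest()


def make_users_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [(u, md5_hex(p)) for u, p in CUSTOMERS])
    return con


def vulnerable_login(con: sqlite3.Connection, username: str, password_hash: str):
    """Assumed shape of the original query: values concatenated into the SQL.
    Returns the username of the first matching row, or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password_hash + "' ORDER BY id")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(con: sqlite3.Connection, username: str, password_hash: str):
    """Same query with bound parameters: input can only ever be a value."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY id",
        (username, password_hash)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_users_db()
    payload = "' OR 'a'='a"   # the value the walkthrough places in the password field
    print("vulnerable:", vulnerable_login(db, "abc", payload))   # first row: tdunlin
    print("parameterized:", safe_login(db, "abc", payload))       # None
```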
Goal 102: MD5 Hash Replay
1. Log in to phpMyAdmin using the method at the end of Section 1.
2. On the left menu, choose the SecurityFirst database, followed by the ‘users’ table.
3. Select “Browse” from the list of tabs at the top of the page.
4. Note the list of users displayed below, along with their password hashes and other
information. Pick one of the users with a “role” of 0, and copy their password hash to
your clipboard.
5. Return to the SecurityFirst web application or open it in a new window or tab.
6. Log out if you are already logged in as a user.
7. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’.
8. Open the Tamper Data extension for Firefox and click ‘Start Tamper’.
9. In the login form on the page, type a few letters or numbers into both the username and
password field and click ‘Submit’.
10. Tamper Data should pop up and ask you what action you would like to take. Uncheck
‘Continue Tampering’ and click the button labelled ‘Tamper’.
11. On the right side of the following window, change the contents of the ‘username’ textbox
to the username of the chosen user account from the MySQL database in step 4. Also
change the ‘password’ textbox to the password hash of the chosen user account. If you
copied this data to your clipboard you can simply paste it.
12. Click the ‘Ok’ button at the bottom of the window to submit the tampered request. This
should log you into the customer account you chose.
Section 3: Stealing the Money
Goal 300: Weak Password Hash Cracking
1. Log in to phpMyAdmin using the method at the end of Section 1.
2. On the left menu, choose the SecurityFirst database, followed by the users table.
3. Select “Browse” from the list of tabs at the top of the page.
4. Note the list of users displayed below, along with their password hashes and other
information. Copy the password hash of “Frank Smith” to your clipboard.
5. Open a terminal and type the following (replace with the hash in your clipboard
by right-clicking on the window and pasting): md5crack a 1 3
6. Press enter to begin the cracking process.
7. When the password is found, go back to the SecurityFirst login page and log out if
needed. Log in as “fsmith” using the password. After you are redirected to the secure
page, do the same again.
Goal 310: Session Hijacking
1. Navigate to ‘/secure/siteadmin/active_users.jsp’ by clicking the “Site Administrative
Panel” button at the bottom-right of the page, followed by the “Active Sessions” link.
2. Copy the Session ID of “rscott” to the clipboard.
3. On the Firefox toolbar, select Tools, followed by Cookie Editor.
4. Find and select the JSESSIONID cookie for the host “securityfirst.com”. Click the “Edit”
button to modify the cookie.
5. Remove the contents of the “Content” text box and paste the Session ID you copied into
the box. Click “Save”.
6. Close the Cookie Editor window.
7. Refresh the current page or navigate to another.
8. Note that you are now user “rscott”.
Goal 120: Insecure Cryptographic Storage
1. As user “rscott”, click “Change E-mail Address” on the right-side menu.
2. Enter “hacker@hacker.com”. Click “Submit” to change the email address.
3. Click the “Logout” button on the right-side menu.
4. Log in to phpMyAdmin using the method at the end of Section 1.
5. On the left menu, choose the SecurityFirst database, followed by the users table.
6. Select “Browse” from the list of tabs at the top of the page.
7. Note the list of users displayed below, along with their password hashes and other
information. Copy the Base64 encoded secret of “Roger Scott” to your clipboard.
8. Press F9 on your keyboard to open the HackBar extension in Firefox. Click the “Encoding”
menu button, followed by the “Base64 Decode” item.
9. In the window that appears, remove “String to use” from the textbox and paste the
Base64 encoded secret you copied previously. Click the “Ok” button.
10. The resulting string is placed in the HackBar textarea. Select and copy it to the clipboard.
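An added example covering Goals 102 and 120 together (not the competition’s code): why a Base64 secret and an unsalted, client-side MD5 password are both usable credentials to anyone who reads the users table, and what server-side salted hashing changes. The rscott password and secret are taken from this page’s reference table; the Base64 string is constructed from them.

```python
import base64
import hashlib
import hmac
import os


def client_side_md5(password: str) -> str:
    """The login page hashes in the browser and submits the hex digest."""
    return hashlib.md5(password.encode()).hexdigest()


def verify_md5_login(stored_hash: str, submitted_hash: str) -> bool:
    """Original scheme: a copy of the stored value IS the credential, so any
    hash read from the table (Goal 102) can be replayed via Tamper Data."""
    return hmac.compare_digest(stored_hash, submitted_hash)


def encode_secret(secret: str) -> str:
    """How the app stores the mother's-maiden-name secret: plain Base64."""
    return base64.b64encode(secret.encode()).decode()


def decode_secret(stored_secret: str) -> str:
    """Base64 is encoding, not encryption: database access reverses it (Goal 120)."""
    return base64.b64decode(stored_secret).decode()


# Hardened storage: the server derives a salted PBKDF2 value from the
# plaintext (sent over TLS). The stored record never equals what the user
# submits, so reading the table yields nothing that can be replayed, and the
# same treatment works for the secret: verifiable, but not recoverable.
PBKDF2_ROUNDS = 200_000


def make_record(plaintext: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_record(record: str, submitted: str) -> bool:
    salt_hex, dk_hex = record.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", submitted.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def can_replay_record(record: str) -> bool:
    """Does pasting the stored record into the password field log in?"""
    return verify_record(record, record)


if __name__ == "__main__":
    stored = client_side_md5("H9c!pJ6b")              # rscott's row as read from the table
    print("replay of stored md5 accepted:", verify_md5_login(stored, stored))
    print("secret recovered:", decode_secret(encode_secret("Heifner")))
    rec = make_record("H9c!pJ6b")
    print("hardened, real password:", verify_record(rec, "H9c!pJ6b"))
    print("hardened, replayed record:", can_replay_record(rec))
```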
Goal 400: Weak Password Management Policy
1. Return to the SecurityFirst web application and navigate to ‘/site/index.jsp’. Ensure you
are logged out.
2. Under the login form on the right-hand side of the page, click the “here” link.
3. In the form provided, enter “rscott” in the username textbox and paste the decoded
secret into the “Mother’s maiden name” textbox.
4. Click “Submit”. A message should appear, informing you that a password reset mail has
been sent to the account owner’s e-mail address.
5. Using the Firefox bookmark, navigate to SquirrelMail (http://hacker.com/mail/)
6. Log in with “hacker” as the username and “1234” as the password.
7. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’. Enter the username as “rscott” and
paste the password you received into the password textbox. After you are redirected to
the secure page, do the same again.
8. Navigate to ‘/secure/financial_manager/transfer_funds.jsp’ by clicking the “Financial
Manager’s Panel” button at the bottom-right of the page, followed by the “Transfer
Funds” link.
9. Enter “109762820” and “110806729” into the source account and destination account
textboxes respectively. Enter any positive number into the amount textbox, 500.00 for
example. Paste the password for “rscott” into the password box. Click the “Submit”
button to transfer the funds.
Section 4: Leaving a Mark
Goal 201: Cross-Site Scripting
1. Log in as a customer-role user using a method from Section 2.
2. Navigate to ‘/customer/editcomment.jsp’ by clicking the ‘View Recent Transactions’
button, followed by the ‘details’ link for one of the transactions, and finally the ‘edit
comment’ link.
3. In the textbox on the page, enter alert("hi") and click
‘Submit’.
4. When the transaction page loads, you should see an alert box appear.
Goal 200: Request Variable Manipulation
1. Log in as a customer-role user using a method from Section 2.
2. Navigate to ‘/customer/editcomment.jsp’ by clicking the ‘View Transactions’ button,
followed by the ‘details’ link for one of the transactions, and finally the ‘edit comment’
link.
3. On the very bottom-right edge of the Firefox window, click the icon that resembles a bug
to open the FireBug pane.
4. Click the “Inspect” button at the top of the FireBug pane. With the Inspecting option
toggled on, click the comment textbox on the page.
5. Find the following line in the FireBug pane (the number may be different).
6. Click on the “?id=1” portion of the textarea. In the mini-textbox that opens, change the
number to another number (higher than 4). Press “Enter” to close the mini-textbox.
7. Click the FireBug icon on the bottom-right of Firefox to close the window pane.
8. Click the “Submit” button on the page.
Goal 103: Log Poisoning
1. Log out if you are already logged in as a user.
2. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’.
3. In the login form on the page, enter alert("hi") into the
username field and click ‘Submit’.
4. Click the ‘Ok’ button at the bottom of the window to submit the tampered request.
5. If this is your first time scoring this goal, enter ‘/secure/siteadmin/logviewer.jsp’ (no
quotes) in the goal score page to answer the question correctly. Submit the form.
6. Log in as a siteadmin-role user using the password discovered for Goal 300 in Section 3.
7. Navigate to ‘/secure/siteadmin/logviewer.jsp’.
8. When the transaction page loads, you should see an alert box appear.
Goal 113: Crashing the Web Server
1. Navigate to ‘/site/faq.jsp’ by clicking the “Frequently Asked Questions” link on the left
side of the page.
2. Modify the URL in the address bar so the “topic” parameter is set to:
....//faq.jsp? The URL should be: faq.jsp?topic=....//faq.jsp?
3. Press Enter after modifying the URL to request the new page. This should display three
nested FAQ pages.
4. Note that if this were unchecked, the server would continue processing this until it ran out
of memory and crashed.