(web) LEENODE [250]

Description

http://203.66.57.98/

Hint

(none)

Solution

WriteUps

  • https://github.com/ctfs/write-ups/tree/master/hitcon-ctf-2014/leenode

My Notes

  1. When failing a login, you are presented a page that says Apache/2.0.65 (Unix) JRun/4.0 Server.

  2. When looking for JRun vulnerabilities, there are things like CVE-2004-0928.

  3. The vulnerability says that you should be able to access a page like http://203.66.57.98/a;.jsp in order to see the jsp source, but you can tell this error page is handled by apache.

  4. However, you can use a double escaping trick. http://203.66.57.98/a%253b.jsp

  5. Apache blocks attempts to read .htaccess.

  6. JRun apparently accepts ’' as a slash operator, so we can use a url like the following to read .htaccess and .htpasswd:

http://203.66.57.98/.%5Cadmin%5C.htaccess%253b.jsp

Apparently Apache hands this off to JRun because it ends with .jsp, and JRun is fooled by the ’'. This lets you read the .htaccess and .htpasswd files.

  1. Also, apparently forward slashes can be double encoded and they will be passed to JRun as is:

http://203.66.57.98/admin%252f%252ehtpasswd%2500.jsp

In the above url, it also looks like they are appending %25%00.jsp to the end of the file. I think there is a separate exploit that works for this.

  1. The .htpasswd file can be cracked with John.

Takeaways

  • If a funny/old web/application server is being used, check for vulnerabilities.

  • 500 errors are often returned by Apache.

  • Check for double encoding errors. (For instance, ‘;’ actually double encoded as ‘%253b’ instead of ‘%3b’. Also ‘/’ being double encoded.)

  • I guess there are some web/application servers that will accept a backslash as a path name. Check for this as well: %5C

  • Also embedding %00 in urls. In this challenge it is actually double encoded.

  • Check for .htaccess files. Getting a .htpasswd file basically means you can crack it with John.