I recently attended my first hackathon, the Greater Central Florida Technology Fair, better known as HackStetson. BSides Orlando and the Engineering Expo were happening at the same time, which meant that no one from my university was heading to the event. I looked around for a group to join and found a few students from UCF. They technically already had a full team and had divided the tasks among themselves, but there were many other activities planned as well, so it was not much of a problem. The one I was most interested in was the Capture the Flag competition, which was sponsored by Apple.

It started a few hours after the hackathon did, so in the meantime I was working with the team to set up the development environment. Their idea was a crowdsourced web app that would list things to do in your city in any kind of weather. They had decided to use Laravel, which was great news to me, as I really love the framework and have a lot of experience with PHP.

However, none of them had set up the environment beforehand, so we were all working on that, and I was trying to install Docker on Windows 10. I switched to my Linux partition after finding out that Docker on Windows would not let VirtualBox run, which mattered more to me. One teammate could not get Docker running at all, since the Windows version needed the Professional edition (which I had and he did not). I ended up creating a temporary DigitalOcean droplet with everything set up for him, and he synced to it with FileZilla. Then the CTF started and we were briefed on how it would work and on the rules of engagement. The Apple representatives seemed pretty wary about the whole thing. They told us we would be attacking a web application written in Java, hosted on AWS, and that we needed to register an account on it and then visit the flags page, which described where the flags were.

I followed the instructions; part of them was to run Docker (how convenient!) with an image from the site that would run a "user agent" in the background on your computer every 5 minutes. Since the website was so simple, I thought the user agent was some special browser that could view the rest of the site, as all you could do was create "hosts", and if you took a host's UUID and put it in the script, it would show your free disk space and JVM cache size on the interface. After asking a few questions, I learned that the "user agent" was just a cron job running a Java program, and that you were supposed to look at how it operated, which heavily hinted that you should decompile it. The first flag was the "tag" field of a specific host on the administrator's account, and from my observations the tags were simply UUIDs. The flags page said that the Administrator user would search every 5 minutes for all hosts whose names start with ADMIN_ and then view the details of each one, so I knew from my picoCTF experience in high school that I was dealing with a blind cross-site scripting (XSS) attack.

Once that realization hit me, I immediately had my strategy in place. Instead of decompiling the program (which in hindsight I should have done first), I used Wireshark to view the traffic generated by the cron job. I saw it made a POST request to an API URL that essentially updated the host with the preconfigured tag. The body appeared to be a base64-encoded payload; when I decoded it I got some ASCII gibberish along with a few readable strings, such as the disk space and cache sizes. I knew I was close but didn't know what the gibberish was about. Then we were called into another meeting with the Apple team, where they went into a bit more detail on how to get the first flag and pointed out that I was the closest to getting it. I then went all out on the flag, since now everyone else had some idea of how to get it too, but I still wanted to stay in the lead. I realized the gibberish was binary: the payload was a serialized Java HashMap. I had tried substituting new information for the old, but it broke with the binary in the mix. Armed with this, I tried writing my own program to do it, and it finally dawned on me that I was making it too hard for myself.
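For a defender (or the server's own input validation) checking what an agent like this actually posts, here is an added example of my own, not the author's or the CTF's code: it base64-decodes the payload, confirms the Java serialization stream header, heuristically pulls out the short string entries and flags any value that contains markup characters. The sample payload is constructed and only mimics the string layout of a serialized HashMap; it is not a captured message from the event.

```python
import base64

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_STRING = 0x74          # type code that precedes a short UTF string
MARKUP_CHARS = set("<>\"'")


def extract_java_strings(blob: bytes) -> list:
    """Heuristically collect TC_STRING entries: 0x74, big-endian u2 length, UTF-8 bytes.
    A 0x74 byte whose length field does not fit in the blob is treated as data."""
    found, i = [], 0
    while i + 3 <= len(blob):
        if blob[i] == TC_STRING:
            length = int.from_bytes(blob[i + 1:i + 3], "big")
            end = i + 3 + length
            if 0 < length and end <= len(blob):
                try:
                    found.append(blob[i + 3:end].decode("utf-8"))
                    i = end
                    continue
                except UnicodeDecodeError:
                    pass
        i += 1
    return found


def inspect_tag_payload(b64_payload: str) -> dict:
    """Decode a posted payload and report serialized-Java strings that carry markup."""
    blob = base64.b64decode(b64_payload)
    is_java = blob.startswith(JAVA_STREAM_MAGIC)
    strings = extract_java_strings(blob) if is_java else []
    flagged = [s for s in strings if MARKUP_CHARS & set(s)]
    return {"is_java_serialized": is_java, "strings": strings, "flagged": flagged}


# Constructed sample: header, a HashMap class-descriptor fragment, then key/value strings.
SAMPLE_BLOB = (JAVA_STREAM_MAGIC
               + b"sr\x00\x11java.util.HashMap"
               + b"t\x00\x04disk" + b"t\x00\x0812.3 GiB"
               + b"t\x00\x05cache" + b"t\x00\x0664 MiB"
               + b"t\x00\x03tag" + b"t\x00\x0b<b>demo</b>"
               + b"x")
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    print(inspect_tag_payload(SAMPLE_B64))
```

The markup check is the server-side question that mattered here: whatever lands in the tag field is later rendered in the administrator's page, so it must be validated or escaped before storage or display.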

Instead I finally got around to decompiling the cron job, which took some interesting tricks to get it out of the Docker image. I had been trying to avoid that, but getting the code was a big help, since it was essentially my boilerplate for inserting the XSS payload. And since it was a serialized object, I knew there was an attack vector into the machine from that as well. I tried inserting a simple JavaScript alert() and it miraculously worked! I then looked online for scripts to catch the cookie; I had an old one but had forgotten how to use it, since the last time was during my sophomore year of high school. I went through a bunch until I found one I liked that also provided a useful little snippet to submit as the payload... but it was a JavaScript redirect. I figured it wouldn't be a big deal, since it was a script acting as the admin, so no person would actually notice. I put in the payload, and after a few escaping issues were cleared up it worked!

However, the redirect turned out to be a big deal. There was a Discord chat we were supposed to use, and the main coordinator said that a redirect was considered "destructive" and that whoever did it (they didn't know it was me yet) must fix it as soon as possible. I confessed immediately once I realized it was a problem, and also said how I got the flag; they instructed me to PM them with it. I simply ran the Docker image again for the same tag and it overwrote the payload with the regular, innocent data. I was taken aside, though, and told that it was against the rules, and given a stern warning that if it happened again I would be disqualified. I said I had no bad intent; I was just in a rush and thought the "quick and dirty" way wouldn't hurt anyone. But the Apple employee told me that the Selenium bot they were using was being redirected, then returning to the web page only to be redirected again... putting it in a loop that eventually crashed the server it was running on. Fortunately it was obviously separate from any production systems, so I only made the game server temporarily unavailable, but from then on I trod much more carefully, as I was afraid of the unintentional damage I could do.

The Apple people took me aside a few more times to say they were impressed with my work, even considering I had damaged the server in the process, and asked about my thought process through the whole thing. They asked what my next move was, and I said I wanted to find an attack vector through the serialized object. The Apple employee instead told me to run nmap and other vulnerability scanners against the server. I am not the sharpest with nmap scans, so I totally missed what they were nudging me toward, which was an open Redis server.

Around this time there was a minigame called !light or "no light", where the task was to pick a popular website and copy its design in pure CSS and HTML with no outside aids like Google. I suggested the Berkshire Hathaway website, which got some laughs, but we ended up going with Weebly.com instead. Some people in the group pestered the organizers to at least allow searching, and they caved, but as the saying goes, "give an inch and they'll take a mile": some people ended up copying CSS snippets or straight up using Bootstrap. I did use Google, but took no snippets or libraries; I only used CSS references to make sure what I was writing was at least valid CSS. One of the people who used a template won, of course, which I felt was against the spirit of the game, but it was a minor prize.

I went back to help my team with some of the development on the weather app. At this point I made some basic models and controllers but didn't really contribute much, and it was nearing 1 AM when they held the Data Science Jamboree. The Jamboree was a mini challenge where you took the simple flat datasets they gave you and had to do some calculations or represent the data in a specified way. I did the Elon Musk challenge, a CSV file of retweets from Elon Musk, where you essentially had to tally and display the total retweets of each Twitter handle. I used the built-in csv library and Python dictionaries to count, and I attempted to make a bar graph in matplotlib, but that did not go well.

At this point I was exhausted, so I called it a night, went to the sleeping area and slept for about 5 hours, waking around 7 from the cold. Since many people had left overnight but the air conditioning was set for the estimated occupancy of the full event, it got super cold. I tried the second flag and thought I was supposed to attack it directly through some exploit. I was still very tired and just shifted over to helping the team wrap up and get a presentable version of the project. Then the CTF concluded and they announced the winners: another participant had obtained the first flag while I was asleep and had also found the second flag. There was an error handler built on the Redis server; every time something invalid occurred it would generate a UUID, display the stack trace and store it as XML in Redis. Overwriting this with an XML External Entity (XXE) attack let you obtain the second flag, a file readable only by the program's user.

The third flag came from my original idea (the Apple employee didn't want me to skip steps!) of the serialized object attack. There was a GitHub project called Why So Serial? that provided a premade serialized payload to run on the server to obtain a shell. That was great, but the last file was readable only by the root user. However, the web application ran in Docker, and the program's user was a member of the docker group... Essentially you could create a new basic Linux Docker image of your favorite distro and mount the host's root directory as a volume inside the container. The container doesn't care about the outside file system's permissions, and since you are root inside it, you can read the flag. No one got the last flag.

I was surprised when they named us both winners and essentially "tied" us for the main prize, an interview with Apple. I also got a shirt from them that said "crazy one" with the stylized Apple logo as the O in "one", which was pretty nice. At the awards ceremony we won best "first time hackers", as we were one of the few teams that had not been to any hackathons before. In addition I won the Data Science Jamboree by default and got a free 1 TB external hard drive. Overall I loved the experience, and it inspired me to go to more hackathons and get more serious about participating in CTFs.
