TYS 0x02 - PHP in 2019?! Are you insane!?
There is a reason for everything!
PHP was one of the first widely used web-specialized languages (created in 1994). Even today, 25 years later, PHP powers at least parts of most web-based applications on the internet (~80% - check https://w3techs.com/).
PHP is a language with many faces. In this challenge you might get to know a new one - whether you like it or not.
In this challenge you are facing the SuperAwesomeAPI! This API has been developed in PHP, implements a key-based authentication and provides authorized users with system monitoring capabilities. The scope of this assignment is as follows:
- Perform a code review and identify any weaknesses in the API, especially around the authentication and input validation
- Perform a penetration test simulating a real attacker with the following goals:
  - Circumvent the authentication or find any way to remotely call the exposed API functionality without having a valid API key
  - Identify and exploit any weaknesses in the input validation in order to execute non-white-listed commands
  - If the above was possible, demonstrate (by writing a PoC exploit) the attack chain resulting in a reverse shell which connects back to a given IP and port, granting shell access on the target machine
- You get full access to the code - read it, debug it, do whatever you want to get the job done
- For the final task (the PoC exploit/demo) no manipulation of the code or any files involved is allowed; your PoC exploit needs to run against an untampered/unmodified version of the API
OK. Let’s get cracking!
First you need the actual code and supporting files to run the SuperAwesomeAPI. Download the static files and run them as follows:
Have fun hunting, feel free to post your approach / write-up and let me know if you have any questions, feedback or general comments in the respective twitter thread over here:
Verify the files you download with:
md5sum    b017c84c521da7c5c6d499a1fc11b8ea  cdn/tys/tys_0x02_files.tar.bz2
sha1sum   cca966dedde429860c3b43c6cc6bb1ad3a62b975  cdn/tys/tys_0x02_files.tar.bz2
sha256sum 7a32a63b49bdb4596492d44213554a2a08be28389222ef4995c649d2106bb590  cdn/tys/tys_0x02_files.tar.bz2
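Checking the three digests by eye is error-prone, so here is a small helper that compares all of them and refuses the archive if any one differs. This is an added example, not part of the original post or the challenge files; it assumes the coreutils `md5sum`, `sha1sum` and `sha256sum` binaries are on your PATH, and the usage line at the bottom simply plugs in the digests published above.

```shell
#!/bin/sh
# Added example: verify a downloaded archive against all published digests
# before unpacking or running anything from it.
#
# verify_digests FILE MD5 SHA1 SHA256
#   returns 0 only if every digest matches, 1 on any mismatch, 2 if FILE is missing.
verify_digests() {
    file="$1"; want_md5="$2"; want_sha1="$3"; want_sha256="$4"

    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }

    # Each tool prints "<digest>  <filename>"; keep only the digest column.
    got_md5=$(md5sum "$file" | awk '{print $1}')
    got_sha1=$(sha1sum "$file" | awk '{print $1}')
    got_sha256=$(sha256sum "$file" | awk '{print $1}')

    status=0
    [ "$got_md5" = "$want_md5" ] || { echo "md5 mismatch:    got $got_md5" >&2; status=1; }
    [ "$got_sha1" = "$want_sha1" ] || { echo "sha1 mismatch:   got $got_sha1" >&2; status=1; }
    [ "$got_sha256" = "$want_sha256" ] || { echo "sha256 mismatch: got $got_sha256" >&2; status=1; }

    [ "$status" -eq 0 ] && echo "all digests match: $file"
    return "$status"
}

# Usage with the digests from the post (uncomment once the archive is downloaded):
# verify_digests cdn/tys/tys_0x02_files.tar.bz2 \
#     b017c84c521da7c5c6d499a1fc11b8ea \
#     cca966dedde429860c3b43c6cc6bb1ad3a62b975 \
#     7a32a63b49bdb4596492d44213554a2a08be28389222ef4995c649d2106bb590 \
#     && tar xjf cdn/tys/tys_0x02_files.tar.bz2
```

Only the SHA-256 value carries real weight here (MD5 and SHA-1 are both collision-broken), but since all three are published, checking them together costs nothing and catches a truncated or corrupted download just as well.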