TYS 0x02 - PHP in 2019?! Are you insane!?
This post is part of the Test Your Skills series. You can find an introduction here, and an overview of all TYS challenges currently available over here.
There is a reason for everything!
PHP (created in 1994) was one of the first broadly used web-specialized languages. Even today, 25 years later, PHP powers at least parts of most web-based applications on the internet (~80%; see https://w3techs.com/).
PHP is a language with many faces. In this challenge you might get to know a new one, whether you like it or not.
Challenge
In this challenge you are facing the SuperAwesomeAPI! This API has been developed in PHP, implements key-based authentication and provides authorized users with system monitoring capabilities. The scope of this assignment is as follows:
- Perform a code review and identify any weaknesses in the API, especially around the authentication and input validation
- Perform a penetration test simulating a real attacker with the following goals:
  - Circumvent the authentication or find any way to remotely call the exposed API functionality without having a valid API key
  - Identify and exploit any weaknesses in the input validation in order to execute non-white-listed commands
  - If the above was possible, demonstrate (by writing a PoC exploit) the attack chain resulting in a reverse shell which connects back to a given IP and port, granting shell access on the target machine
Some rules
- You get full access to the code: read it, debug it, do whatever you want to get the job done
- For the final task (the PoC exploit/demo) no manipulation of the code or any files involved is allowed; your PoC exploit needs to run against an untampered/unmodified version of the API
OK. Let’s get cracking!
First you need the actual code and supporting files to run the SuperAwesomeAPI. Download the static files and run them as follows:
Once you have the Docker container running (thanks, webdevops team!) you should be able to browse to http://127.0.0.1/ as well as query the API with curl:
Have fun hunting! Feel free to post your approach / write-up, and let me know if you have any questions, feedback or general comments in the respective Twitter thread over here:
https://twitter.com/mytty_project/status/1111957534993195008
Verify the files you download with:
md5sum b017c84c521da7c5c6d499a1fc11b8ea cdn/tys/tys_0x02_files.tar.bz2
sha1sum cca966dedde429860c3b43c6cc6bb1ad3a62b975 cdn/tys/tys_0x02_files.tar.bz2
sha256sum 7a32a63b49bdb4596492d44213554a2a08be28389222ef4995c649d2106bb590 cdn/tys/tys_0x02_files.tar.bz2