Defence Scenario: Cyber Polygon 2020 Technical Exercise Write-up

Legend

Core Mechanics

Infrastructure and Game Service

Vulnerabilities

Insecure Direct Object References

Command Injection

  1. By sending a request http://example.com/api/disk_stats?flags=>dev/null;cat config/secrets.yml, the attackers obtained the contents of the backend/config/secrets.yml file, which stored the private key for signing JWT tokens.
  2. Having obtained the private key, the Red Team could generate and sign a JWT token valid for any user. Given that the Red Team used the current private key of the service, this token would have been successfully validated and accepted by the application.
  3. By sending a request http://example.com/api/me on behalf of the user for whom the token was generated, the Red Team obtained the user's phone number and checked it for a flag.

Security Misconfiguration

JWT Signature Algorithm Change

  1. By sending a request http://example.com/api/auth/third_party, the attackers received the service public key from the public_key field of the output JSON object.
  2. Having obtained the public key, the Red Team could generate a valid JWT token for any user by setting the alg field of the JWT header to HS256 and signing the token with HMAC, using the service's public key string as the HMAC secret.
  3. By sending a request http://example.com/api/me on behalf of the user for whom the token was generated, the Red Team obtained the user's phone number and checked it for a flag.
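The root cause of this finding is a verifier that lets the token's own alg header choose the algorithm, so the RSA public key ends up used as an HMAC secret. The following is an added Python example, not the write-up's or the service's code, showing that header-driven pattern next to a verifier that pins the algorithm server-side. It uses only the standard library; only HS256 is implemented, the RS256 check is assumed to be registered from the application's RSA library, and the PEM and claims are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def parse(token: str):
    """Return (header dict, signing input bytes, raw signature bytes)."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), f"{h}.{p}".encode(), b64url_decode(s)


def make_hs256_token(claims: dict, secret: bytes) -> str:
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    return f"{h}.{p}.{b64url_encode(hs256(f'{h}.{p}'.encode(), secret))}"


# Only the HMAC check is registered here; an RS256 check would come from the
# application's RSA library (assumption, not shown).
SIGNATURE_CHECKS = {
    "HS256": lambda inp, sig, key: hmac.compare_digest(hs256(inp, key), sig),
}


def verify_header_driven(token: str, key_material: bytes) -> bool:
    """Vulnerable pattern: the token header selects the algorithm, and the same
    key material (the RSA public key PEM) is handed to whichever check it names."""
    header, signing_input, sig = parse(token)
    check = SIGNATURE_CHECKS.get(header.get("alg"))
    return bool(check) and check(signing_input, sig, key_material)


def verify_pinned(token: str, server_alg: str, key_material: bytes) -> bool:
    """Hardened: the algorithm is fixed server-side and bound to the key, so a
    header claiming HS256 (or none) against an RS256 key is rejected up front."""
    header, signing_input, sig = parse(token)
    if header.get("alg") != server_alg:
        return False
    check = SIGNATURE_CHECKS.get(server_alg)
    if check is None:
        raise ValueError(f"no signature check registered for {server_alg}")
    return check(signing_input, sig, key_material)


# Constructed fixtures: a placeholder public key and a token that names HS256
# while being HMAC-signed with that key string, as described in the write-up.
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n"
FORGED = make_hs256_token({"user_id": 1}, PUBLIC_KEY_PEM)
```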

YAML Insecure Deserialisation

Conclusion


BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age
