Queen of Hearts: Metasploit 2020 December CTF
This weekend I partook in the Metasploit 2020 December CTF. I captured three flags (8 of Hearts, Queen of Hearts, Red Joker) and this blog post will detail how I solved for the Queen of Hearts.
At http://$target:9010/ was a file available for download, QoH_Client.jar. When downloaded and run, it describes its usage:

Re-executing with the target host and port 9008, I was presented with an interactive text-mode program. We see that there are files available for download, and that authentication is required:

I tried several passwords, but all of them failed to authenticate me. But since I have access to the client code, perhaps I can modify it to grant myself permissions. I extracted the Jar file and used CFR to decompile the class files and get Java source code:

Reading the source code, the AuthState object gets set following the authentication call to the server. But AuthState has a method called setLoggedInStatus; with a single line added to the source code I set the logged-in status to true after the authentication call, whether or not it succeeded.
With that change made, I recompiled the Class.java file and created a new Jar file containing my changed code.

With the patched Jar in place, I ran the program, "failed" an authentication attempt, and was still able to download the flag file thanks to my modification:

and done!
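The root cause is that the download was gated by a flag the client holds rather than by anything the server verified. As an added illustration (my own constructed Python, not the CTF's code; the AuthState class, Server, credentials and file contents are all assumptions), the following shows the same one-line patch succeeding against a server that trusts the client's flag and failing against one that checks a server-issued session token:

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed credential and file store for the demo; not the CTF's values.
USERS = {"alice": "correct horse battery staple"}
FILES = {"flag.txt": b"flag{constructed-demo-value}"}


@dataclass
class AuthState:
    """Client-side state, modelled on the client's AuthState class (assumed shape)."""
    logged_in: bool = False
    token: Optional[str] = None

    def set_logged_in_status(self, value: bool) -> None:
        self.logged_in = value


class Server:
    def __init__(self) -> None:
        self._sessions: set = set()  # tokens issued only after a real login

    def authenticate(self, user: str, password: str) -> Optional[str]:
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_hex(16)
        self._sessions.add(token)
        return token

    def download_trusting_client(self, name: str, state: AuthState) -> Optional[bytes]:
        # Vulnerable: the only gate is a boolean the client controls.
        return FILES.get(name) if state.logged_in else None

    def download_checking_token(self, name: str, token: Optional[str]) -> Optional[bytes]:
        # Hardened: the gate is a token the server itself issued and remembers.
        return FILES.get(name) if token in self._sessions else None


def patched_client_attempt(server: Server, user: str, password: str):
    """Mimic the patched client: force logged_in=True regardless of the result."""
    state = AuthState()
    state.token = server.authenticate(user, password)
    state.logged_in = state.token is not None
    state.set_logged_in_status(True)  # the one-line patch from the write-up
    return (server.download_trusting_client("flag.txt", state),
            server.download_checking_token("flag.txt", state.token))
```

With a wrong password the first return value is the file and the second is None; the fix is simply that the server, not the client, decides who is logged in.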

For coverage of a number of other tests from this CTF, see this blog post by Team Captain Steve Walker.
