Tomwhat - Web Easy


Introduction

Tomwhat is an easy web challenge from HeroCTFv7.

The goal of this challenge is to retrieve the flag, which is only displayed on an admin web page.

This is a whitebox challenge, meaning that the full source code is public, so we can easily understand how it works.

The whole website is written in Java and runs on Apache Tomcat.

(Screenshot: directory structure of the project)

Path - TL;DR

  1. Set a session attribute named username with the value darth_sidious.
  2. Go to the admin page.

Enumeration

Flag location

As we can see in the source code, the flag is returned to the administrator on the /dark/admin route.

(Screenshot: AdminServlet source)

If the username attribute stored in our session equals darth_sidious, we can access the flag.

LightServlet and username set

Here, you can set any username on your session, but if you choose darth_sidious, the username is not set.

(Screenshot: LightServlet source)

Default installation page

(Screenshot: default Tomcat installation page)

The default Tomcat installation page is accessible to anyone without any authentication.

Exploitation

Replace our username

Because the two username checks (the one that refuses to set darth_sidious and the one that grants admin access) are consistent with each other, these conditions can't be bypassed directly.

So we turn to the default installation page, which gives access to the example applications. Let's check them:

  • Go to the examples page:
    (Screenshot: examples page)

  • Then choose the Servlets examples:
    (Screenshot: servlet examples)

  • Finally, we can read the source code of the session servlet:
    (Screenshot: session servlet source)

The code shows that the servlet takes a session attribute name and an associated value from the user and stores them in the session.

  • We can now execute the sessions example:
    (Screenshot: session servlet)

  • We just need to set username as the attribute name and darth_sidious as the value:
    (Screenshot: form filled in)

  • Verify the data, then go to the /dark/admin page:
    (Screenshot: flag displayed on /dark/admin)

Hero{a2ae73558d29c6d438353e2680a90692}

Remediation

Disable or remove the default Tomcat pages, including the examples webapp.
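The following Java code is an added example, not the challenge's own source. It reconstructs the two servlets as the enumeration section describes them (a /light handler that stores any username except darth_sidious in the session, and a /dark/admin handler that trusts that session attribute), and places a hardened admin servlet beside them. Route names, the FLAG environment variable and the "admin" role name are assumptions for illustration; the hardening shown goes beyond the page's remediation by tying the admin decision to the container's authenticated principal instead of a session attribute that any other servlet in the same context (such as the Tomcat examples' session servlet) can write.

```java
// Added example (not the challenge's code): vulnerable pattern beside a hardened one.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Reconstruction of LightServlet as the writeup describes it. */
class LightServlet extends HttpServlet {
    static final String ADMIN_NAME = "darth_sidious";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        HttpSession session = req.getSession(true);
        // Refuses only the privileged value; any other name is stored as-is.
        if (username != null && !ADMIN_NAME.equals(username)) {
            session.setAttribute("username", username);
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("username set");
    }
}

/** Reconstruction of AdminServlet: authorization rests on a session attribute. */
class AdminServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        Object name = (session == null) ? null : session.getAttribute("username");
        // Weak check: "username" can be written by any servlet sharing this
        // HttpSession, e.g. the Tomcat examples' session servlet, which lets a
        // visitor pick both the attribute name and its value.
        if (LightServlet.ADMIN_NAME.equals(name)) {
            resp.setContentType("text/plain");
            // FLAG env var is an assumed placeholder for the real flag storage.
            resp.getWriter().println(System.getenv("FLAG"));
        } else {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}

/** Hardened variant: the decision comes from container-managed authentication. */
class HardenedAdminServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getUserPrincipal()/isUserInRole() are populated by the container after
        // a real login (security-constraint + login-config in web.xml); a session
        // attribute set by another servlet cannot forge them.
        if (req.getUserPrincipal() == null || !req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println(System.getenv("FLAG"));
    }
}
```

Even with the hardened servlet, the page's remediation still applies: the examples, docs, manager and host-manager webapps shipped with Tomcat should not be deployed on an internet-facing instance, since they expose tooling (session attribute editing among it) that production code never needs.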