Security Audits and CTF Challenge Insights

Mar 8, 2025

Security Audits on Web Applications

Overview of Blackbox Testing

  • Security audits are often conducted without source code access.
  • Blackbox testing can still yield valuable insights:
    • Error messages and stack traces.
    • Unique HTTP headers.
    • API endpoint behavior.
  • Typical issues in programming languages/frameworks to be aware of.

Go Backend Pitfalls

  • Example: Go's GJson library accepts unexpected input (an equals sign at the end).
  • Knowledge of backend can optimize testing by targeting common issues.
  • Importance of understanding the backend increases with access to source code.

CTF Challenge Overview

  • Event: Congress CTF organized by Technical University of Munich.
  • Challenge: "fuch" (translated to key-value store).
  • Access to the source code by unpacking the provided files:
    • Two Go files: KV.go and front_end.go.
    • Dockerfile for quick local execution.

Challenge Structure

  • Goal: Leak content of flag.txt located in /home/CF.
  • Dockerfile includes code for hardening the challenge environment.
  • Entry point is the front_end binary that runs on local port 8080.

Frontend Behavior

  • Displays a message when no valid session cookie is present.
  • If a session exists, incoming requests are handled by an HTTP proxy.
  • Frontend executes KV binary and uses Unix domain sockets to communicate with KV process.

KV Process Behavior

  • Listens on the KV socket and has two HTTP handler functions: set and get.
  • Odd design choice raises questions:
    • Possible user separation for CTF.
    • Potential vulnerability in setup or Unix socket.

Vulnerability Discovery

  • Initial confusion regarding session handling and proxy setup.
  • Key discovery: arbitrary file reading via the get function.
  • The check_path function rejects paths containing "." or "flag", preventing direct access to flag.txt.

Exploit Strategy

  • Investigate using the /proc filesystem to access file descriptors of running processes.
  • Idea: If another process has opened flag.txt, it can be accessed via its symlink.
  • Success would rely on another process, potentially a health check from the CTF organizers, having flag.txt open.

Go Concurrency Issue

  • Actual vulnerability: a race condition caused by a variable-shadowing mistake in Go.
    • Colon-equal (:=) declares and assigns a new variable; = only assigns to an existing one.
  • The error variable was accessed by parallel request handlers without concurrency control, creating a race condition.
  • The exploit involved spamming requests to read flag.txt while the error check ran concurrently for other requests.
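The shape of that bug, as an added illustration that is not the challenge's own code: it assumes the backend assigned its error to a package-level variable with = instead of declaring a fresh one with :=, and raceForbidden runs a vulnerable and a fixed handler under concurrent requests so the difference is observable. The path rule, the paths and the handler names are constructed for this example.

```go
package main
import (
	"errors"
	"strings"
	"sync"
	"sync/atomic"
)

// Shared by every handler goroutine once assigned with `=` (the notes' shadowing bug).
var sharedErr error

// checkPath mirrors the challenge rule: reject paths containing "." or "flag".
func checkPath(p string) error {
	if strings.Contains(p, ".") || strings.Contains(p, "flag") {
		return errors.New("forbidden path")
	}
	return nil
}

// vulnerableGet stores the check result in the shared variable; a concurrent
// request for an allowed path can reset it to nil before the test. True = served.
func vulnerableGet(p string) bool {
	sharedErr = checkPath(p)
	return sharedErr == nil
}

// fixedGet uses `:=`, so each goroutine tests its own err value.
func fixedGet(p string) bool {
	err := checkPath(p)
	return err == nil
}

// raceForbidden fires `rounds` pairs of concurrent requests (one allowed path,
// one forbidden) and reports whether the forbidden path was ever served.
func raceForbidden(get func(string) bool, rounds int) bool {
	var served int32
	var wg sync.WaitGroup
	for i := 0; i < rounds; i++ {
		wg.Add(2)
		go func() { defer wg.Done(); get("/home/CF/hello") }()
		go func() {
			defer wg.Done()
			if get("/home/CF/flag.txt") {
				atomic.StoreInt32(&served, 1)
			}
		}()
	}
	wg.Wait()
	return atomic.LoadInt32(&served) == 1
}
```

raceForbidden(fixedGet, n) is always false, while the vulnerable handler is served the forbidden path on most runs given enough rounds; building with -race reports the shared write directly, which is the cheap check to run before any manual hunting.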

Final Exploit Code

  • Initialize a session ID to set up a personal key-value store.
  • Send multiple requests to both read the flag and manipulate the error variable.
  • Potential success based on timing and networking conditions.

Learning and Resources

  • Importance of understanding Go concurrency and variable scope.
  • Platform mentioned: hex.io for further learning on hacking and Android application security.
  • Courses developed with industry insights and practical testing applications.