Hacking The Davinci Code: WebDAV Cybersecurity
Key Takeaways
Walkthrough of a CTF web challenge in which a Flask app's WebDAV PROPFIND handler leaks a directory listing and its MOVE handler is used to relocate the flag into the statically served directory
Full Transcript
This capture the flag challenge is called The Da Vinci Code. It's a medium challenge in the web category that I made; I created this for the NahamCon capture the flag competition, and the description is: someone made a Da Vinci Code fan page, but they spelled it wrong, and it looks like the website seems broken. This is a deployable per-instance; hey, you can go ahead and spin up the task, we'll click the start button here to make that available for us, but I will be running this locally and I'll walk you through it, and I'll tell you what this challenge is and how we put it together.

So I am running this challenge locally. I've just spun up the Docker container on localhost port 5000, and we're presented with this website for The Da Vinci Code: uncover and unravel the secrets hidden in the works of Da Vinci, join us as we delve deeper into the mysteries, blah blah blah. Not much here. There is a simple button to learn about the code, and clicking this brings us to a "template not found" error with Jinja2, so we can presume this is a Flask application. In fact, if you want to go take a look at the headers, I'll open F12 on my keyboard, simple Network tab; hey, if I actually take a look at any of these, I think even just the logo.png, yeah, anything that comes from the server, you can see the Server response header is Werkzeug, Python 3.9, so this is a Python Flask server. Seeing that error message clues me in that we're likely in developer mode, so I could probably just go to /console, but that will require a PIN or some active number, the key, to be able to actually enter and execute Python code, so that's not super duper helpful for us unless we can figure out some other vulnerability like local file inclusion or some other gimmick to actually beat this thing up. But we could actually take another look at the error message that we had, because look, this is going to give us a traceback, and that might actually clue us in on some parts and pieces of the code. Scrolling down, you can see the line that's highlighted on /app/app.py, so that gives us at least the name of the source code, the file that's run in the Python script, and we can see, okay, there's the app.route for /code; we would render the template for that HTML file, but it's not found, so that presumably doesn't exist.

Now it's funny, I got a lot of players saying, oh no, the challenge is broken. But again, the challenge description was to intentionally say, yes, the website is broken. This is because I left behind this breadcrumb for you, this little Easter egg, where the other route, just simply the index page, the forward slash, includes another method. It's not just simply a GET method you could do with HTTP, but there's also a PROPFIND method available to you. Now if you were to Google this PROPFIND HTTP method, you'll see that, hey, it is a WebDAV method. In fact, that's kind of the whole gimmick here; that's meant to be returned with Web Distributed Authorizing and Versioning, Authoring and Versioning, whatever, it's WebDAV. That's the whole joke for The Da Vinci Code: DAV, over and over again, is that this is a WebDAV request.

Now here's a gimmick, because you're working with a Python Flask server that also seemingly supports some WebDAV stuff. Anyway, we could just go figure it out. We could try to run any of these headers, or even just see, okay, what's the server going to do; you could take a look at HackTricks, you could look at other resources, or you might just be able to run davtest. That is literally a WebDAV testing utility that you'd supply, pass in, hey, whatever URL that you're working with, and let's see what it will tell us. So davtest -url http:// and I'm on localhost:5000 for this little showcase, but okay, it seems to connect. It does tell me "open", but it also says "fail, operation fail, you can only open a collection or a directory." Uh, do I use a forward slash there? No, that doesn't seem to work. What if we had, like, anything that obviously does not exist? That should error. Yeah, okay, cool. So, different error; that'll say, look, that's not DAV enabled or accessible, so presumably we're at the right thing, but we're not going to get a whole lot of info out from this tool. Is that the same error message even for something that, like, clearly doesn't have WebDAV? Okay, no, no, no, that'll say it specifically. So the page seemingly does have WebDAV functions accessible; obviously we saw the method in the source code.

So let's try to use a different command or another tool and utility like curl, because that will allow us to specify the method that we want to use with that -X argument. So rather than GET or POST, in this case, for other HTTP methods we're going to use that WebDAV one, PROPFIND, on that address localhost port 5000. So this returns a heck of a lot more interesting stuff here. I can copy and paste all this, because this is meant to be XML output, right? Let me just bring that into a text editor; with that I can, hey, indent XML here, yeah, and we'll set the syntax highlighting in Sublime Text, thank you so much. Now this is interesting, because it presumably is returning, like, the files in the current directory. You can see __pycache__ is included, you can see static, that's normally where we're hosting static files, right, like the logo.png image that we saw; templates, okay, where we would have seen code.html; and app.py. Oh, okay, so even the source code for the application itself. Question is, could we pull that down? We can try it. Let me use curl PROPFIND /app.py. Uh, no, doesn't really tell us anything other than that it is a file. Okay, so that's not super duper helpful. But what about the templates, right? Did that have code.html in there? We could run that on /templates, presumably. Okay, that returns stuff; that gives us a directory listing, right? Let me run index.html. Yeah, okay, so it does not have code.html, literally. That's interesting, though, because we've now learned two things. For one thing, we have directory listing; we could see the files present on the file system. And it is still a Python Flask server, though, so it has to have specific routes set up even for an index.html or a code.html. But so far we haven't really seen any other vulnerabilities other than it just having, oh, the capability to do this WebDAV PROPFIND method, so we could explore that a little bit further.

But at least on the topic of vulnerabilities, if I may, I would love to say, look, the only reason that I can get out videos, education, cybersecurity stuff, material, training, capture the flag competitions just like this, especially when I'm working with a team of folks that are developing challenges, I've got to make sure they get paid; I would love to include some sponsorship for this video. I'm so, so thankful for all their support, and with that, please take it away, Prelude Security. Imagine if you could automate turning current threat intelligence into active, high-fidelity detection rules. What if you could safely test your security posture against the latest threats that are out there? That is what Prelude Security allows you to do with their latest innovation. They automatically consume threat intel reports, extract the relevant technical details, and transform them into detections that can be directly pushed to your EDR or XDR solution, and verified security tests to validate your new detections, and it's all done in just a few minutes. Honestly, it is super cool to see it in action, and with Prelude you can ensure your defenses are continuously up to date and protected against today's threats. Get started with Prelude Security with my link below in the video description, jh.live/prelude. Huge thanks to Prelude Security for sponsoring this video.

All right, so back on the keyboard. Well, let's review as to where we were. We did have some PROPFIND capability, and when we were looking at the root of the file system we saw a lot of interesting stuff, at the very least, oh, the root structure, directory listing, things presented here for the application. But there was one that I didn't get a chance to drill down into yet. We saw static, we saw templates, we saw our app.py, but we also have, at the very bottom, the secret Da Vinci code, so I'm presuming that, okay, maybe there are some secrets or some juicy info hidden there. We can get back to our command line, try and run the exact same thing, but include that location for the secret Da Vinci Code. If I scroll that down, ooh, you can see, uh, I might need to make this pretty, but you can actually probably see in just that output itself, when we do directory listing on the secret Da Vinci Code, we have flag.txt included within that directory. So we're thinking, oh, okay, we could just go navigate to that with our web browser, right? Let me go back to the page here. We want to go to, pasting in my address bar, the secret Da Vinci Code and then flag.txt, but that gives a 404. That is not returned; it's not there at all. Even, uh, Network tab running, obviously, oh, I had the filter on, no, that's a 404. So what about the secret Da Vinci Code on its own? Still a 404. What is going on? It looked like we saw that, considering the WebDAV PROPFIND request. Well, don't forget, this is a Flask application and it will only have routes for things that it has specifically stated to be a route, like index.html or code.html, that we didn't actually have, so it must not have a handler to actually bring you to the secret Da Vinci Code folder and the flag inside of it.

Um, that's odd, though. What else could we explore? I mean, there wasn't really a whole lot else in the command line here when we were looking at the directory listing of the application here. We had, okay, templates, app.py, that secret Da Vinci Code, but there really wasn't anything else we dug into other than static. Static is where it should have just those logos and images and, like, JavaScript, CSS libraries, right? Is there even anything worthwhile in static? Ooh, there might be. Let's pull that down, clean this up just a little bit, but yeah, there is the logo.png, and oh, they must have been hiding something else here. In fact, in fact, I was, I'm, I don't know why I'm being coy, I know I wrote this challenge. Uh, app.py.backup is accessible and it's in a static directory, which means it'll just serve and give out all the files in that location. That's how Python Flask apps typically work, right? Because JavaScript, CSS, that stuff just needs to be statically served and not have a given route or handle to them. So we could at that point just try to use that app.py.backup that we know was in the static directory, right? We don't need to use the PROPFIND here, because that is really, again, WebDAV asking for the things, but we could just use a regular GET request, right? Maybe change that method there, or just use default curl, or navigate to this in our web browser; it's just going to get served to us. So I'll render this, and now we have presumably source code to the application. I'm just going to slap this into Sublime Text so I can get some syntax highlighting for us, and it is all in Python, right, just as expected, Flask application, everything that we understood. Static directory put to life, okay, there's our static path, genuinely just sending from that location, and we have a function to handle a WebDAV response that seemingly is, again, just kind of building that directory listing or directory indexing functionality, and that's actually staged and set up as a handler, so that WebDAV capability is accessible for just about every specific endpoint location and route here.

That's interesting, because that's where we get confused between what is a WebDAV functionality and what's just regular Flask in the Python web server. Interesting, though, because this has other methods configured. We have GET, as we've seen, PROPFIND, as we've seen, but even MOVE, and that's new, and might give us some cool, clever capability here, because we saw that our /code endpoint would break to begin with, index gave us PROPFIND, but now we've unlocked something new because we've been able to, essentially, oh, track down the backup source code here. Silly, I know, whatever, unrealistic premise, I don't care, it's a capture the flag challenge. But look, we can MOVE, and the logic for that is defined here. If the request method is MOVE, then we'll get a destination coming from the headers provided; that should be Destination, right? If we have that, then we'll join together the path from our current directory and put inside of the directory here the file that we're specifying. So we genuinely, legitimately have move capability, and we know where on the file system there is a flag thanks to PROPFIND, and we know that the static directory, static locations, will just send any file. So let's put those puzzle pieces together, and we could just move the flag into the static directory so we can read it. That sounds like a plan and path of attack.

So what we need to do is use a regular curl command, except we're now going to be using -X with the header to MOVE. Now if we look back at the syntax, I'll get back to that URL, the source code here tells us that the full path, what we actually request from the web location, is what we're moving, to a given destination. So our destination should be the static location, and our full path that we're actually requesting with curl should be the WebDAV secret Da Vinci Code flag.txt, right? Let's try and build that out. We know that we'll go to secret, what is it, the, let's move from that location given the flag.txt. There, we do need to supply a header, so let me move to the very front of the command. I'll use -H to supply a header, and we'll say the destination should be relative from the app's location, right, because you saw the os.getcwd(), the current working directory, so static should be just from the directory listing that we saw, flag.txt present there. We're just moving the secret Da Vinci Code's file into static. Now I can't view that right now, obviously; if I were to go to /static/flag.txt, that doesn't exist until we do the secret sauce, and fingers crossed. I'll move that to the side, bring open our flag.txt here, now that should be... there it is. That's pretty cool. I know I'm talking as an actor, I did make this challenge, but I thought that was a little bit neat. I thought that was a cutesy gimmick; I thought that was worth some creative, critical thinking to see what you all could do here. What would PROPFIND tell us now? Obviously that should be where it should be; PROPFIND now to static, uh, yeah, that'll just literally list out flag.txt, because we were able to move it over there. Now that is included, and of course that is how we get the flag, and could submit that and solve that medium web challenge, The Da Vinci Code, with some WebDAV tricks.

Hey, thank you so much for watching. I hope you enjoyed this video, hope you enjoyed that little trick, hey, some clever things we can do, and sort of unlocking and finding new puzzle pieces and breadcrumbs for the capture the flag challenge. I hope you really enjoyed the NahamCon CTF if you did get a chance to play; if not, we'll have the challenges up and available on, like, NYPT, Name Your Price Training, or something, uh, in the future. But hey, thanks so much for watching, please do all those YouTube algorithm things, please give our sponsors some love, link in the video description, and with that I'll see you in the next video.
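The two handlers the video reads out of the leaked backup source, a PROPFIND that builds a directory listing and a MOVE that joins the Destination header onto the working directory, are reconstructed below as an added example. This is not the challenge's own app.py: the secret directory name (`secret_davinci_code`), the `archive` directory, and all function names are assumptions, and the hardened `move_hardened` is the editor's fix, not something the video shows. It uses only the standard library and a throwaway temp directory, so it runs offline and shows both why the flag-into-static move works and which two checks stop it.

```python
"""Added reconstruction of the challenge's WebDAV behaviour (not the CTF's
own app.py): a PROPFIND directory lister, the unchecked MOVE the video
describes, and a hardened MOVE that refuses the flag-into-static trick."""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # Clark notation for the WebDAV XML namespace


class DavError(Exception):
    """Raised by the hardened handler for a MOVE it refuses to perform."""


def build_propfind_xml(root, rel=""):
    """RFC 4918 <D:multistatus> body listing root/rel; sub-directories are
    marked as collections (the directory indexing the challenge exposed)."""
    rel = rel.strip("/")
    base = os.path.join(root, rel)
    ET.register_namespace("D", "DAV:")
    ms = ET.Element(DAV + "multistatus")
    for name in sorted(os.listdir(base)):
        resp = ET.SubElement(ms, DAV + "response")
        ET.SubElement(resp, DAV + "href").text = "/" + "/".join(p for p in (rel, name) if p)
        propstat = ET.SubElement(resp, DAV + "propstat")
        rtype = ET.SubElement(ET.SubElement(propstat, DAV + "prop"), DAV + "resourcetype")
        if os.path.isdir(os.path.join(base, name)):
            ET.SubElement(rtype, DAV + "collection")
        ET.SubElement(propstat, DAV + "status").text = "HTTP/1.1 200 OK"
    return ET.tostring(ms, encoding="unicode")


def move_vulnerable(root, rel_src, destination):
    """The pattern the video describes: the Destination header is joined onto
    the working directory unchecked, so any file the app can read can be
    relocated into the statically served directory (and, because os.path.join
    honours an absolute Destination, anywhere else on the filesystem)."""
    dst = os.path.join(root, destination)
    shutil.move(os.path.join(root, rel_src), dst)
    return dst


def _resolve_inside(base, rel):
    """Resolve base/rel and insist it stays under base; this blocks '..'
    segments, absolute paths and symlinks that point outside."""
    real_base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(real_base, rel))
    if os.path.commonpath([real_base, target]) != real_base:
        raise DavError(f"path escapes the DAV root: {rel!r}")
    return target


def move_hardened(root, rel_src, destination, dav_root=".", public_dirs=("static",)):
    """Hardened MOVE (editor's fix): source and destination must both resolve
    inside the subtree exposed over WebDAV, and nothing may land in a directory
    Flask serves anonymously. RFC 4918 makes Destination an absolute URI; the
    challenge treated it as a relative path, which is kept here."""
    dav_base = _resolve_inside(root, dav_root)
    src = _resolve_inside(dav_base, rel_src)
    dst = _resolve_inside(dav_base, destination)
    for pub in public_dirs:
        pub_real = os.path.realpath(os.path.join(root, pub))
        if os.path.commonpath([pub_real, dst]) == pub_real:
            raise DavError(f"destination is publicly served: {destination!r}")
    if not os.path.isfile(src):
        raise DavError(f"no such file: {rel_src!r}")
    shutil.move(src, dst)
    return dst


def demo():
    """Build a throwaway copy of the challenge layout (constructed sample data;
    the secret directory name is assumed), list it, then try the flag move
    against both handlers and report what each did."""
    root = tempfile.mkdtemp(prefix="davinci_")
    secret = "secret_davinci_code"
    for d in ("static", "templates", secret, "archive"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "static", "logo.png"), "wb").close()
    with open(os.path.join(root, secret, "flag.txt"), "w") as fh:
        fh.write("flag{constructed-sample}")
    flag_rel = secret + "/flag.txt"
    out = {"propfind_lists_flag": "flag.txt" in build_propfind_xml(root, secret)}
    refused = {}
    for dest in ("static/flag.txt", "../escaped.txt", "/tmp/escaped.txt"):
        try:
            move_hardened(root, flag_rel, dest)
            refused[dest] = False
        except DavError:
            refused[dest] = True
    out["hardened_refused"] = refused
    # A move that stays inside the DAV root and outside static is still allowed.
    out["hardened_allowed"] = os.path.isfile(move_hardened(root, flag_rel, "archive/flag.txt"))
    # The vulnerable handler drops the flag exactly where GET /static/ serves it.
    move_vulnerable(root, "archive/flag.txt", "static/flag.txt")
    out["vuln_moved_into_static"] = os.path.isfile(os.path.join(root, "static", "flag.txt"))
    out["static_listing_after"] = "flag.txt" in build_propfind_xml(root, "static")
    shutil.rmtree(root)
    return out
```

Run `demo()` to see the sequence from the video end to end: the PROPFIND listing names `flag.txt`, the vulnerable MOVE lands it under `static/`, and a second PROPFIND on `static` now lists it. The hardened handler refuses the same request on two independent grounds, the public-directory check and the realpath containment check, so removing either one still leaves the other in place; in a real deployment the WebDAV subtree should also be a dedicated directory rather than the working directory that holds `app.py`.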
Original Description
https://jh.live/prelude || Try Prelude Detect to see a continuous risk assessment of your environment, and transform your threat intelligence into validated protections in minutes. https://jh.live/prelude
Learn Cybersecurity - Name Your Price Training with John Hammond: https://nameyourpricetraining.com
WATCH MORE:
Dark Web & Cybercrime Investigations: https://www.youtube.com/watch?v=_GD5mPN_URM&list=PL1H1sBF1VAKVmjZZr162aUNCt2Uy5ozAG&index=4
Malware & Hacker Tradecraft: https://www.youtube.com/watch?v=LKR8cdfKeGw&list=PL1H1sBF1VAKWMn_3QPddayIypbbITTGZv&index=5
📧JOIN MY NEWSLETTER ➡ https://jh.live/email
🙏SUPPORT THE CHANNEL ➡ https://jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/discord ↔ https://jh.live/instagram ↔ https://jh.live/tiktok
💥 SEND ME MALWARE ➡ https://jh.live/malware
🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!