This year marked our second year we participated in Cyber Security Challenge Belgium. Last year, my team got through qualifiers and were invited to Brussels for the semi-finals, where we ended a couple points short from entering the final. This year, we wanted to do better.
During this year’s qualifiers, I was in Prague for an internship and thus couldn’t physically meet with the rest of my team. Luckily for us, these qualifiers are online. In the qualifiers we’ve reached 29th place. This is not remotely close to as high as we’d hoped to be, however it allows us to be invited to the semi-finals in Brussels again. Sadly, because of COVID19 the semi-final and final is postponed to Q4 2020. This write-up is about a web challenge from the qualifiers.
In this challenge, we’ve received a website that hosted a database of different plants. The goal was simple: get access to the database. After a quick inspection of the website, I noticed that the database was hosted in Firebase. Since I have some experience with Firebase and Google API’s myself, I know where to look. On the website, there was a file called server.js. This file contained a reference to the admin/API credentials file as well as the URL of the database.
At this point, you have two options:
- Try to access the credentials file
- Look for Firebase missconfiguration
The credentials file itself was not accessible from the website. Firebase missconfiguration can be checked by appending “/.json” at the end of a Firebase database URL. If there are no security rules in place, this will dump the entire database. Sadly, it looked like security rules are correctly set:
Looking back at the server.js file, there is still one important line that I overlooked at first: app.use(express.static('.',{dotfiles:'allow'}));
Dotfiles are usually used for hidden content, so for this challenge I decided to run dirbuster on the website to look for hidden files/folders. I quickly noticed that there is a .git directory exposed. Next, I used a tool called git-dumper to extract a complete git repository from the website.
At this point I decided to upload the git repository to my private git server, to make it easier to search through older commits. Searching through the available commits, I noticed one called Security Fixes. This one deleted the credentials file. Git allows me to retrieve the credentials which made me access the database to find the flag to the challenge.
This was a fun challenge and made me learn about a new tool called git-dumper 🙂