Event Changes
We have added a new bug type, deserialization, as requested by members, and there will be a bounty bonus for the first finder!
We are changing bounty payouts for this event, and whilst first finds will be rewarded, we don't want you to feel like you need to rush to report. TAKE YOUR TIME, no need to rush, enjoy the experience! Leave the bounty paying to us! ;-)
After the event ends and all bugs are revealed, we will publish extra information detailing the patches used.
Scope: 'FirstBloodHackers' (version 2.0)
Please note that the text below describing the web app, and the information on the web application itself, is satire.
"FirstBlood" is a hospital that understands and cares for everyone. Yes, everyone.
The world is a beautiful place, and so are you. Humans are so gifted that we possess the ability to spread and share love, which makes others feel good. Isn't that amazing?! We embrace love here at FirstBloodHackers and make sure you are looked after, and we'll do our best to hack you back on track! Spread a little love today.
Version 2.0.0 - Issues patched!
From all of us on the FirstBloodHackers team, we want to thank you so much for your help on FirstBlood v1.0.0! We believe we've addressed all of the issues and we're keen for you to re-test our website to make sure we've patched the issues correctly! We've also released our new vaccine management system, which we're eager for you to play with!
Available functionality
NEW FEATURE! Vaccine Upload: Upload proof of your vaccination for us to store in our vaccine management system.
HackerCamps: "Fixing HackerBack".
Hackers are known to spend long periods of time on their computers, sometimes (okay, quite a lot!) slouching with bad posture. Over time this can cause what we call HackerBack, which is when your back is craving a good ole massage and a rest from hacking.
Book and manage your appointment with us safely and securely. Let us know your allergies so we can do our best to look after you. If you are unable to make your appointment then please make sure to cancel it. We don't like it when people miss appointments and do not let us know.
Credentials available
No credentials are available this time for FirstBlood v2.0.0 as we're still doing some testing on this.
A helping hand (this is not satire!)
This hackevent is all about teaching you to read disclosed reports and test the patch: navigate the web app, put yourself in the other hackers' shoes and be where they were. From there, consider how the issue was fixed and what may have been done incorrectly or forgotten due to an oversight.
This event is also a bit of a "puzzle", and some things may lead on to others. For example, if you discover an SQL injection vulnerability then by all means exploit it to see whether it takes you further.
Remember, you are okay to scan for files/directories, but be mindful of why you're running those scans and what you're trying to find. When we say "no automated scanners", we mean not just running a Nessus scan and sitting back.
FirstBlood Bugs
ID | Description | Type | Found By
---|---|---|---
18 | The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects Chrome. | Open Redirect | 29
19 | The parameter ?ref= on login.php was fixed and $_SERVER['HTTP_REFERER'] was used instead. Patrice tested in Chrome and Firefox and saw it was secure, but some users still use Internet Explorer 10 (governments, for example!) and the Referer header is vulnerable to reflective XSS. | Reflective XSS | 12
20 | Not working correctly: The endpoint QA.php was fixed to prevent the use of integer values; however, whilst it does not normally require any type of authentication to view, it is still vulnerable to IDOR as long as the appointmentID is known. We intended to add another feature which would allow users to convert an integer to an encrypted ID, and this was an oversight on our behalf. This bug doesn't count towards unique finds. | Insecure direct object reference | 1
21 | Not working correctly: The endpoint MA.php was fixed to prevent the use of integer values; however, whilst it does not normally require any type of authentication to view, it is still vulnerable to IDOR as long as the appointmentID is known. We intended to add another feature which would allow users to convert an integer to an encrypted ID, and this was an oversight on our behalf. This bug doesn't count towards unique finds. | Insecure direct object reference | 4
22 | Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues, such as XSS when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value in JavaScript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in admins being exposed on cancelled appointments as well. | Stored XSS | 47
24 | The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working. | Auth issues | 52
25 | There is a reflective XSS on manageappointment.php that only works on Internet Explorer via the query string. Simply appending XSS as a parameter will reflect it back. Patrice used $_SERVER['QUERY_STRING'] and only tested this against Chrome and Firefox. | Reflective XSS | 0
26 | The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten. | Reflective XSS | 46
27 | It is possible to edit the admin's password (dradmin) from /drapi/editpassword as it only looks for the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1. | Application/Business Logic | 45
28 | The endpoint /drapi/editpassword can actually be accessed unauthenticated. | Auth issues | 20
29 | When uploading a vaccine proof it is possible to achieve stored XSS against admins via the User-Agent header. As this value is not typically thought of as user controlled, the developers did not think it was 'worth' protecting against XSS. | Stored XSS | 25
30 | There is an SQL injection on the vaccination management portal login page which allows the user to log in as the administrator. | SQL Injection | 25
31 | The endpoint api.php can be found under the vaccination management portal directory; it allows for user interaction and results in a PII leak on vax-proof-list.php. | Information leak/disclosure | 19
32 | The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. Firstly, the developer failed to use strtolower() when comparing strings, and the use of characters such as %09 will also bypass the filter. | Reflective XSS | 48
33 | Our mistake: We did not intentionally leave the code to change emails in place if the correct values were set; however, it created interesting results because most discovered this but missed bug IDs 20 and 21, and whilst it was not possible to modify via an integer, if the ID was known it would still work. | Application/Business Logic | 44
34 | This endpoint calls filesize() on the path provided in the 'proof' param with no filtering or sanitisation. By adding the phar:// stream handler to the path, an attacker can force a previously uploaded file to be sent through deserialisation. Coupled with the fact that a gadget-chain vulnerable version of monolog is being used, this allows for RCE. | Deserialization | 31
35 | A cronjob is set to execute the file /app/firstblood/scheduler.php every minute as the root user. This file is writable by the firstblood PHP pool user (fb-exec). The [checkproof bug] can be combined with this to obtain root privileges. | RCE | 20
36 | It is possible to use composer.json to aid with another vulnerability by gaining information on the versions used. | Information leak/disclosure | 28
37 | The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php. | Information leak/disclosure | 24
38 | Unintended/not working correctly: On first start, if a doctor account doesn't have an active session (no logins), then it is possible to achieve account takeover by providing a blank drps= cookie in a request to /drpanel/. As this is an isolated edge case it won't count towards a unique finding. | Application/Business Logic | 4
39 | Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS, but due to an oversight from Sean and Karl the new code did not make it into production. This has since been updated, after the event ended, and you're recommended to re-try. It's related to bug ID 26 because the idea was that the developers fixed *this* one (when redirecting) but forgot the other reflection. | Reflective XSS | 26
40 | The endpoint qp.php used to respond to GET requests and should only allow administrators to query for patient information; however, the developers only fixed the bug partially and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins, but query.php was fixed completely whereas qp.php was not. | Application/Business Logic | 38
41 | Not fully working: Whilst it isn't possible to achieve stored XSS without having access to the database (from SQL injection or RCE), when an appointment is "missed" with "state=1", the date of birth is not protected from XSS. We ran out of time to finish building appointment handling so it doesn't count towards unique finds, but this was a feature we planned to build, so it was interesting to see someone discover it! | Stored XSS | 1
42 | The endpoint /api/checkproof.php can be used to check whether an arbitrary file path exists on the server. There is no real impact from this and it's not something we intentionally added as an issue, so this won't count towards a unique finding. | Information leak/disclosure | 9
43 | The session cookie is not invalidated in the database, and thus old session tokens remain valid until a new login is made and a new session token is set. | Application/Business Logic | 9
44 | Whilst there's no security impact, it is possible to manage a cancelled appointment by visiting manageappointment.php with a valid appointmentID. When attempting to view a cancelled appointment via qa.php it will not respond, but manageappointment.php fails to do the same checks. | Application/Business Logic | 5
Researcher | 'FirstBlood' Bugs | Respect | Hacking Time
---|---|---|---
iamvictorteh Level 6 | 19 — 0 disclosed | 0 | 2 days, 23 hours, 43 minutes and 14 seconds |
holybugx Level 5 | 19 — 14 disclosed | 350 | 2 days, 23 hours, 42 minutes and 39 seconds |
panya Level 7 | 19 — 20 disclosed | 160 | 1 days, 7 hours, 31 minutes and 52 seconds |
mrrootsec Level 2 | 18 — 17 disclosed | 200 | 3 days, 15 hours, 4 minutes and 24 seconds |
xnl-h4ck3r Level 4 | 18 — 16 disclosed | 30 | 2 days, 3 hours, 47 minutes and 30 seconds |
eliee Level 7 | 17 — 4 disclosed | 100 | 1 days, 11 hours, 56 minutes and 21 seconds |
newrouge Level 3 | 17 — 20 disclosed | 40 | 2 days, 17 hours, 36 minutes and 7 seconds |
kinako Level 5 | 17 — 10 disclosed | 80 | 1 days, 21 hours, 0 minutes and 10 seconds |
0x1452 Level 3 | 17 — 15 disclosed | 30 | 1 days, 1 hours, 55 minutes and 38 seconds |
shreky Level 4 | 17 — 16 disclosed | 280 | 2 days, 13 hours, 6 minutes and 54 seconds |
isitbug Level 3 | 17 — 0 disclosed | 0 | 1 days, 12 hours, 14 minutes and 54 seconds |
buraaq Level 2 | 17 — 6 disclosed | 40 | 2 days, 3 hours, 46 minutes and 12 seconds |
0xconft Level 5 | 16 — 5 disclosed | 0 | 1 days, 12 hours, 7 minutes and 48 seconds |
shivam18u Level 3 | 15 — 12 disclosed | 10 | 1 days, 0 hours, 15 minutes and 25 seconds |
vermsec Level 4 | 15 — 0 disclosed | 0 | 0 days, 6 hours, 14 minutes and 3 seconds |
netmous3 Level 4 | 15 — 1 disclosed | 20 | 3 days, 22 hours, 19 minutes and 11 seconds |
vigilante Level 4 | 15 — 13 disclosed | 0 | 3 days, 8 hours, 26 minutes and 13 seconds |
vishal Level 2 | 14 — 18 disclosed | 50 | 2 days, 7 hours, 54 minutes and 44 seconds |
0xblackbird Level 5 | 14 — 13 disclosed | 110 | 1 days, 12 hours, 50 minutes and 36 seconds |
gh0st10 Level 6 | 12 — 0 disclosed | 0 | 1 days, 8 hours, 46 minutes and 54 seconds |
thebinarybot Level 2 | 12 — 0 disclosed | 0 | 0 days, 15 hours, 37 minutes and 0 seconds |
amec0e Level 3 | 12 — 10 disclosed | 10 | 2 days, 16 hours, 48 minutes and 26 seconds |
twsec Level 2 | 12 — 15 disclosed | 0 | 4 days, 3 hours, 23 minutes and 30 seconds |
r0x61tremy Level 3 | 11 — 2 disclosed | 50 | 0 days, 15 hours, 25 minutes and 34 seconds |
sumyth Level 2 | 11 — 10 disclosed | 10 | 0 days, 23 hours, 43 minutes and 34 seconds |
serizao Level 2 | 10 — 0 disclosed | 0 | 0 days, 8 hours, 45 minutes and 58 seconds |
jomar Level 4 | 10 — 0 disclosed | 0 | 0 days, 8 hours, 20 minutes and 51 seconds |
stfn Level 3 | 9 — 0 disclosed | 0 | 1 days, 10 hours, 10 minutes and 40 seconds |
yashamin Level 2 | 9 — 1 disclosed | 60 | 0 days, 17 hours, 7 minutes and 58 seconds |
ibruteforce Level 4 | 9 — 0 disclosed | 0 | 0 days, 9 hours, 10 minutes and 30 seconds |
c3phas Level 4 | 9 — 3 disclosed | 50 | 2 days, 3 hours, 49 minutes and 16 seconds |
neolex Level 2 | 9 — 10 disclosed | 0 | 0 days, 8 hours, 52 minutes and 38 seconds |
th4nu0x0 Level 2 | 9 — 7 disclosed | 0 | 1 days, 1 hours, 49 minutes and 0 seconds |
natsu19 Level 3 | 8 — 0 disclosed | 0 | 0 days, 9 hours, 46 minutes and 26 seconds |
axe Level 4 | 8 — 10 disclosed | 0 | 3 days, 12 hours, 52 minutes and 12 seconds |
luisk2 Level 3 | 8 — 0 disclosed | 0 | 1 days, 3 hours, 56 minutes and 4 seconds |
sehno Level 3 | 7 — 0 disclosed | 0 | 0 days, 17 hours, 43 minutes and 5 seconds |
d20s84 Level 3 | 7 — 7 disclosed | 10 | 1 days, 5 hours, 35 minutes and 15 seconds |
n1ghtmar3 Level 2 | 7 — 0 disclosed | 0 | 1 days, 13 hours, 57 minutes and 21 seconds |
dravee Level 4 | 7 — 0 disclosed | 0 | 0 days, 22 hours, 23 minutes and 37 seconds |
yougina Level 3 | 7 — 0 disclosed | 0 | 1 days, 14 hours, 6 minutes and 48 seconds |
sumzer0 Level 2 | 7 — 1 disclosed | 10 | 1 days, 15 hours, 8 minutes and 23 seconds |
bobbylin Level 4 | 7 — 0 disclosed | 0 | 0 days, 0 hours, 0 minutes and 0 seconds |
zeeshan1337 Level 2 | 7 — 0 disclosed | 0 | 1 days, 3 hours, 57 minutes and 16 seconds |
rephlexsion Level 3 | 7 — 0 disclosed | 0 | 2 days, 4 hours, 26 minutes and 7 seconds |
0xirfan Level 5 | 6 — 4 disclosed | 0 | 0 days, 19 hours, 13 minutes and 24 seconds |
thecast Level 3 | 6 — 1 disclosed | 20 | 1 days, 2 hours, 17 minutes and 28 seconds |
gratitude Level 3 | 5 — 0 disclosed | 0 | 0 days, 6 hours, 32 minutes and 50 seconds |
mava Level 2 | 4 — 0 disclosed | 0 | 0 days, 0 hours, 16 minutes and 56 seconds |
pichik Level 4 | 3 — 0 disclosed | 0 | 0 days, 15 hours, 21 minutes and 42 seconds |
johandu97 Level 4 | 3 — 3 disclosed | 0 | 1 days, 11 hours, 10 minutes and 26 seconds |
predator97x Level 2 | 3 — 0 disclosed | 0 | 0 days, 1 hours, 24 minutes and 30 seconds |
0xsaltyhash Level 3 | 3 — 3 disclosed | 0 | 0 days, 12 hours, 0 minutes and 57 seconds |
th33phoenix Level 4 | 2 — 2 disclosed | 0 | 0 days, 19 hours, 5 minutes and 48 seconds |
jonlaing Level 2 | 2 — 0 disclosed | 0 | 0 days, 9 hours, 9 minutes and 25 seconds |
captboykin Level 2 | 2 — 0 disclosed | 0 | 0 days, 17 hours, 40 minutes and 46 seconds |
tmaxxer Level 2 | 2 — 0 disclosed | 0 | 0 days, 0 hours, 6 minutes and 8 seconds |
agentmellow Level 3 | 2 — 0 disclosed | 0 | 1 days, 6 hours, 21 minutes and 10 seconds |
rahat Level 2 | 1 — 0 disclosed | 0 | 0 days, 4 hours, 19 minutes and 37 seconds |
bowen229 Level 2 | 1 — 0 disclosed | 0 | 0 days, 5 hours, 9 minutes and 39 seconds |
iffu Level 5 | 1 — 0 disclosed | 0 | 0 days, 2 hours, 0 minutes and 29 seconds |
iambilaal Level 3 | 1 — 0 disclosed | 0 | 0 days, 0 hours, 28 minutes and 27 seconds |
liammcknight Level 2 | 1 — 0 disclosed | 0 | 0 days, 6 hours, 30 minutes and 0 seconds |
asdcxsd Level 2 | 1 — 0 disclosed | 0 | 0 days, 1 hours, 31 minutes and 55 seconds |