Many attempts have been made at creating a federated identity system for the web (see OpenID, for example). However, none of them have been successful. Until today. The DomainAuthenticator is based off a novel protocol for establishing identities. To authenticate to a site, you simply provide it username, password, and pingback URL. The site posts your credentials to the pingback URL, which returns either "AUTHENTICATED" or "DENIED". If "AUTHENTICATED", the site considers you signed in as a user for the pingback domain. You can check out the Stripe CTF DomainAuthenticator instance here: https://level05-2.stripe-ctf.com/user-wrkuxcbdzu. We've been using it to distribute the password to access Level 6. If you could only somehow authenticate as a user of a level05 machine... To avoid nefarious exploits, the machine hosting the DomainAuthenticator has very locked down network access. It can only make outbound requests to other stripe-ctf.com servers. Though, you've heard that someone forgot to internally firewall off the high ports from the Level 2 server. Interesting in setting up your own DomainAuthenticator? You can grab the source from git clone https://level05-2.stripe-ctf.com/user-wrkuxcbdzu/level05-code, or by reading on below.
This one seems simple at first. It's just a matter of using a machine on the stripe-ctf.com domain - and we all know from Level 2 that we can upload any file we want, right?
Ahh, but there's a catch - just uploading a file on Level 2 allowed us to authenticate as a Level 2 user, not level 5 like the text above said.
The key here was that the code at line 88-89 pushes back the exact text in the auth request:
return "Remote server responded with: #{body}." \
" Authenticated as #{username}@#{host}!"
Thus, we could in theory point the authentication pingback to the auth script which referenced the Level 2 server like so:
https://level05-2.stripe-ctf.com/user-wrkuxcbdzu/?pingback=https://level02-1.stripe-ctf.com/user-euxiiedciy/ping.php&username=1&password=2
This then would authenticate as a Level 5 user, but using the Text from Level 02.