The challenge wasn't that hard; in fact, just open OllyDbg and you would immediately see that this is a binary compiled with perl2exe. Basically it converts Perl code into an executable, so we can easily get back to the original code by using this Python script: http://pastebin.com/LiiMuN0K
Now just give the challenge's executable as argument and take the flag from a comment in the _main.pl file.
In this challenge we faced a login form that we had to bypass in order to get the flag. It uses a NoSQL database, so no SQL injection this time. If we try to log in we always get the same message informing us that the user doesn't exist. But if we input a username with spaces in it, an error is returned:
BSD licensed, advanced key-value store returned an error: -ERR wrong number of arguments for 'get' command
What does this mean? Googling the error we discovered that the query we submit is processed by Redis (http://redis.io/). With Redis, to submit more than one query you have to use the CRLF characters. We tried this: http://126.96.36.199:5000/?action=login&username=asd%0d%0ainfo&password=asd
and a message popped out saying the SHA-1 in the database doesn't match the SHA-1 of the password we supplied. So now we know that the script compares the output of the query with our password hashed with SHA-1. Now a problem: how do we return a custom SHA-1 hash? The SCRIPT LOAD command helps us. In fact ECHO, PUBLISH, etc. were denied, so we cannot use them. As the documentation says, SCRIPT LOAD returns the SHA-1 of the code it loads, so just put Lua code like 'print (11)' in the username field after SCRIPT LOAD, and in the password field put the same code, 'print (11)'. The final query is:
http://188.8.131.52:5000/?action=login&username=j%0d%0a%0d%0a script load print(11)&password=print(11)
P.S.: since the output didn't show up when submitting a second query, we had to submit a third one.
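Why the CRLF trick above worked, and what stops it, as an added example that is not part of the original write-up: a login handler that pastes the username into Redis' inline protocol lets an embedded CRLF terminate the command and start a second one, whereas RESP framing (what real Redis clients send) length-prefixes every argument so a CRLF inside it is just data. The `user:` key prefix and the `script_sha` helper are assumptions for illustration; the helper only mirrors the documented fact that SCRIPT LOAD returns the SHA-1 of the script body.

```python
import hashlib
import re


def inline_command(username: str) -> bytes:
    """Naive inline-protocol framing: the user-controlled string is pasted
    straight into the command line, so a CRLF inside it ends the GET early
    and whatever follows is parsed by Redis as a separate command."""
    return f"GET user:{username}\r\n".encode()


def count_inline_commands(payload: bytes) -> int:
    """Number of commands a server reading the inline protocol would see."""
    return len([line for line in payload.split(b"\r\n") if line.strip()])


def resp_command(*args: str) -> bytes:
    """RESP array framing: '*<argc>' then '$<len>' + bytes for each argument.
    Because each argument carries its byte length, a CRLF embedded in the
    username cannot terminate the argument or inject a second command."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode()
        out.append(f"${len(data)}\r\n".encode() + data + b"\r\n")
    return b"".join(out)


def username_is_sane(username: str) -> bool:
    """Defence in depth on top of proper framing: reject anything that is
    not a plain identifier before it ever reaches the datastore."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", username) is not None


def script_sha(lua_source: str) -> str:
    """SCRIPT LOAD answers with the SHA-1 of the script text; the challenge
    compared that reply with the SHA-1 of the submitted password, which is
    why the same Lua snippet in both fields matched."""
    return hashlib.sha1(lua_source.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample input: the CRLF-split username from the write-up.
    evil = "asd\r\ninfo"
    print(count_inline_commands(inline_command(evil)), "command(s) seen by inline parser")
    print(resp_command("GET", f"user:{evil}"))
    print(username_is_sane(evil), username_is_sane("asd"))
```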
This task was really easy, 100 points gifted I would say. Basically it was a pcap file containing multiple requests, from HTTP to SSH and DNS. Filtering all HTTP requests, a file "rootkit.zip" showed up. We tried to extract it but a password was required. So, analyzing the requests further with a filter like "(ip.addr eq 10.142.0.1 and ip.addr eq 10.142.0.3) and (udp.port eq 31337 and udp.port eq 4242)", one interesting stream came up:
If you look after the "6unzip" string, a letter follows it: "a", then in the next line another one, "l", and so on. Later you'll find out that this is the password to extract the zip. The password is "alongpassword1234"; just open the archive with it and cat the flag.