Saturday, 19 July 2014

Volga CTF quals 2014

Team r00t managed only 700 points and secured 80th position

This was 1 really son of a difficult CTF

Web100-

If login successful, You will be given a particular phpsession.
Login was easy. you enter random name and it will get registered and access will be given.

Task was Session fixation.

After login in. In source we can see help.php


In link place give your link to the page where the session id is assigned.

and refresh the loged in page.

flag: Easy_task_on_Session_Fixation

Comments are welcomed...
Question solving skill: x7r0n

Web200-

Guess they where using strcmp function to password.
Change password to array elements.


response for the above request [image]

I don't know whether this is how challenge was made to be solved. But this shit worked :D

Comments are welcomed :)

Monday, 30 September 2013

Facebook CTF - ACCESS LEVEL 1 WriteUP

Facebook CTF 2013 - NcN 2013

There where only 3 access levels - web, android apk, and Linux executable. All where reverse engineering only.

Access Level - 1


Whatever input 'key' is given you get a alert saying 'Invalid password!'.

Tools -> browser with JavaScript console. I used Google Chrome :p

Analysing the source code we get -
<form action="login.php" method="POST" onsubmit="return encrypt(this);">

So onsubmit a "encrypt" function is called. So using the browser JavaScript console lets take a look at the script running behind.

 function encrypt(form)
 {
var res;
res=numerical_value(form.password.value);
res=res*(3+1+3+3+7);
res=res>>>6;
res=res/4;
res=res^4153;
if(res!=0)
{
alert('Invalid password!');
}
else
{
alert('Correct password :)');
}
form.key.value=numerical_value(form.password.value);
form.verification.value="yes"+simpleHash(form.password.value);
 return true;
 }

That's it. our work is simple - just to make the condition inside IF as FALSE. That can be achieved by making the var res = 0. So the reverse engineering work starts NOW.

Time to analyse the code and start reversing it.
- Before if we have XOR. so res should be equal to 4153 to make res=0
- res * 4 [ 4153*4 = 16612]
- >>> right shift so we have 16612 = X>>>6.
  16612 - 100000011100100
  we have no idea about the lost rightmost 6 bits. Taking it to 0's lets proceed.
  100000011100100+000000 -  1063168 But it can vary with +0 to +63.
- 1063168/(3+1+3+3+7) = 62539.2941176 ~ 62540.
-  now a weird function numerical_value

 function numerical_value(str)
 {
var i,a=0,b;
for(i=0;i<str.length;++i)
{
b=ascii_one(str.charAt(i));
a+=b*(i+1);
}
 return a;
 }

observe one more function ascii_one

function ascii_one(foo)
{
foo=foo.charAt(0);
var i;
for(i=0;i<256;++i)
{
var hex_i=i.toString(16);
if(hex_i.length==1)
hex_i="0"+hex_i;
hex_i="%"+hex_i;
hex_i=unescape(hex_i);
if(hex_i==foo)
break
}

But here no need to analyse. Just manual brute force of the var str; to get a appx value of 62540. I got 62545.
var str="zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea";

start with random number of a's then modify here and there with the logic of starting strings have less weight-age and ending char's have the most!

so for me this is the key - "zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea". It will vary from person to person.

After submiting the key -

Congrats! you passed the level! Here is the key: 23f8d1cea8d60c5816700892284809a94bd00fe7347645b96a99559749c7b7b8

*** Note this was easy because without knowing much of JavaScript i could solve it.
-> And a rough screenshot of manual brute force. So you can get a rough idea -
Please download OR open the image for clear view :D :D

-> Any one solved it in a much simpler way please comment your way for solving problem.
-> Suggestions/Comments are most welcomed !!! :)


Thanks for reading through

Happy hacking! Happy coding!!

Monday, 17 June 2013

Defcon 2013 3dub - 1, 2 and 4. Web WriteUp

DefCon 2013 3dub - Web based challenges.

This is the first time 'm writing Wiriteup for any ctf [practice].  So please bare with it :D

3dub - 1

What ever name to enter in the username field will be accepted and you be logged in with that name.
After logging in you will get a message that LOGIN as admin.

but if give "admin" in the username field , You will get a message saying admin login disabled.

But for every login with different usernames the cookies where changing.

Observation -->
username  cookie 

a - 09
b - 0a
ab - 09ce
ba - 0acd
abc - 09cd29
aaaaaa - 09cd2994af
its just a hex based addition with the base "aaaaa". But no need to do the hex addition also.
get cookie for 
admi - 09c8259c
aaaan- 09cd2994a0

=> admin - 09c8259ca0

save cookie and refresh, you get the key.
the key is The key is: who wants oatmeal raisin anyways twumpAdby

Easiest challenge in DefCon 2013.

3dub - 2

Login page.

Obviously tried SQL injection first. WORKED!
but i could login as root but no use because no key.

Tried analysis the GET and POST requests in ZAP.
X-SQL : SELECT name FROM users WHERE name ='   ' and pasword='   ' limit 1;

waste time crafting requests wrt to MySQL.
I could login as root and anynumber from 0 yo +Inf :D

Afterwards i found it was SQLite. The done -

  • asd'OR'1'='1' UNION SELECT name FROM sqlite_master WHERE type = "table"--I logged in as keys.
  • asd'OR'1'='1' UNION SELECT name FROM keys --
got the key-
logged in as The key is: literally online lolling on line WucGesJi

3dub - 4

Was a easy one but wasted more than 6 hours in this still managed NOT to get the key. Like a BOSS XD

File name and the access code..
it opened for usernmaes.txt with accesscode - 60635c6862d44e8ac17dc5e144c66539.
But no access fro passwords.txt with the same accesscode.

Found that accesscode=md5(filename)

Opened the passwords.txt i was shocked to see everything was SHA-512/SALT hashing.
Thought i would move on to next one than decrypting these passwords.
But that would be lame to hash to that extent. That was a distraction. :p

Time to brute force the filename. Found
key.txt with accesscode - 65c2a527098e1f7747eec58e1925b453

Content of key.txt-
2GXuC0wS4O1MI8OpuoV1NkjsMM6zkzLpcQfOpMKniiogUoCS3yhTyZbm8a9BCEgHdl19bWEMziZiZDbLI+V2dQ==
By looking at the content of key.txt it was base64. Decoded with online base64 deocder. Got invalid ascii code not the key!

content of key.txt was changing with time. Suspected functions - time() and rand().
Major time waste here.

Afterwards i gave the getfile.php which was helping us to opne the file.
getfile.php with accesscode- 0701593e23e676eaba834916a6ac7272.

Contents of getfile.php-

Acces granted to getfile.php!


$value = time();
$filename = $_GET["filename"];
$accesscode = $_GET["accesscode"];
if (md5($filename) == $accesscode){
echo "Acces granted to $filename!

";
srand($value);
if (in_array($filename, array('getfile.php', 'index.html', 'key.txt', 'login.php', 'passwords.txt', 'usernames.txt'))==TRUE){
$data = file_get_contents($filename);
if ($data !== FALSE) {
if ($filename == "key.txt") {
$key = rand();
$cyphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC);
echo base64_encode($cyphertext);
}
else{
echo nl2br($data);
}

}
else{
echo "File does not exist";
}
}
else{
echo "File does not exist";
}

}
else{
echo "Invalid access code";
}
?>

```````````````````````````````````````````````````
***k it! 'm going to sleep. But i dint. Because I have wasted a lot of time on this..
This needed a Brute force. No way for manually doing that.

Brute force script in PHP -
<?php
error_reporting(0); 
for ($key = 0; $key <= getrandmax(); $key++) 
{

$text="5HHOwWMXYH5UxvzIzxqMY3vuwyCJ5BVdzwm5puqduZrsPTxfsFNKXXMlwhZj5W/1o  Sv3ENrCpbIMF9cJQ5Gndg==";

$data=mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($text),           MCRYPT_MODE_CBC);

echo $data;
echo "<br>";
}
?>

Dump of brute force.

Search for the string with starting "the key is".
No match found. No idea WHY?

Waiting for other Writeups from pros to find my mistake.

Any suggestions, please comment.

Update on 18-06-2013-->

With the help of the comment by CĂ©lestin Perdu got to know where i had missed the point.

You can use ZAP or Burp Suite anything. Get the date and time of the response, convert it to linux timestamp.

$ date -d "which you got from the tool" +% s

Use this value as key. And you should get the flag.

Thanks for reading. Suggestion and comments welcomed!