Monday, 30 September 2013

Facebook CTF - ACCESS LEVEL 1 WriteUP

Facebook CTF 2013 - NcN 2013

There were only 3 access levels - web, Android APK, and Linux executable. All were reverse engineering only.

Access Level - 1


Whatever input 'key' is given, you get an alert saying 'Invalid password!'.

Tools -> browser with JavaScript console. I used Google Chrome :p

Analysing the source code we get -
<form action="login.php" method="POST" onsubmit="return encrypt(this);">

So on submit an "encrypt" function is called. Using the browser JavaScript console, let's take a look at the script running behind it.

function encrypt(form)
{
    var res;
    res=numerical_value(form.password.value);
    res=res*(3+1+3+3+7);
    res=res>>>6;
    res=res/4;
    res=res^4153;
    if(res!=0)
    {
        alert('Invalid password!');
    }
    else
    {
        alert('Correct password :)');
    }
    form.key.value=numerical_value(form.password.value);
    form.verification.value="yes"+simpleHash(form.password.value);
    return true;
}

That's it. Our work is simple - just make the condition inside the IF false. That can be achieved by making the var res = 0. So the reverse engineering work starts NOW.

Time to analyse the code and start reversing it.
- Just before the if we have the XOR, so res should equal 4153 before it to make res=0.
- res * 4 [ 4153*4 = 16612 ]
- >>> is an unsigned right shift, so we have 16612 = X>>>6.
  16612 - 100000011100100
  We have no idea about the lost rightmost 6 bits. Taking them as 0's, let's proceed.
  100000011100100+000000 - 1063168. But it can vary by +0 to +63.
- 1063168/(3+1+3+3+7) = 62539.2941176 ~ 62540.
- Now a weird function, numerical_value:

function numerical_value(str)
{
    var i,a=0,b;
    for(i=0;i<str.length;++i)
    {
        b=ascii_one(str.charAt(i));
        a+=b*(i+1);
    }
    return a;
}

Observe one more function, ascii_one:

function ascii_one(foo)
{
    foo=foo.charAt(0);
    var i;
    for(i=0;i<256;++i)
    {
        var hex_i=i.toString(16);
        if(hex_i.length==1)
            hex_i="0"+hex_i;
        hex_i="%"+hex_i;
        hex_i=unescape(hex_i);
        if(hex_i==foo)
            break;
    }
    return i; // the character code found by the loop (the listing was cut off here)
}

But here there is no need to analyse it. Just manually brute force the var str to get an approximate value of 62540. I got 62545.
var str="zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea";

Start with a random number of a's, then modify characters here and there, keeping in mind that the starting characters have less weight and the ending characters have the most!

So for me this is the key - "zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea". It will vary from person to person.
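As an added example (not code from the original post), here is the same check re-implemented in Node.js together with a small solver that replaces the manual brute force: it lists every total numerical_value() may return for the check to pass and builds a lowercase password for any of them. Function names are my own.

```javascript
// Same weighting as the challenge's numerical_value(): position i (1-based) times the
// character code. ascii_one() is just the character code for anything below 256.
function numericalValue(str) {
  let a = 0;
  for (let i = 0; i < str.length; i++) a += str.charCodeAt(i) * (i + 1);
  return a;
}

// The arithmetic from encrypt(), step for step. Note that >>> and ^ truncate to 32-bit
// integers while / does not, which is why the lost low bits give some slack.
function totalPasses(total) {
  let res = total * (3 + 1 + 3 + 3 + 7);
  res = res >>> 6;
  res = res / 4;
  res = res ^ 4153;
  return res === 0;
}

function passesCheck(password) {
  return totalPasses(numericalValue(password));
}

// Every total the check accepts, found by scanning instead of reasoning about the
// dropped bits by hand (the estimate in the text, ~62540, is the lower end).
function acceptedTotals(limit = 200000) {
  const totals = [];
  for (let n = 0; n <= limit; n++) if (totalPasses(n)) totals.push(n);
  return totals;
}

// Build a lowercase password whose weighted sum is exactly `target`: take the longest
// all-'a' string that fits, then spend the remainder from the heaviest (last) position
// downwards, raising each letter by at most 25 ('a' to 'z'). Returns null if impossible.
function buildPassword(target) {
  let n = 1;
  while (97 * (n + 1) * (n + 2) / 2 <= target) n++;
  const codes = new Array(n).fill(97);
  let rest = target - 97 * n * (n + 1) / 2;
  for (let pos = n; pos >= 1 && rest > 0; pos--) {
    const step = Math.min(25, Math.floor(rest / pos));
    codes[pos - 1] += step;
    rest -= step * pos;
  }
  return rest === 0 ? String.fromCharCode(...codes) : null;
}

// Example run: the author's hand-made key, the number of accepted totals, and a
// generated password for the lowest accepted total.
console.log(passesCheck('zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea'), acceptedTotals().length, buildPassword(62540));
```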

After submitting the key -

Congrats! you passed the level! Here is the key: 23f8d1cea8d60c5816700892284809a94bd00fe7347645b96a99559749c7b7b8

*** Note: this was easy because I could solve it without knowing much JavaScript.
-> And a rough screenshot of the manual brute force, so you can get a rough idea -
Please download OR open the image for a clear view :D :D

-> Anyone who solved it in a much simpler way, please comment with your way of solving the problem.
-> Suggestions/Comments are most welcome !!! :)


Thanks for reading through

Happy hacking! Happy coding!!

Monday, 17 June 2013

Defcon 2013 3dub - 1, 2 and 4. Web WriteUp

DefCon 2013 3dub - Web based challenges.

This is the first time I'm writing a writeup for any CTF [practice]. So please bear with it :D

3dub - 1

Whatever name you enter in the username field will be accepted and you will be logged in with that name.
After logging in you will get a message saying LOGIN as admin.

But if you give "admin" in the username field, you will get a message saying admin login disabled.

But for every login with a different username the cookie was changing.

Observation -->
username - cookie

a - 09
b - 0a
ab - 09ce
ba - 0acd
abc - 09cd29
aaaaaa - 09cd2994af
It's just hex-based addition on top of the base "aaaaa" cookie. But there is no need to actually do the hex addition either.
Get the cookie for:
admi - 09c8259c
aaaan - 09cd2994a0

=> admin - 09c8259ca0

Save the cookie and refresh, and you get the key.
The key is: who wants oatmeal raisin anyways twumpAdby

Easiest challenge in DefCon 2013.

3dub - 2

Login page.

Obviously tried SQL injection first. WORKED!
But I could only login as root, which was no use because there was no key.

Tried analysing the GET and POST requests in ZAP.
X-SQL : SELECT name FROM users WHERE name ='   ' and pasword='   ' limit 1;

Wasted time crafting requests for MySQL.
I could login as root and as any number from 0 to +Inf :D

Afterwards I found it was SQLite. Then done -

  • asd'OR'1'='1' UNION SELECT name FROM sqlite_master WHERE type = "table"--    (I logged in as keys.)
  • asd'OR'1'='1' UNION SELECT name FROM keys --
Got the key-
logged in as The key is: literally online lolling on line WucGesJi

3dub - 4

Was an easy one, but I wasted more than 6 hours on it and still managed NOT to get the key. Like a BOSS XD

It asks for a file name and the access code..
It opened usernames.txt with accesscode - 60635c6862d44e8ac17dc5e144c66539.
But no access for passwords.txt with the same accesscode.

Found that accesscode=md5(filename)

Opened passwords.txt and I was shocked to see everything was SHA-512/SALT hashed.
Thought I would rather move on to the next one than crack these passwords.
But it would be lame to hash to that extent. That was a distraction. :p

Time to brute force the filename. Found
key.txt with accesscode - 65c2a527098e1f7747eec58e1925b453

Content of key.txt-
2GXuC0wS4O1MI8OpuoV1NkjsMM6zkzLpcQfOpMKniiogUoCS3yhTyZbm8a9BCEgHdl19bWEMziZiZDbLI+V2dQ==
By looking at the content of key.txt it was base64. Decoded it with an online base64 decoder. Got invalid ASCII, not the key!

The content of key.txt was changing with time. Suspected functions - time() and rand().
Major time waste here.

Afterwards I fetched getfile.php itself, the script that was opening the files for us.
getfile.php with accesscode- 0701593e23e676eaba834916a6ac7272.

Contents of getfile.php-

Acces granted to getfile.php!


<?php
$value = time();
$filename = $_GET["filename"];
$accesscode = $_GET["accesscode"];
if (md5($filename) == $accesscode){
    echo "Acces granted to $filename!\n\n";
    srand($value);
    if (in_array($filename, array('getfile.php', 'index.html', 'key.txt', 'login.php', 'passwords.txt', 'usernames.txt'))==TRUE){
        $data = file_get_contents($filename);
        if ($data !== FALSE) {
            if ($filename == "key.txt") {
                $key = rand();
                $cyphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC);
                echo base64_encode($cyphertext);
            }
            else{
                echo nl2br($data);
            }
        }
        else{
            echo "File does not exist";
        }
    }
    else{
        echo "File does not exist";
    }
}
else{
    echo "Invalid access code";
}
?>

***k it! I'm going to sleep. But I didn't. Because I have wasted a lot of time on this..
This needed a brute force. No way of doing that manually.

Brute force script in PHP -
<?php
error_reporting(0);
for ($key = 0; $key <= getrandmax(); $key++)
{
    $text="5HHOwWMXYH5UxvzIzxqMY3vuwyCJ5BVdzwm5puqduZrsPTxfsFNKXXMlwhZj5W/1oSv3ENrCpbIMF9cJQ5Gndg==";

    $data=mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($text), MCRYPT_MODE_CBC);

    echo $data;
    echo "<br>";
}
?>

Dump of the brute force.

Searched for a string starting with "the key is".
No match found. No idea WHY?

Waiting for other Writeups from pros to find my mistake.

Any suggestions, please comment.

Update on 18-06-2013-->

With the help of the comment by Célestin Perdu I got to know where I had missed the point.

You can use ZAP or Burp Suite, anything. Get the date and time of the response and convert it to a Linux timestamp.

$ date -d "which you got from the tool" +%s

Use this value as key. And you should get the flag.

Thanks for reading. Suggestion and comments welcomed!

Wednesday, 12 June 2013

InCTF'13 [Amrita Cyber Security]


A national-level capture-the-flag contest aimed only at undergraduate, graduate and post-graduate students.

This CTF is meant just for learning and for getting more good teams from India into the world finals of CTF contests.
FYI: CTF means capture the flag.

I would recommend anyone interested in computers to give this CTF a try. They teach you through the process. But yeah! HARD WORK is expected from you, and you should have some programming knowledge. It doesn't matter which branch/stream of specialisation you are doing; don't think it's meant only for geeks from the computer science branch. I'm from an Electronics and Communication background and still took a respectable position in InCTF'13 --> second position. Even if you are from a mechanical background and still fascinated by this computer stuff, go ahead and start off with InCTF.

As I have said earlier, InCTF aims more at learning.
This is how InCTF works->

1st round -

  • Purely meant for learning.
  • Designed smartly by the admins/organisers of InCTF to divide the work between the team members. Everyone can't be good at everything, so you've got to stick to the topics you choose to take in this round, and become good at them.
  • Topics - Basics of Linux, SQL [ Web Based ], secure programming, Reverse Engineering, Cryptography.
This round is not mandatory, but I STRONGLY RECOMMEND taking this round seriously and using it to learn, because the organisers are ready to help at any time during the 1st round.

The tool needed to finish this round successfully is GOOGLE.

2nd round - Jeopardy type.

Qualification round for the national-level finals, i.e. the main CTF game.

This time they gave us a 1 week time duration, UNLIKE other CTFs which have 1-2 days.
This round is damn interesting because noobs like US need to learn and then use that knowledge to complete the tasks. So we utilised this round also for learning.

I saw that many teams were giving up because they had NO CLUE about how to even look at the tasks. Even when we opened the tasks, we were BLANK. But according to me what you need is just PATIENCE and DETERMINATION. That's all; with that you can solve 80% of the tasks in all categories. At any time you can walk into their IRC and ask them whether you are on the right path for solving a particular task or not.


3rd round - Capture the flag

Time to implement! Time to test what you have learnt!

On the 1st day you will have a mock round, which gives an idea about what to do the next day. It is basically aimed at not wasting time on the contest day. Every minute matters in the finals.

Basically you will have to exploit the different types of services to get the flags.

Your team will be scored/valued on your

  1. Defence - your patching work.
  2. Offence - exploiting other teams' services and submitting their precious flags :p
  3. Ethical - reporting advisories.
That's all about InCTF.

We participated with the team name r00t.
Team members-
  • y0g1337h - Yogeesh Seralthan,
  • vn4v1n - Movnavinothan V &
  • x7r0n - Adithya Naresh.
1st round: we divided the work and learnt.
2nd round: LANing up is very important. We LANed up in our college hostel [ Amrita School of Engineering ] :p
3rd round: we had awesome fun exploiting services, patching them, and reporting the vulnerabilities.

Thanks for organising such an awesome event -
Arvind S Raj, Seshagiri Prabhu, Bithin Alangot.
They represent the team bi0s, one of the 1337 teams in INDIA.

Pic of the trophy we earned in InCTF'13



So what are you waiting for? Form a team and start working. Earn the trophy + good cash prize + respect + knowledge + recognition.

http://inctf.in/gallery/inctf13.html

Useful links-


mailto: contact@inctf.in
http://www.inctf.in
Google groups secure-codein@googlegroups.com

Feel free to comment.