In this level we were presented with an ELF 64bits executable, a good oportunity to exercise linux exploiting on 64bits systems and try Hopper for the first time :) When you run the binary, it begins listening in port 31415 (pi!) but if we try to connect, it complains about a missing user “gambino”. So we have to create the user. Once created, if we try to connect to the service we get nothing.
This is just a copy of the post I wrote in the HP corporate blog, but just wanted to post it as well to spread the word: While working on a JSF (Java Server Faces) test case recently I had one of those WAT?!?! moments - where something you take for granted starts behaving in a completely different way from how you expect. In this case it was even worse, since the behavior I was observing was breaking my application security and undermining the trust I place on libraries and frameworks as a developer.
We didnt have time to finish this task during the game since we decided to finish Freestyle 400 (scored in the last minute) but as I foound out later, we were close to finish it. In this level we were presented with a login form vulnerable to user enumeration. It was easy to see that admin was a valid user but we could not guess the password. After trying with other “normal” accounts like guest, dev and so on, we found that debug was a valid account and the password was debug.
In this task we were presented an audio file (similar.ogg) containg a signal that sounded like a Fax machine. Actually a Hint later published read 129 LPM (Lines per minute) so it looked like a RadioFax or HF Fax transmission. So we could use RadioFax software to extract the image being transmitted. We tried different tools like MultiPSK, MIXW and SeaTTY and finally got some “clear enough” images: and We saw the contents of a file being transmitted in something that looked like UUencoding:
I had the honour to participate with int3pids in the #Olympic CTF and these are the write ups of the Web tasks we solved. CURLing 200: Xnginx In this level we were presented with a simple web site where we could check some news First thing to notice is that the news URL is vulnerable to path transversal: http://220.127.116.11:27280/news/?f=31-12-2013 http://18.104.22.168:27280/news/?f=../../../../../etc/passwd Since the name of the task was xnginx I looked for the nginx configuration file:
There are many Struts 2 developers familiar with the Struts 2 development mode on which more verbose logs are produced and handy resource reloading is done on a request basis to avoid restarting the server every time we change a property, validator and so on. What it is not so well known (actually it doesn’t even appear in the Struts 2 devmode site) is that it enables a OGNL injection backdoor allowing the developers to check their Value Stacks with ease and from a handy OGNL console or request parameter.
OGNL is an expression language for getting and setting properties of Java objects, plus other extras such as list projection, selection, lambda expressions and method invocation. So if attackers can provide the OGNL engine with arbitrary OGNL expressions, they will be able to execute arbitrary code on the application server and/or access and modify any value stored in the Struts 2 value stack. Struts 2 provided an addition layer of protection by disabling static method invocation so that methods like java.
In this level we are said that: We have intercepted communication in a private network. It is used a strange protocol based on RSA cryptosystem. Can you still prove that it is not secure enough and get the flag? We are given a pcap file with a bunch of transmissions generated with this script: #!/usr/bin/python import sys import struct import zlib import socket class Client: def __init__(self, ip): #init self.
I did not solve this level during the CTF, but found it so interesting reading Xelenonz write-up that I couldnt help trying it myself just for the fun and since this blog is my personal notes, I decided to write it here for future reference, but all credits go to Xelenonz. We are given the code of a Image hostig web app. Reading the code we see how it handle the requests:
In this level we are presented with a crypto system based on Matrix operations: #!/usr/bin/python import random from struct import pack def Str2matrix(s): #convert string to 4x4 matrix return [map(lambda x : ord(x), list(s[i:i+4])) for i in xrange(0, len(s), 4)] def Matrix2str(m): #convert matrix to string return ''.join(map(lambda x : ''.join(map(lambda y : pack('!H', y), x)), m)) def Generate(password): #generate key matrix random.seed(password) return [[random.randint(0,64) for i in xrange(4)] for j in xrange(4)] def Multiply(A,B): #multiply two 4x4 matrix C = [[0 for i in xrange(4)] for j in xrange(4)] for i in xrange(4): for j in xrange(4): for k in xrange(4): C[i][j] += A[i][k] * B[k][j] return C def Encrypt(fname): #encrypt file key = Generate('') data = open(fname, 'rb').