In this level we are said that our challange is login with administrator role in a service listening on hackyou2014tasks.ctf.su 7777 We are given the following source code:
#!/usr/bin/python from math import sin from urlparse import parse_qs from base64 import b64encode from base64 import b64decode from re import match SALT = '' USERS = set() KEY = ''.decode('hex') def xor(a, b): return ''.join(map(lambda x : chr(ord(x[0]) ^ ord(x[1])), zip(a, b * 100))) def hashme(s): #my secure hash function def F(X,Y,Z): return ((~X & Z) | (~X & Z)) & 0xFFFFFFFF def G(X,Y,Z): return ((X & Z) | (~Z & Y)) & 0xFFFFFFFF def H(X,Y,Z): return (X ^ Y ^ Y) & 0xFFFFFFFF def I(X,Y,Z): return (Y ^ (~Z | X)) & 0xFFFFFFFF def ROL(X,Y): return (X << Y | X >> (32 - Y)) & 0xFFFFFFFF A = 0x67452301 B = 0xEFCDAB89 C = 0x98BADCFE D = 0x10325476 X = [int(0xFFFFFFFF * sin(i)) & 0xFFFFFFFF for i in xrange(256)] for i,ch in enumerate(s): k, l = ord(ch), i & 0x1f A = (B + ROL(A + F(B,C,D) + X[k], l)) & 0xFFFFFFFF B = (C + ROL(B + G(C,D,A) + X[k], l)) & 0xFFFFFFFF C = (D + ROL(C + H(D,A,B) + X[k], l)) & 0xFFFFFFFF D = (A + ROL(D + I(A,B,C) + X[k], l)) & 0xFFFFFFFF return ''.
In this level we are asked to break a code and decrypt msg002.enc. We are given the encryptor code without the key:
#include <stdlib.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { if (argc != 3) { printf("USAGE: %s INPUT OUTPUT\n", argv[0]); return 0; } FILE* input = fopen(argv[1], "rb"); FILE* output = fopen(argv[2], "wb"); if (!input || !output) { printf("Error\n"); return 0; } char k[] = "CENSORED"; char c, p, t = 0; int i = 0; while ((p = fgetc(input)) !
In this level we are presented with some logos we can vote.
If we look at the source code we can see an interesting comment:
... <!-- TODO: remove index.phps --> ... We can grab the source code:
<?php include 'db.php'; session_start(); if (!isset($_SESSION['login'])) { $_SESSION['login'] = 'guest'.mt_rand(1e5, 1e6); } $login = $_SESSION['login']; if (isset($_POST['submit'])) { if (!isset($_POST['id'], $_POST['vote']) || !is_numeric($_POST['id'])) die('Hacking attempt!'); $id = $_POST['id']; $vote = (int)$_POST['vote']; if ($vote > 5 || $vote < 1) $vote = 1; $q = mysql_query("INSERT INTO vote VALUES ({$id}, {$vote}, '{$login}')"); $q = mysql_query("SELECT id FROM vote WHERE user = '{$login}' GROUP BY id"); echo '<p><b>Thank you!
In this level we are presented with a typical Snake game.
I spent a couple of hours deofuscating the javascript code until I was capable of submitting any score. Nice but useless. I also found out that I could fake the IP associated to the score using the X-Forwarded-For header. That was pretty much it until the CTF was about to finish when I was given the hint: “../”. I could use it to locate a LFI vulnerability that was affecting the index.
In this [level]() we were presented with an online shop:
The task name was “AngryBird” and this was very relevant to solve the challange! It actually comes down to two parts:
Finding a hidden admin area Exploiting a blind SQLi to get credentials Finding the hidden admin area We were given the following description:
Some web-developers still host their sites on Windows platform, and think that it is secure enough
These are my solutions to Erling Ellingsen escape.alf.nu XSS challenges. I found them very interesting and I learnt a lot from them (especially from the last ones published in this post). Im publishing my results since the game has been online for a long time now and there are already some sites with partial results.
My suggestion, if you havent done it so far, is to go and try to solve them by yourselves….
These are my solutions to Erling Ellingsen escape.alf.nu XSS challenges. I found them very interesting and I learnt a lot from them (especially from the last ones to be published in Part 2). Im publishing my results since the game has been online for a long time now and there are already some sites with partial results.
My suggestion, if you havent done it so far, is to go and try to solve them by yourselves….
In this level we have to bypass a bunch of protections:
The stack based vulnerability is easy to find. It is in the base64_decode() function. It takes the output buffer length as an argument, but the it overwrites it with a new value based on the input buffer length. So we are going to be able to control how many bytes we want to write in the output buffer:
*output_length = input_length / 4 * 3; Now in order to send a valid request we need to provide a password the server generates when it loads but then it reuses for every connection.
Fusion level03 In this level we have to bypass ASLR and NX again:
Before going into the stack overflow details, lets get a valid request to the server. When we connect to the server we are presented with a token that is later used to calculate the MAC code of our request.
HMAC(EVP_sha1(), token, strlen(token), gRequest, gRequestSize, result, &len); The application is calculating the MAC of whatever is stored in “gRequest” (token+JSON request) using SHA1 as the hashing algorithm, “token” as the encryption key and store the MAC in the memory pointed by “result”.
Fusion level02 This level has the following protections:
And the code looks like:
#include "../common/common.c" #define XORSZ 32 void cipher(unsigned char *blah, size_t len) { static int keyed; static unsigned int keybuf[XORSZ]; int blocks; unsigned int *blahi, j; if(keyed == 0) { int fd; fd = open("/dev/urandom", O_RDONLY); if(read(fd, &keybuf, sizeof(keybuf)) != sizeof(keybuf)) exit(EXIT_FAILURE); close(fd); keyed = 1; } blahi = (unsigned int *)(blah); blocks = (len / 4); if(len & 3) blocks += 1; for(j = 0; j < blocks; j++) { blahi[j] ^= keybuf[j % XORSZ]; } } void encrypt_file() { // http://thedailywtf.
