Wednesday 3 October 2012

CSAW 2012 CTF - WEB 300 - Writeup


For this problem, we were given login credentials and told that the administrator has the key. After mapping the application and trying some test inputs, it was clear that the id parameter of the horse.php page was vulnerable to SQL injection: the database errors were displayed directly in the response.

sqlmap made short work of dumping the database structure

./sqlmap.py -u "http://128.238.66.217/horse.php?id=1" --dump-all

<...snip...>
Database: csaw_chal1
Table: sessions
[0 entries]
+---------+------------+---------+
| user_id | session_id | session |
+---------+------------+---------+
+---------+------------+---------+
<...snip...>

Database: csaw_chal1
Table: users
[0 entries]
+---------+------+-------+----------+----------+
| user_id | name | level | username | password |
+---------+------+-------+----------+----------+
+---------+------+-------+----------+----------+

Unfortunately, due to the "WAF", the database contents weren't automatically dumped. After some manual attempts a suitable bypass was found. The password hash for the administrator user (Mr. Corgi) was retrieved from the users table. I let john attempt to crack it for a while while I finished off the reversing problems. However, after an hour or so the password wasn't cracked, so I looked at impersonating the administrator. Fortunately, in the sessions table there was an active session for the admin user.

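To make the injection concrete, here is an added example of the pattern described above; it is not the challenge's horse.php (its source was never available). The schema, the rows and the session id are constructed, SQLite stands in for MySQL, and the fixed handler beside it shows what stops both the data extraction and the error leakage:

```php
<?php
// Added example of the error-based injection pattern described above. This is
// not the challenge's horse.php (its source was never available): the schema,
// rows and session id below are constructed, and SQLite stands in for MySQL.
// Requires the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE horses (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("CREATE TABLE sessions (user_id INTEGER, session_id TEXT, session TEXT)");
$db->exec("INSERT INTO horses VALUES (1, 'Pony'), (2, 'Stallion')");
$db->exec("INSERT INTO sessions VALUES (1, 'constructed-admin-session-id', 'admin')");

function rows_to_string(array $rows)
{
    return $rows ? implode(', ', $rows) : '(no rows)';
}

// Vulnerable: the id parameter is concatenated into the SQL and the raw
// database error goes back to the client, which is what made the injection
// easy to spot and let sqlmap enumerate the schema.
function horse_vulnerable(PDO $db, $id)
{
    try {
        $rows = $db->query("SELECT name FROM horses WHERE id = " . $id)
                   ->fetchAll(PDO::FETCH_COLUMN);
        return rows_to_string($rows);
    } catch (PDOException $e) {
        return 'Error: ' . $e->getMessage();
    }
}

// Fixed: the value travels as a bound parameter, so it is never parsed as SQL,
// and the client only ever sees a generic failure message.
function horse_fixed(PDO $db, $id)
{
    try {
        $st = $db->prepare("SELECT name FROM horses WHERE id = ?");
        $st->execute([$id]);
        return rows_to_string($st->fetchAll(PDO::FETCH_COLUMN));
    } catch (PDOException $e) {
        return 'Error: request failed';
    }
}

// Constructed inputs, as they would arrive in the id query parameter.
$inputs = [
    "1",                                        // normal request
    "1'",                                       // unbalanced quote: the error leaks back
    "1 UNION SELECT session_id FROM sessions",  // reads rows from another table
];

foreach ($inputs as $in) {
    printf("id=%-42s vulnerable: %s\n", $in, horse_vulnerable($db, $in));
    printf("id=%-42s fixed:      %s\n", $in, horse_fixed($db, $in));
}
```

The third input is the same idea sqlmap automates: once a UNION works, any table the database user can read, including a sessions table, can be pulled through the same parameter. The prepared statement in horse_fixed() is the actual fix; hiding the error text on its own would only have slowed the tooling down.
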
Using Burp, I used the extracted session key to impersonate the admin user, which produced the key.

Some other great write-ups on CSAW 2012.

http://eindbazen.net/
http://blog.lse.epita.fr/cat/writeups-csaw-ctf-2012-quals/
http://raidersec.blogspot.ca/2012/09/csaw-ctf-quals-2012-recon-1-3-writeup.html

Thanks again to the CSAW folks for putting this together.

Monday 1 October 2012

CSAW 2012 CTF - WEB 600 - Writeup


After accessing the challenge website, one was presented with a directory listing containing two files, submit.php and submit.phps. It was possible to view the contents of submit.phps (below); furthermore, both files were the same size, so the .phps file was the source of the script being served.

<?php
$key = "key{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}";
$pass = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
echo $_GET['pass'];
// Case-insensitive comparison of the user-supplied pass against the secret;
// a return value of 0 is treated as a match.
if ( strcasecmp( $_GET['pass'], $pass ) == 0 ) {
    echo($key);
    echo "got it";
}
?>

It's apparent that the program compares a GET parameter named pass against a hardcoded string using strcasecmp(); if the result of this comparison is 0, the key is displayed. Unfortunately, the real key was not a bunch of Xs.

Focusing on strcasecmp(): were there other ways of making it return 0, besides the obvious case where the strings were equal?

A quick trip to php.net yielded nothing useful for strcasecmp; however, since this function is a wrapper for strcmp (I believe), I took a look there, and sure enough the first two comments yielded the answer.


In short, in the PHP versions of the time (5.3 and later), strcasecmp() does not compare at all when given an array: it emits a warning and returns NULL, and NULL == 0 is true under PHP's loose comparison, so the check passes. The following URL was constructed to turn pass into an array.


The key was:
key{this_is_how_our_scoreboard_was_owned_last_night}
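
To show the strcasecmp() behaviour discussed above side by side with a check that does not have it, here is an added example; it is not the challenge's submit.php. The secret is a placeholder, and the query strings are constructed; the only PHP facts it relies on are that "pass[]=..." makes $_GET['pass'] an array and that hash_equals() exists from PHP 5.6 onward:

```php
<?php
// Added example, not the challenge's submit.php: it puts the vulnerable
// strcasecmp() check beside a hardened one and feeds both a constructed
// query string. $secret is a placeholder; the real password was redacted.

// Vulnerable check, same shape as the challenge's comparison.
function vulnerable_check($pass, $secret)
{
    // PHP 5.3 through 7.x: strcasecmp() on a non-string emits a warning and
    // returns NULL, and NULL == 0 is true under loose comparison.
    // PHP 8: the same call throws a TypeError instead.
    return strcasecmp($pass, $secret) == 0;
}

// Hardened check: reject anything that is not a string, then compare with a
// timing-safe function that returns a real boolean.
function hardened_check($pass, $secret)
{
    if (!is_string($pass)) {
        return false;
    }
    // hash_equals() (PHP >= 5.6) compares in constant time. If the check really
    // must be case-insensitive, strtolower() both sides first; never fall back
    // to strcasecmp() == 0.
    return hash_equals($secret, $pass);
}

// Runs one of the checks and reports its result as text, so the PHP 8
// behaviour shows up as "TypeError" rather than aborting the script.
function run_check($fn, $pass, $secret)
{
    try {
        // @ silences the PHP 5/7 warning so the return value itself is visible.
        return var_export(@$fn($pass, $secret), true);
    } catch (TypeError $e) {
        return 'TypeError';
    }
}

$secret = 'not-the-real-password';

// Constructed requests. "pass[]=..." makes PHP build an array for
// $_GET['pass'], which is what parse_str() reproduces here.
$queries = ['pass=guess', 'pass[]=guess', 'pass=not-the-real-password'];

foreach ($queries as $qs) {
    parse_str($qs, $get);   // stand-in for the real $_GET
    printf("%-28s vulnerable=%-9s hardened=%s\n",
        $qs,
        run_check('vulnerable_check', $get['pass'], $secret),
        run_check('hardened_check', $get['pass'], $secret));
}
```

On PHP 5.3 through 7.x the array request passes the vulnerable check without the password ever being known, while the hardened check rejects it; on PHP 8 the vulnerable call throws instead, which is the language finally closing the hole rather than the application doing so. The same loose-comparison trap applies to any "== 0" or "== true" test on a function that can return NULL or false, so the is_string() guard and a strict comparison are worth applying to every input that reaches a secret comparison.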

And let me just add that this was a really fun CTF and great weekend, well worth working to well past sun up. I look forward to CSAW each year. Anyone who is interested in security and especially CTFs, I always recommend CSAW as the questions start accessible and ramp up to quite challenging. (Although I did miss having to call for Dan's burritos this year)