In this level we are told that:
We have intercepted communication in a private network. A strange protocol based on the RSA cryptosystem is used.
Can you still prove that it is not secure enough and get the flag?
We are given a pcap file with a bunch of transmissions generated with this script:
#!/usr/bin/python
import sys
import struct
import zlib
import socket

class Client:
    def __init__(self, ip):
        #init
        self.
I did not solve this level during the CTF, but found it so interesting reading Xelenonz's write-up that I couldn't help trying it myself just for the fun, and since this blog is my personal notes, I decided to write it here for future reference, but all credits go to Xelenonz.
We are given the code of an image hosting web app. Reading the code we see how it handles the requests:
In this level we are presented with a cryptosystem based on matrix operations:
#!/usr/bin/python
import random
from struct import pack

def Str2matrix(s):
    #convert string to 4x4 matrix
    return [map(lambda x : ord(x), list(s[i:i+4])) for i in xrange(0, len(s), 4)]

def Matrix2str(m):
    #convert matrix to string
    return ''.join(map(lambda x : ''.join(map(lambda y : pack('!H', y), x)), m))

def Generate(password):
    #generate key matrix
    random.seed(password)
    return [[random.randint(0,64) for i in xrange(4)] for j in xrange(4)]

def Multiply(A,B):
    #multiply two 4x4 matrix
    C = [[0 for i in xrange(4)] for j in xrange(4)]
    for i in xrange(4):
        for j in xrange(4):
            for k in xrange(4):
                C[i][j] += A[i][k] * B[k][j]
    return C

def Encrypt(fname):
    #encrypt file
    key = Generate('')
    data = open(fname, 'rb').
In this level we are told that our challenge is to log in with the administrator role in a service listening on hackyou2014tasks.ctf.su 7777. We are given the following source code:
#!/usr/bin/python
from math import sin
from urlparse import parse_qs
from base64 import b64encode
from base64 import b64decode
from re import match

SALT = ''
USERS = set()
KEY = ''.decode('hex')

def xor(a, b):
    return ''.join(map(lambda x : chr(ord(x[0]) ^ ord(x[1])), zip(a, b * 100)))

def hashme(s):
    #my secure hash function
    def F(X,Y,Z):
        return ((~X & Z) | (~X & Z)) & 0xFFFFFFFF
    def G(X,Y,Z):
        return ((X & Z) | (~Z & Y)) & 0xFFFFFFFF
    def H(X,Y,Z):
        return (X ^ Y ^ Y) & 0xFFFFFFFF
    def I(X,Y,Z):
        return (Y ^ (~Z | X)) & 0xFFFFFFFF
    def ROL(X,Y):
        return (X << Y | X >> (32 - Y)) & 0xFFFFFFFF
    A = 0x67452301
    B = 0xEFCDAB89
    C = 0x98BADCFE
    D = 0x10325476
    X = [int(0xFFFFFFFF * sin(i)) & 0xFFFFFFFF for i in xrange(256)]
    for i,ch in enumerate(s):
        k, l = ord(ch), i & 0x1f
        A = (B + ROL(A + F(B,C,D) + X[k], l)) & 0xFFFFFFFF
        B = (C + ROL(B + G(C,D,A) + X[k], l)) & 0xFFFFFFFF
        C = (D + ROL(C + H(D,A,B) + X[k], l)) & 0xFFFFFFFF
        D = (A + ROL(D + I(A,B,C) + X[k], l)) & 0xFFFFFFFF
    return ''.
In this level we are asked to break a code and decrypt msg002.enc. We are given the encryptor code without the key:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    if (argc != 3) {
        printf("USAGE: %s INPUT OUTPUT\n", argv[0]);
        return 0;
    }
    FILE* input = fopen(argv[1], "rb");
    FILE* output = fopen(argv[2], "wb");
    if (!input || !output) {
        printf("Error\n");
        return 0;
    }
    char k[] = "CENSORED";
    char c, p, t = 0;
    int i = 0;
    while ((p = fgetc(input)) !
In this level we are presented with some logos we can vote for.
If we look at the source code we can see an interesting comment:
...
<!-- TODO: remove index.phps -->
...
We can grab the source code:
<?php
include 'db.php';
session_start();
if (!isset($_SESSION['login'])) {
    $_SESSION['login'] = 'guest'.mt_rand(1e5, 1e6);
}
$login = $_SESSION['login'];
if (isset($_POST['submit'])) {
    if (!isset($_POST['id'], $_POST['vote']) || !is_numeric($_POST['id']))
        die('Hacking attempt!');
    $id = $_POST['id'];
    $vote = (int)$_POST['vote'];
    if ($vote > 5 || $vote < 1)
        $vote = 1;
    $q = mysql_query("INSERT INTO vote VALUES ({$id}, {$vote}, '{$login}')");
    $q = mysql_query("SELECT id FROM vote WHERE user = '{$login}' GROUP BY id");
    echo '<p><b>Thank you!
In this level we are presented with a typical Snake game.
I spent a couple of hours deobfuscating the JavaScript code until I was capable of submitting any score. Nice but useless. I also found out that I could fake the IP associated with the score using the X-Forwarded-For header. That was pretty much it until the CTF was about to finish, when I was given the hint: “../”. I could use it to locate an LFI vulnerability that was affecting the index.
In this level we were presented with an online shop:
The task name was “AngryBird” and this was very relevant to solving the challenge! It actually comes down to two parts:
Finding a hidden admin area
Exploiting a blind SQLi to get credentials
Finding the hidden admin area
We were given the following description:
Some web-developers still host their sites on Windows platform, and think that it is secure enough