30 Sep 2012

CSAW 2012 – Reversing 200

Reversing 200 is a .NET command-line executable (CSAWQualificationEasy.exe) that printed the following string: “Okay, going to compute the key. Have to remember to write it out at the end! I keep forgetting!”. After that it seems to wait for some input before exiting.. odd..

Let’s decompile this program and have a look what’s going on.

30 Sep 2012

CSAW 2012 – Reversing 100

Reversing 100 is a Windows 32-bit PE executable. When you run it, it displays a MessageBox containing “Encrypted Key: “. Once you close the MessageBox the program exits.

30 Sep 2012

CSAW 2012 – Web 600

No challenge description
http://128.238.66.216/eccbc87e4b5ce2fe28308fd9f2a7baf3/

The website
http://128.238.66.216/eccbc87e4b5ce2fe28308fd9f2a7baf3/

Gives us a directory listing with two files:

[ ]	submit.php	29-Sep-2012 15:54	224
[ ]	submit.phps	29-Sep-2012 15:56	224


30 Sep 2012

CSAW 2012 – Web 500

Web 500 is a challenge to break into a website called Derpsoft’s Noderper diagnostics front-end.

Browsing the website for a few minutes with an HTTP intercept proxy (in this case Burp) revealed a number of vulnerabilities:
– When opening a non-existing file the full path is disclosed: {"errno":34,"code":"ENOENT","path":"/opt/noderp/htdocs//abc"}
– The site is vulnerable to directory traversal; for example, GET /../../../../etc/passwd can be used to obtain a copy of the UNIX passwd file
– There is a JSON request handler that will download a node program (either as JavaScript or in compiled form) and execute it on the server.

That’s quite a lot to work with!

30 Sep 2012

CSAW 2012 – Reversing 300

We’re given a Windows .NET executable (CSAWQualification.exe).

Let’s run it:
Do you really just run random binaries given to you in challenges?


30 Sep 2012

CSAW 2012 – Web 200

A simple web-based challenge, where anyone can create their own account and login. The goal is to login as Administrator, but we don’t know the password 🙁

The source code for the login.php file is provided:

<?php
    $good = true;
    include('mysql.php');
    $key = 'key{...}';
    $auth = false;
    $admin = false;
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        $mysql->real_query('SELECT * FROM `csaw`.`users` 
           WHERE `user` LIKE "' . 
          $mysql->real_escape_string($_POST['user']) . '";');
        if ($mysql->errno != 0) {
            echo('Error.');
        } else {
            $result = $mysql->store_result();
            while ($row = $result->fetch_assoc()) {
                if ( $_POST['pass'] == $row['pass'] ) {
                    $auth = true;
                }
                if ( $row['user'] == 'Administrator' ) {
                    $admin = true;
                }
            }
        }
        if ( $auth && $admin ) {
            echo( $key );
        }
    }
?>

The user parameter is escaped, so we can’t easily inject SQL code; however, the query uses LIKE, which accepts % as a wildcard, and the escaping leaves % untouched. If we supply the username a%, all records beginning with a are returned (LIKE is case-insensitive under MySQL’s default collation, so Administrator matches too). Because the loop sets $admin and $auth independently across every returned row, the Administrator row sets the admin flag, and if we also know the password of any single user whose name starts with a, that row sets the auth flag and we’re in.

We solved it by registering an account called abc with password abc and logging in with username a% and password abc.

This yields the flag: key{6e6a5f85aa6880aa3d4bd1f0477b149d}
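The two defects in login.php (the LIKE wildcard surviving real_escape_string, and the $auth/$admin flags being collected across different rows) are easier to see side by side with a fixed version. The following is an added example, not code from the write-up or the challenge: it rebuilds the login logic in Python over an in-memory SQLite table with a constructed set of users (the names, passwords and helper functions are the example's own assumptions), reproduces the flawed check, and then shows an exact-match, single-row check plus proper wildcard escaping for the cases where LIKE is genuinely wanted.

```python
import hmac
import sqlite3

# Constructed sample user table for the demonstration; not data from the challenge.
SAMPLE_USERS = [
    ("Administrator", "correct-horse-battery"),
    ("abc", "abc"),  # the low-privilege account the write-up registers
    ("bob", "hunter2"),
]


def make_db():
    """Return an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT NOT NULL, pass TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (user, pass) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def escape_quotes(value):
    """Stand-in for mysqli::real_escape_string: neutralises quote characters
    (SQLite doubles them) but, like the real function, leaves % and _ alone."""
    return value.replace("'", "''")


def vulnerable_login(conn, user, password):
    """Mirror of the challenge's login.php: escaped input spliced into a LIKE
    clause, then $auth and $admin set independently over all returned rows."""
    query = "SELECT user, pass FROM users WHERE user LIKE '" + escape_quotes(user) + "'"
    auth = admin = False
    for row_user, row_pass in conn.execute(query):
        if password == row_pass:          # may be satisfied by one row ...
            auth = True
        if row_user == "Administrator":   # ... and this by a different row
            admin = True
    return auth and admin


def hardened_login(conn, user, password):
    """Exact-match, parameterised lookup; both conditions are checked against
    the same row, so matching several users can no longer combine privileges."""
    row = conn.execute(
        "SELECT user, pass FROM users WHERE user = ?", (user,)
    ).fetchone()
    if row is None:
        return False
    row_user, row_pass = row
    # compare_digest avoids leaking the password's length/prefix through timing
    return (hmac.compare_digest(row_pass.encode(), password.encode())
            and row_user == "Administrator")


def escape_like_wildcards(value, esc="\\"):
    """If LIKE is genuinely required, the wildcards must be escaped explicitly
    and the query must declare the escape character with an ESCAPE clause."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def users_matching_pattern(conn, user):
    """LIKE lookup with wildcard escaping: 'a%' now only matches a user
    whose name is literally 'a%'."""
    pattern = escape_like_wildcards(user)
    rows = conn.execute(
        "SELECT user FROM users WHERE user LIKE ? ESCAPE '\\'", (pattern,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, a%/abc:", vulnerable_login(db, "a%", "abc"))
    print("hardened,   a%/abc:", hardened_login(db, "a%", "abc"))
    print("LIKE-escaped match for a%:", users_matching_pattern(db, "a%"))
```

The exact-match query is the real fix: with `=` and a bound parameter there is no pattern to abuse, and evaluating both conditions on the single row that came back means a password for one account can never be paired with another account's privileges. Storing passwords in plaintext, as the challenge does, is a separate problem the example leaves untouched.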

30 Sep 2012

CSAW 2012 – Web 100

http://128.238.66.216/c4ca4238a0b923820dcc509a6f75849b/
Lara Anderton needs to break into PreCrime to free her husband, but they just installed a fancy new security system. Help her break into it!

The website http://128.238.66.216/c4ca4238a0b923820dcc509a6f75849b/ shows us the following login screen: