30 Dec 2012

29C3 CTF – memcached

Points: 600
This is a truly unbreakable, genuine, RFC-compliant memcached implementation. Find it running at 94.45.252.230:1024

This challenge consists of a 32-bit executable providing a memcached implementation. It allows us to store and retrieve data.

30 Dec 2012

29C3 CTF – update_server

Points: 300
Never let your customers miss an important security update! Buy this update server and you even get admin rights! Running on 94.45.252.235 1024

Update server is a utility that can be used by programs to check whether a new update is available.
A program can send its current version number, and the utility will indicate if it is up to date or if an update is available.
It is also possible to update the version information, if a valid admin password is provided.

30 Dec 2012

29C3 CTF – Proxy

Proxy is an authenticated HTTP proxy (but a very simple one). It uses the system’s PAM authentication to verify the username and password, so unless you already have a valid login on the server you won’t be able to give it a correct password. This probably means the vulnerability is somewhere before the authentication check.

And indeed, there is a nice overflow in the HTTP parsing code:

 8049035:        89 44 24 08                  mov    DWORD PTR [esp+0x8],eax
 8049039:        8b 85 b4 fb ff ff            mov    eax,DWORD PTR [ebp-0x44c]
 804903f:        89 44 24 04                  mov    DWORD PTR [esp+0x4],eax
 8049043:        8d 85 17 fc ff ff            lea    eax,[ebp-0x3e9]                        ; ebp-0x3e9 = auth str buf
 8049049:        89 04 24                     mov    DWORD PTR [esp],eax
 804904c:        e8 af fa ff ff               call   8048b00 <strncpy@plt> 


30 Dec 2012

29C3 CTF – Find the key

https://29c3ctf.aachen.ccc.de/challenges/3/
Points 300
Description: Oh god, I can’t wait for my flag… (https://29c3ctf.aachen.ccc.de/static/dl/algo.rar)

The ‘Find the key’ challenge is an ELF file (algo) containing a simple emulator that supports the instructions addition, subtraction, multiplication, division and modulo. After verifying all related functions and confirming that this is indeed what it is capable of, we continued by analyzing the main routine.
The main routine starts by initializing some values. It then enters a loop in which it continuously does various operations. There’s a global table of length five, which contains the function addresses of the five instructions we mentioned earlier.

30 Dec 2012

29C3 CTF – pwsafe

https://29c3ctf.aachen.ccc.de/challenges/12/
Points 300
Description
No space left on brain? Store all your passwords and other secrets here and you will never forget your birthday again 🙂 (http://94.45.252.238/)

The website in this challenge allowed us to create a user and use it to access the website, where information could be stored. There also seemed to be a /admin/ page, which would give the message “Access denied, only user admin has access”. While analyzing the website we found a really long session cookie that we received from the webserver. This cookie seemed to consist of 3 separate MD5 hashes in one string. After looking into these hashes a bit more, and at when they would change, we found out that the MD5s were made of:

[MD5][MD5(username)][MD5(user IP)]


30 Dec 2012

29C3 CTF – shop

https://29c3ctf.aachen.ccc.de/challenges/15/
Points 400
Description
Leaks… Even the flag for this challenge got leaked to them… To the shop…
http://94.45.252.234/

The shop challenge consists of a webshop page with two items, a very cheap item and an item that costs 1337 euro. From the challenge description it is obvious that we need to buy the most expensive one to obtain the flag.

30 Dec 2012

29C3 CTF – Web 42

https://29c3ctf.aachen.ccc.de/challenges/14/
Points 600
Description: http://94.45.252.236/ (https://29c3ctf.aachen.ccc.de/static/dl/web42.tar)
HINTS:

  • class str(str)
  • This is an rce challenge
  • type(settings.SECRET_KEY)

For the web42 challenge we are given an archive containing some Python files which form a Django site. Almost all the pages are in the form of .py source, except for the settings file, which is given in the form of a .pyc bytecode file.