30 Dec 2012

29C3 CTF – pwsafe

https://29c3ctf.aachen.ccc.de/challenges/12/
Points 300
Description
No space left on brain? Store all your passwords and other secrets here and you will never forget your birthday again 🙂 (http://94.45.252.238/)

The website in this challenge allowed us to create a user and log in with it. Once logged in, information could be stored on the site. There was also an /admin/ page, which returned the message “Access denied, only user admin has access”. While analyzing the website we noticed a really long session cookie set by the webserver. The cookie appeared to consist of three separate MD5 hashes concatenated into one string. After looking into these hashes a bit more, and into when they changed, we found out that they were built as follows:

[MD5][MD5(username)][MD5(user IP)]


The idea was that, to get to the admin page, we needed to change the cookie to:

[MD5][MD5('admin')][MD5(admin IP)]

The MD5 value of the word ‘admin’ is 21232f297a57a5a743894a0e4a801fc3, so we only needed the IP of the admin user, which was a bit harder to find. However, the server exposed a server-status page (http://94.45.252.238/server-status), which showed us:

036580/285/34514_0.084200000.00.072.42 1.2.3.4 127.0.0.1 GET /admin/ HTTP/1.1

It seems that the IP of admin is 1.2.3.4. Using this IP in our request retrieves the flag:

curl -s -b "session=954a33ddafa959cf59247cd21b4cc16321232f297a57a5a743894a0e4a801fc3`echo -n "1.2.3.4"|md5sum|awk '{printf $1}'`" http://94.45.252.238/
<tr><td colspan="2"><textarea name="content">You did it.
29C3_PleasePutAllYourPasswordsHereItIsGood
Bye.</textarea></td></tr>

FLAG: 29C3_PleasePutAllYourPasswordsHereItIsGood
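Why the cookie could be rewritten, and what a fix looks like, as an added example that is not part of the original write-up or the challenge's code. The server-side check in `weak_identity_check`, the `SERVER_KEY` secret and the `username|ip|tag` token layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()


def weak_cookie(prefix: str, username: str, ip: str) -> str:
    """Layout from the write-up: [MD5][MD5(username)][MD5(user IP)]."""
    return prefix + md5_hex(username) + md5_hex(ip)


def weak_identity_check(cookie: str, username: str, ip: str) -> bool:
    """Assumed server logic: compares only the two unkeyed hashes.
    Anyone who knows the username and IP can compute both values."""
    return cookie[32:64] == md5_hex(username) and cookie[64:96] == md5_hex(ip)


def signed_cookie(username: str, ip: str) -> str:
    """Hardened form: the identity fields are covered by a keyed MAC."""
    payload = f"{username}|{ip}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def signed_identity_check(cookie: str, request_ip: str):
    """Return the username if the MAC verifies and the bound IP matches
    the request, otherwise None."""
    payload, _, tag = cookie.rpartition("|")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    username, _, ip = payload.rpartition("|")
    return username if ip == request_ip else None
```

With the keyed MAC, knowing the admin's username and IP is no longer enough to build a valid cookie, so the leak through server-status stops being sufficient on its own.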
