30 Sep 2012

CSAW 2012 – Web 200

A simple web-based challenge, where anyone can create their own account and log in. The goal is to log in as Administrator, but we don’t know the password 🙁

The source code for the login.php file is provided:

<?php
    $good = true;
    include('mysql.php');
    $key = 'key{...}';
    $auth = false;
    $admin = false;
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        $mysql->real_query('SELECT * FROM `csaw`.`users` 
           WHERE `user` LIKE "' . 
          $mysql->real_escape_string($_POST['user']) . '";');
        if ($mysql->errno != 0) {
            echo('Error.');
        } else {
            $result = $mysql->store_result();
            while ($row = $result->fetch_assoc()) {
                if ( $_POST['pass'] == $row['pass'] ) {
                    $auth = true;
                }
                if ( $row['user'] == 'Administrator' ) {
                    $admin = true;
                }
            }
        }
        if ( $auth && $admin ) {
            echo( $key );
        }
    }
?>

The user parameter is escaped, so we can’t easily inject SQL code. However, the query uses LIKE, which accepts % as a wildcard. If we supply the username a%, all records beginning with a will be returned. Since administrator begins with a, the admin flag will be set. The loop sets the two flags independently for every returned row, so if we also know the password of a single user whose name starts with a, the auth flag will also be set and we’re in.

We solved it by registering an account called abc with password abc and logging in with username a% and password abc.

This yields the flag: key{6e6a5f85aa6880aa3d4bd1f0477b149d}
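
The same logic flaw next to a corrected check, as an added example that is not part of the original write-up or the challenge code. It ports the login logic to Python with an in-memory SQLite database (an assumption; the challenge used PHP and MySQL), and the table contents, the admin password and the function names are constructed for illustration.

```python
import hmac
import sqlite3

# Constructed sample data mirroring the write-up: the admin row plus the
# self-registered account "abc"/"abc". Plaintext passwords mirror the
# challenge code; a real application would store password hashes.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT PRIMARY KEY, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("Administrator", "s3cret-admin-pw"), ("abc", "abc")])
    return db

def flawed_login(db, user, password):
    """Same logic as login.php: LIKE match, flags accumulated across rows."""
    auth = admin = False
    # Parameter binding stops SQL injection but, like real_escape_string,
    # leaves the LIKE wildcards % and _ active.
    for row_user, row_pass in db.execute(
            "SELECT user, pass FROM users WHERE user LIKE ?", (user,)):
        if password == row_pass:
            auth = True          # set by any matching row
        if row_user == "Administrator":
            admin = True         # set by a possibly different row
    return auth and admin

def hardened_login(db, user, password):
    """Exact-match lookup; password and role are checked on one row."""
    row = db.execute(
        "SELECT user, pass FROM users WHERE user = ?", (user,)).fetchone()
    if row is None:
        return False
    row_user, row_pass = row
    # Constant-time comparison against the credential of the fetched row.
    if not hmac.compare_digest(password.encode(), row_pass.encode()):
        return False
    return row_user == "Administrator"

if __name__ == "__main__":
    db = make_db()
    print("flawed,   a% / abc:", flawed_login(db, "a%", "abc"))
    print("hardened, a% / abc:", hardened_login(db, "a%", "abc"))
```

The fix has two parts: match the username with = instead of LIKE, and decide authentication and privilege from the same single row.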

02 May 2012

Plaid CTF 2012 – Paste

Robot hackers, like their human counterparts, have a largely unmet need to dump large amounts of text to their peers. We recently got access to one of their servers and are providing you with the files. What have they been talking about?
Title: Paste (100)
Category: Practical Packets

This challenge is a web application, a pastebin for robot hackers. Luckily the humans got the source code. It contains an admin cookie employing the well-known ‘security by obscurity’ method, a questionable preg_replace statement using eval mode and an unchecked require. What can we do with those?

26 Feb 2012

CODEGATE 2012 – Vuln 200

Get a shell if you can!

This is a web application where you can upload an image. Cute. We tried uploading a JPG file with a PHP payload appended and called it kittens.jpg.php, and lo and behold it worked! 🙂


26 Jan 2012

MozillaCTF 2012 – Sharkpedia (400)

Sharkpedia was a web challenge that frustrated us at first. But like anything, it’s easy once you know how 🙂

The code for Sharkpedia (which we grabbed after we solved it, no way around that):

<?php
$param = @$_GET['p'];

$mode = preg_replace('/[^\w]/', '', $param);

include('textcontainer.php'); // actual content

$functions = array(
	'a' => @create_function('', "return '<h2>$param: $textcontainer[0]';"),
	'b' => @create_function('', "return '<h2>$param: $textcontainer[1]';"),
	'c' => @create_function('', "return '<h2>$param: $textcontainer[2]';")
);
$links = '';
foreach($functions as $char=>$code)
	$links.= "<a href=\"?p=$char\">$char</a>, ";
$links = substr($links, 0, -2);

if(empty($mode) || !isset($functions[$mode]))
{
	echo "<p>The following functions are available: " . $links;
    echo "</p>";
	exit;
}

echo "<h2>Result</h2>";
echo $functions[$mode]();
echo "<p><a href=\"?p=\">back</a></p>";

?>
