30 Sep 2012

CSAW 2012 – Web 600

No challenge description
http://128.238.66.216/eccbc87e4b5ce2fe28308fd9f2a7baf3/

The website http://128.238.66.216/eccbc87e4b5ce2fe28308fd9f2a7baf3/ gives us a directory listing with two files:

[ ]	submit.php	29-Sep-2012 15:54 	224 	 
[ ]	submit.phps	29-Sep-2012 15:56 	224 	 


30 Sep 2012

CSAW 2012 – Web 500

Web 500 is a challenge to break into a website called Derpsoft’s Noderper diagnostics front-end.

Browsing the website for a few minutes with an HTTP intercept proxy (in this case Burp) revealed a number of vulnerabilities:
– When opening a non-existent file, the full path is disclosed: {"errno":34,"code":"ENOENT","path":"/opt/noderp/htdocs//abc"}
– The site is vulnerable to directory traversal; for example, GET /../../../../etc/passwd can be used to obtain a copy of the UNIX passwd file
– There is a JSON handler that processes requests to download a node program (either in JavaScript or compiled form) and execute it on the server.

That’s quite a lot to work with!

30 Sep 2012

CSAW 2012 – Web 200

A simple web-based challenge where anyone can create their own account and log in. The goal is to log in as Administrator, but we don’t know the password 🙁

The source code for the login.php file is provided:

<?php
    $good = true;
    include('mysql.php');
    $key = 'key{...}';
    $auth = false;
    $admin = false;
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        $mysql->real_query('SELECT * FROM `csaw`.`users` 
           WHERE `user` LIKE "' . 
          $mysql->real_escape_string($_POST['user']) . '";');
        if ($mysql->errno != 0) {
            echo('Error.');
        } else {
            $result = $mysql->store_result();
            while ($row = $result->fetch_assoc()) {
                if ( $_POST['pass'] == $row['pass'] ) {
                    $auth = true;
                }
                if ( $row['user'] == 'Administrator' ) {
                    $admin = true;
                }
            }
        }
        if ( $auth && $admin ) {
            echo( $key );
        }
    }
?>

The user parameter is escaped, so we can’t easily inject SQL code. However, the query uses LIKE, which accepts % as a wildcard, and escaping leaves % untouched. If we supply the username a%, all records whose user begins with a will be returned. Since Administrator begins with a, the admin flag will be set. The two flags are set independently for every returned row, so if we also know the password of any single user whose name starts with a, the auth flag will be set as well and we’re in.

We solved it by registering an account called abc with password abc, then logging in with username a% and password abc.

This yields the flag: key{6e6a5f85aa6880aa3d4bd1f0477b149d}
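
The flaw and one possible fix, as an added example that is not part of the original writeup or the challenge's code: it runs the same login logic against a constructed users table in in-memory SQLite via PDO (an assumption so that it runs offline; the challenge used MySQL), then repeats it with an exact match and both checks applied to the same row. The function names login_like and login_exact are hypothetical.

```php
<?php
// Added example. Constructed sample data; SQLite stands in for the challenge's MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass TEXT)');
$ins = $db->prepare('INSERT INTO users (user, pass) VALUES (?, ?)');
foreach ([['Administrator', 'constructed-admin-secret'], ['abc', 'abc']] as $row) {
    $ins->execute($row);
}

// Same logic as login.php: LIKE match, flags accumulated over every returned row.
function login_like(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare('SELECT user, pass FROM users WHERE user LIKE ?');
    $st->execute([$user]); // binding blocks injection, but % is still a LIKE wildcard
    $auth = false;
    $admin = false;
    foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if ($pass == $row['pass']) { $auth = true; }            // password of any row
        if ($row['user'] == 'Administrator') { $admin = true; } // name of any row
    }
    return $auth && $admin;
}

// Hardened: exact match selects at most one row, and both checks use that row.
function login_exact(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare('SELECT user, pass FROM users WHERE user = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no such user
    }
    // Plaintext passwords are kept only to mirror the challenge schema;
    // a real application would store password_hash() output and call password_verify().
    return hash_equals($row['pass'], $pass) && $row['user'] === 'Administrator';
}

echo 'LIKE,  user "a%", pass "abc": ';
var_dump(login_like($db, 'a%', 'abc'));
echo 'exact, user "a%", pass "abc": ';
var_dump(login_exact($db, 'a%', 'abc'));
echo 'exact, Administrator with the right password: ';
var_dump(login_exact($db, 'Administrator', 'constructed-admin-secret'));
```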

02 May 2012

Plaid CTF 2012 – Paste

Robot hackers, like their human counterparts, have a largely unmet need to dump large amounts of text to their peers. We recently got access to one of their servers and are providing you with the files. What have they been talking about?
Title: Paste (100)
Category: Practical Packets

This challenge is a web application, a pastebin for robot hackers. Luckily the humans got the source code. It contains an admin cookie employing the well-known ‘security by obscurity’ method, a questionable preg_replace statement using eval mode and an unchecked require. What can we do with those?

26 Feb 2012

CODEGATE 2012 – Vuln 200

Get a shell if you can!

This is a web application where you can upload an image. Cute. We tried uploading a JPG file with a PHP payload appended and called it kittens.jpg.php, and lo and behold it worked! 🙂


26 Jan 2012

MozillaCTF 2012 – Sharkpedia (400)

Sharkpedia was a web challenge that frustrated us at first. But like anything, it’s easy once you know how 🙂

The code for Sharkpedia (which we grabbed after we solved it, no way around that):

<?php
$param = @$_GET['p'];

$mode = preg_replace('/[^\w]/', '', $param);

include('textcontainer.php'); // actual content

$functions = array(
	'a' => @create_function('', "return '<h2>$param: $textcontainer[0]';"),
	'b' => @create_function('', "return '<h2>$param: $textcontainer[1]';"),
	'c' => @create_function('', "return '<h2>$param: $textcontainer[2]';")
);
$links = '';
foreach($functions as $char=>$code)
	$links.= "<a href=\"?p=$char\">$char</a>, ";
$links = substr($links, 0, -2);

if(empty($mode) || !isset($functions[$mode]))
{
	echo "<p>The following functions are available: " . $links;
    echo "</p>";
	exit;
}

echo "<h2>Result</h2>";
echo $functions[$mode]();
echo "<p><a href=\"?p=\">back</a></p>";

?>
