[oss] DCTF 2015 Final
Cernica
ionut.cernica at gmail.com
Thu Nov 26 11:12:44 EET 2015
Hello,
I participated last week in DCTF, a CTF organized by CCSIR. It was the local
stage (onsite) and 15 teams came:
Dragon Sector 13 tasks -> 3117 points
Tasteless 13 tasks -> 3111 points
FluxFingers 13 tasks -> 3111 points
Hertz 13 tasks -> 3109 points
HackingForSoju 13 tasks -> 3105 points
Bushwhackers 12 tasks -> 2709 points
Toxic 11 tasks -> 2600 points
Scryptos 10 tasks -> 2310 points
Vulturii 10 tasks -> 2205 points
Dcua 10 tasks -> 2202 points
P4 10 tasks -> 2200 points
BalalaikaCr3w 10 tasks -> 2000 points
Pwn.ro 8 tasks -> 1600 points
Shellphish 6 tasks -> 1002 points
BambooFox 6 tasks -> 900 points
Our team is "Vulturii", we managed to do 10 tasks and achieved 2205 points.
Team Members:
Vladimir Diaconescu Solved: 2 tasks
Catalin Irimie Solved: 2 tasks
Radu Caragea Solved: 2 tasks
Cernica Ionut Solved: 2 tasks Web300 and Web400
Alexandru Dimos Solved: 2 tasks
I was very close to solving Bonus400 (I knew how to do it, but we needed 5
minutes more). It wasn't as hard as I was thinking, but it was too late
when I figured it out.
Web300:
We were given an archive, a WordPress, and for each .php file they had removed
the comments and the code had been written on a single line.
I Googled for a php command that does this and found it:
php --strip file.php > file2.php
I downloaded the WordPress and I installed it along with all the plugins.
With a script in Python I went through each file and I executed the above
command.
When we ran diff on the two directories with the same WordPress, only a single
file was different (class.akismet.php).
In that .php file I found a backdoor and I was able to execute system
commands.
Web400:
We were given a web application that takes two parameters, "s" and "k". When
a request is made to the server, the PHP script verifies whether parameter
"k" is set and, if so, the value of parameter "s" is encrypted with
AES256-CBC and a SQL query is made; if "k" doesn't exist, it takes the value of
"s", does some input validation on it and then makes that SQL query.
After several tests we realized that "s" is encrypted with AES256-CBC using
as key the value from parameter "k".
We had to decrypt SQL queries so that when the server encrypted what we had just
decrypted, the result would be the desired SQL query.
We managed to get SQL Injection and we were able to extract the flag.
I found it odd that the pycrypto AES256-CBC implementation isn't the same as
the mcrypt AES256-CBC implementation from PHP.
All the best,
Cernica Ionut
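
The Web300 comparison, written as an integrity check of a deployed tree against a clean reference copy. This is an added example and not the script from the post; the function names and the changed/missing/extra report are assumptions, and only the `php --strip` call comes from the message above.

```python
import hashlib
import os
import subprocess
import sys


def php_strip(path):
    """Normalize a PHP file as in the post: `php --strip <file>`.
    The option only strips comments and whitespace; the file is not executed."""
    return subprocess.run(["php", "--strip", path], check=True,
                          capture_output=True).stdout


def raw_bytes(path):
    with open(path, "rb") as fh:
        return fh.read()


def fingerprint(root, normalize=php_strip):
    """Map each relative path under root to a SHA-256 of its normalized content."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            # Only .php files are normalized; everything else is hashed as-is.
            data = normalize(full) if name.endswith(".php") else raw_bytes(full)
            digests[rel] = hashlib.sha256(data).hexdigest()
    return digests


def compare_trees(reference, suspect, normalize=php_strip):
    """Return (changed, missing, extra) relative paths, suspect vs. reference."""
    ref = fingerprint(reference, normalize)
    sus = fingerprint(suspect, normalize)
    changed = sorted(p for p in ref.keys() & sus.keys() if ref[p] != sus[p])
    missing = sorted(ref.keys() - sus.keys())   # in reference only
    extra = sorted(sus.keys() - ref.keys())     # in suspect only
    return changed, missing, extra


if __name__ == "__main__":
    # Usage: python compare_trees.py <clean_wordpress_dir> <suspect_dir>
    changed, missing, extra = compare_trees(sys.argv[1], sys.argv[2])
    for label, paths in (("CHANGED", changed), ("MISSING", missing), ("EXTRA", extra)):
        for p in paths:
            print(label, p)
```

Files reported as extra deserve the same attention as changed ones, since a plain diff of matching file names would not surface a newly dropped .php file.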