[oss] DCTF 2015 Final

Cernica ionut.cernica at gmail.com
Thu Nov 26 11:12:44 EET 2015


Hello,

I participated last week in DCTF, a CTF organized by CCSIR. It was the local
stage (onsite) and 15 teams came:
Dragon Sector        13 tasks -> 3117 points
Tasteless            13 tasks -> 3111 points
FluxFingers          13 tasks -> 3111 points
Hertz                13 tasks -> 3109 points
HackingForSoju       13 tasks -> 3105 points
Bushwhackers         12 tasks -> 2709 points
Toxic                11 tasks -> 2600 points
Scryptos             10 tasks -> 2310 points
Vulturii             10 tasks -> 2205 points
Dcua                 10 tasks -> 2202 points
P4                   10 tasks -> 2200 points
BalalaikaCr3w        10 tasks -> 2000 points
Pwn.ro                8 tasks -> 1600 points
Shellphish            6 tasks -> 1002 points
BambooFox             6 tasks -> 900  points


Our team is "Vulturii"; we managed to do 10 tasks and achieved 2205 points.
Team Members:
Vladimir Diaconescu  Solved: 2 tasks
Catalin Irimie       Solved: 2 tasks
Radu Caragea         Solved: 2 tasks
Cernica Ionut        Solved: 2 tasks Web300 and Web400
Alexandru Dimos      Solved: 2 tasks


I was very close to solving Bonus400 (I knew how to do it but we needed 5
minutes more). It wasn't as hard as I thought, but it was too late
when I figured it out.

Web300:
We were given an archive, a WordPress, and in each .php file they had removed
the comments and the code had been written on a single line.
I Googled for a PHP command that does this and found it:
php --strip file.php > file2.php

I downloaded WordPress and installed it along with all the plugins.
With a Python script I went through each file and executed the above
command.
When we ran diff on the two directories with the same WordPress, only a single
file was different (class.akismet.php).

In that .php file I found a backdoor and I was able to execute system
commands.



Web400:
We were given a web application that takes two parameters, "s" and "k". When
a request is made to the server, the PHP script checks whether parameter
"k" is set and, if so, the value of parameter "s" is encrypted with
AES256-CBC and a SQL query is made; if "k" doesn't exist, it takes the value
of "s", does some input validation on it and then makes that SQL query.
After several tests we realized that "s" is encrypted with AES256-CBC using
the value of parameter "k" as the key.

We had to decrypt SQL queries so that when the server encrypted what we had
just decrypted, the result would be the desired SQL query.
We managed to get SQL injection and were able to extract the flag.

I found it odd that the pycrypto AES256-CBC implementation isn't the same as
the mcrypt AES256-CBC implementation from PHP.



All the best,
Cernica Ionut
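
The Web300 comparison described above, as an added example that is not part of the original post: each .php file in a known-good reference tree and in the tree under review is normalised with `php --strip`, hashed, and the two trees are compared. The function names, the constructed sample files and the `collapse_ws` stand-in (used by the demo so it runs without php installed) are assumptions of this example.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path


def php_strip(path):
    """Return the source as `php --strip` prints it (comments and whitespace removed)."""
    return subprocess.run(["php", "--strip", str(path)],
                          capture_output=True, check=True).stdout


def collapse_ws(path):
    """Stand-in normaliser (assumption): collapses whitespace only, keeps comments."""
    return b" ".join(Path(path).read_bytes().split())


def digest_tree(root, normalise):
    """Map each .php file's relative path to the SHA-256 of its normalised source."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(normalise(p)).hexdigest()
            for p in sorted(root.rglob("*.php"))}


def compare_trees(reference, suspect, normalise=php_strip):
    """Return (modified, added, missing) relative paths of suspect vs reference."""
    ref = digest_tree(reference, normalise)
    sus = digest_tree(suspect, normalise)
    modified = sorted(f for f in ref.keys() & sus.keys() if ref[f] != sus[f])
    return modified, sorted(sus.keys() - ref.keys()), sorted(ref.keys() - sus.keys())


def demo():
    """Compare two small constructed trees using the stand-in normaliser."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, sus = Path(tmp, "reference"), Path(tmp, "suspect")
        for d in (ref, sus):
            (d / "plugins").mkdir(parents=True)
        (ref / "index.php").write_text("<?php\n$a = 1;\necho $a;\n")
        (sus / "index.php").write_text("<?php $a = 1; echo $a;")    # same code, one line
        (ref / "plugins" / "check.php").write_text("<?php\nreturn true;\n")
        (sus / "plugins" / "check.php").write_text("<?php return false;")  # real change
        (sus / "extra.php").write_text("<?php echo 1;")            # not in reference
        return compare_trees(ref, sus, normalise=collapse_ws)


if __name__ == "__main__":
    print(demo())
```

Files reported as added matter as much as modified ones, since a plain two-way diff of matching filenames would not show a file that exists only in the tree under review.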