LSE Blog

Operating systems, computer security, languages theory, and even more!

  • About us

    • Main website
    • Git repositories
    • @lse_epita

    RSS Feed

  • Categories
    • Events
    • Language
    • Reverse Engineering
    • Security
    • Tutorials
      • Parallelism
    • Writeups
      • CSAW CTF 2012 Quals
      • DEFCON2K12 Prequals
      • SecuInside2K12 Prequals
      • NDH2K12 Prequals
      • Hack.lu CTF 2012
      • NDH2K13 Quals
      • PlaidCTF 2012
  • Authors
    • Gabriel Laskar
    • Bruno Pujos
    • Remi Audebert
    • Pierre Bourdon
    • Franck Michea
    • Ivan Delalande
    • Clement Rouault
    • Samuel Chevet
    • Nicolas Hureau
    • Marwan Burelle
    • Pierre-Marie de Rodat

  • CSAW CTF 2012: for200-500/net100-200/re100-400/web100-300/web600 writeups

    Written by Pierre Bourdon
    October 01, 2012 at 00:00

    This article regroups writeups for several challenges which did not deserve a full article.

    for200 (1)

    When you decode the chunks of the PNG file individually only one has a CRC error. It contains text which is the key to submit.

    for200 (2)

    When you decode the chunks of the PNG file individually only one text chunk has no CRC error. It contains text which is the key to submit.

    for500

    strings

    net100

    Open with Wireshark, "Follow TCP Stream" and notice a password being sent to a telnet server. This is the key.

    net200

    Find the POST request to a <form> on the New York bar website. The text sent with that form contains the key.

    re100

    Open the executable with IDA, notice a function that does c XOR 0xFF on every byte of a string, locate the string, apply the xor, get the key.

    re200

    Open the executable with Reflector, notice a function that does a XOR once again, reverse the operation, get the key.

    re300

    A bit more complicated this time: the decryption function needs a key, and the only thing we know is that the MD5 of the key is ff97a9fdede09eaf6e1c8ec9f6a61dd5. A Google Search tells us that this is MD5(Intel). This is still not the final key: the program uses that to decrypt a buffer using AES. Doing the same gives us the key to submit.

    re400

    Open the binary with IDA, notice a decrypt function that does NOT c, locate the string, apply the NOT, get the key.

    web100

    The auth is done through a cookie. Modify it (set username to admin), done.

    web200

    The SQL query allows us to inject something mysqli_real_escape'd in a LIKE clause, including % and _. We can use that to select multiple users and have one matching the $auth condition (valid password, we register him) and one matching the $admin condition (username == Administrator).

    web300

    There is an SQL injection on the horses.php page. You can't normally use the select or union keywords (blacklisted), but if there is an equal sign before the keyword in the request it somehow works. From there we listed the tables in INFORMATION_SCHEMA, found a sessions table containing a session for the admin user, used it to get the key. This was not the way the author expected people to solve his exercise and this bug was fixed during CTF.

    web600

    In PHP strcmp/strcasecmp with an array fails and returns 0. We can use that to bypass the check and get the key to be printed.

    Tweet
    Permalink & comments
    blog comments powered by Disqus

© LSE 2012 — Main website — RSS Feed