CSAW CTF 2012: for200-500/net100-200/re100-400/web100-300/web600 writeups
Written by Pierre Bourdon
October 01, 2012 at 00:00
This article regroups writeups for several challenges which did not deserve a full article.
When you decode the chunks of the PNG file individually only one has a CRC error. It contains text which is the key to submit.
When you decode the chunks of the PNG file individually only one text chunk has no CRC error. It contains text which is the key to submit.
Open with Wireshark, "Follow TCP Stream" and notice a password being sent to a telnet server. This is the key.
Find the POST request to a
<form>on the New York bar website. The text sent with that form contains the key.
Open the executable with IDA, notice a function that does
c XOR 0xFFon every byte of a string, locate the string, apply the xor, get the key.
Open the executable with Reflector, notice a function that does a XOR once again, reverse the operation, get the key.
A bit more complicated this time: the decryption function needs a key, and the only thing we know is that the MD5 of the key is
ff97a9fdede09eaf6e1c8ec9f6a61dd5. A Google Search tells us that this is
MD5(Intel). This is still not the final key: the program uses that to decrypt a buffer using AES. Doing the same gives us the key to submit.
Open the binary with IDA, notice a
decryptfunction that does
NOT c, locate the string, apply the NOT, get the key.
The auth is done through a cookie. Modify it (set username to admin), done.
The SQL query allows us to inject something mysqli_real_escape'd in a LIKE clause, including
_. We can use that to select multiple users and have one matching the
$authcondition (valid password, we register him) and one matching the
$admincondition (username == Administrator).
There is an SQL injection on the
horses.phppage. You can't normally use the
unionkeywords (blacklisted), but if there is an equal sign before the keyword in the request it somehow works. From there we listed the tables in
INFORMATION_SCHEMA, found a
sessionstable containing a session for the admin user, used it to get the key. This was not the way the author expected people to solve his exercise and this bug was fixed during CTF.
In PHP strcmp/strcasecmp with an array fails and returns 0. We can use that to bypass the check and get the key to be printed.blog comments powered by Disqus