Skip to content

Instantly share code, notes, and snippets.

@Bono-iPad

Bono-iPad/writeup.md

Last active October 20, 2015 16:10
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save Bono-iPad/533fc97f7939ccd9a1a8 to your computer and use it in GitHub Desktop.
Save Bono-iPad/533fc97f7939ccd9a1a8 to your computer and use it in GitHub Desktop.
Download ZIP
HITCON CTF 2015 Quals Simple
Raw
gistfile1.txt
import urllib
import urllib2
import cookielib
url = "http://52.69.244.164:51913/"
params = {"username" : "A"*19 + '!,!admin!:true,!' + "A"*13, "password" : "a"}
print urllib.urlencode(params)
# 1234567890123456
# {"username":"AAA
# AAAAAAAAAAAAAAAA
# !,!admin!:true,!
# AAAAAAAAAAAAA","
# password":"a","d
# b":"hitcon-ctf"}
class MyHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
def http_error_302(self, req, fp, code, msg, headers):
# Cookie Manip Right Here
return urllib2.HTTPRedirectHandler.http_error_302(self, req, fp, code, msg, headers)
http_error_301 = http_error_303 = http_error_307 = http_error_302
while True:
cookieprocessor = urllib2.HTTPCookieProcessor()
opener = urllib2.build_opener(MyHTTPRedirectHandler, cookieprocessor)
urllib2.install_opener(opener)
response = urllib2.urlopen(url,urllib.urlencode(params))
r = response.read()
if "Something wrong QQ" in r:
continue
print r
cj = cookieprocessor.cookiejar
for a in cj:
if a.name == "auth":
auth = a.value
print auth
data = urllib.unquote_plus(auth)
print "%r" % data
print len(data)
q = '!,!admin!:true,!'
qq = '","admin":true,"'
ans = ""
for z in range(0,16):
ans = ans + chr( ord(data[z+48]) ^ ord(q[z]) ^ ord(qq[z]))
fin = data[:48] + ans + data[64:]
cookie = 'auth=' + urllib.quote_plus(fin,"")
opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', cookie))
f = opener.open(url)
q = f.read()
if "flag" in q:
print q
exit(0)
# You're admin! The flag is hitcon{WoW_CFB_m0dE_5o_eAsY}
Raw
writeup.md

We were provided a ruby source file(simple-260e49e58afc505131f19cd348b435c4.rb).

According to this file, our input(username and password) would be converted to the JSON format like this( {"username":"XXX","password":"YYY","db":"hitcon-ctf"}) and encoded by AES-128-CFB. Because this cryptosystem used CFB mode (https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation) , we could modify one block’s plaintext by modifying next block’s ciphertext. “(ciphertext) xor (true plaintext) xor (fake plaintext)” gave us the modified next block. Ofcourse next block would be decoded messy, but once we quote the messy text by double-quote(“), it was treated as a part of JSON data and thanks to CFB mode, the block after the next block was decoded properly.

In our payload, we set username = "A"*19 + '!,!admin!:true,!' + "A"*13 and password = "a". All we need was changing (!) into (“) to get the “admin” JSON data (“admin”:true)! The problem was, due to the encoding problem, if some wrong charactor was included in ciphertext, not only our payload but sometimes genuine ciphertexts were not accepted by remote server. We needed some bruteforce to get a good IV which did not make ciphertext with wrong charactor. Once we got good IV and modified ciphertext was accepted by the remote server, the flag appeared promptly. (This problem was corrected by admins later in the competition: “auth = auth.b”)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment