Jun 6, 2016 - backdoorctf16 : Mindblown

Author: aagallag

Publish Date: 2016-06-06

Category: Crypto Points: 150 Description:

Chintu has secured his flag behind a secure auth. We managed to get the authentication logic of the system. Can you help us get his flag from here (http://hack.bckdr.in:9003/). Bruteforce is not needed.
Created by: Amanpreet Singh

Investigation

Upon visiting the site, I’m greeted with a simple login page.

Right away I start trying random things in the login box to see how the page responds. I try the combo ‘admin:admin’ and the webpage throws an error message stating “Username is wrong”.

Hmm… Is this a typo or do I need to figure out the correct user to be using?

Thankfully, the challenge authors have provided a snippet of the login code. Maybe I can better understand the challenge once I’ve reviewed some of the login implementation.

var express = require('express');
var app = express();
var port = process.env.PORT || 9898;
var crypto = require('crypto');
var bodyParser = require('body-parser')
var salt = 'somestring';
var iteration = /// some number here;
var keylength = // some number here;

app.post('/login', function (req, res) {
	var username = req.body.username;
	var password = req.body.password;
	if (username !== 'chintu') {
		res.send('Username is wrong');
		return;
	}
	if (crypto.pbkdf2Sync(password, salt, iteration, keylength).toString() === hashOfPassword) {
		if (password === 'complexPasswordWhichContainsManyCharactersWithRandomSuffixeghjrjg') {
			// some logic here and return something
		} else {
			// return flag here
		}
	} else {
		res.send('Password is wrong');
	}
});

The following check tells me the username to be using.

if (username !== 'chintu')

Great, now I know to use ‘chintu’ as my username.

I try out the username, and the error changes from wrong user to wrong password. How do we login as ‘chintu’?

if (crypto.pbkdf2Sync(password, salt, iteration, keylength).toString() === hashOfPassword)

So this is how I would expect most website logins to work. It’s bad practice to store passwords in plaintext, so you use a hashing algorithm to store the password hashes instead. So when someone logs in, you calculate the hash of the password they claim is their’s and check to ensure that it matches the password hash stored in a database.

However, in this implementation, there is one additional check performed even after the password hashes match.

if (password === 'complexPasswordWhichContainsManyCharactersWithRandomSuffixeghjrjg') {
	// some logic here and return something
} else {
	// return flag here
}

Hmm, so Chintu’s password appears to be ‘complexPasswordWhichContainsManyCharactersWithRandomSuffixeghjrjg’. To verify that suspicion, I went ahead and logged into the page with it.

I was taken to a page different from the “Wrong username” and “Wrong password” pages. However, the page still does not contain the flag.

Ok, so I know I’m using the right password and generating the right hash, but how do I get it to print the flag?

We need to find a password that results in the same hash value as Chintu’s password, but it can’t be Chintu’s password.

How is that possible? Thanks to hash collisions!

Hash functions have the interesting characteristic where you can input any large amount of data and they will always generate a hash of a fixed size. This can be useful, because it means that hashes don’t contain enough information to perfectly reverse a hash value to it’s input. The downside is that there often exists multiple variations of input that all can generate the same value.

Solution

I was aware that collision attacks exist, but I’ve never implemented one. So I decided to hit Google up for some help. Specifically, I knew I would need help building a collision attack against pbkdf2Sync.

Searching “pbkdf2Sync collision” lead me to a writeup entitled PBKDF2+HMAC hash collisions explained by Mathias Bynens. He does a fantastic job of showing exactly how to create a hash collision when you know the value being hashed.

Flag

This challenge is hosted permanently at Backdoor, so go find the flag yourself!

Jun 5, 2016 - backdoorctf16 : CLUE

Author: dade

Publish Date: 2016-06-05

Category: Web Points: 200 Description:

Vampire has started recruiting hackers for his new team. To filter people, he has given a clue somehwhere here. If you think you are capable enough to join him find the flag and submit its SHA-256 hash.
Created by: Dhaval Kapil

This challenge was supposed to be eas(y|ier) but only two teams managed to solve it. b0tch_sec was team #2.

Investigation

Upon visiting the site, we’re told a flag is somewhere in this directory. Let’s see what other things are in this directory, maybe it’ll help.

My first instinct is to look for a robots.txt, which doesn’t pan out. Then I look for .htaccess, which also doesn’t pan out. Next I want to see if a .git folder is in available.

403 Forbidden. Bingo, we have a .git directory. It’s not indexable though, so we’re going to have to look for common files manually. My preferred first file to grab is always .git/logs/HEAD as it has the potential to provide a ton of information.

Once confirming we can access http://hack.bckdr.in/CLUE/.git/logs/HEAD I want to go ahead and rip the entire git directory. I originally did this by manually building a couple tools I could use to download every object, view the contents of the object, then download any objects referenced from there. But a little searching around left me with rip-git which is way more useful. Let’s go ahead and run that with the url we know to have .git.

rip-git.pl -v -u http://hack.bckdr.in/.git/

Now that we have the entirety of the git repo locally, let’s poke around at the contents, maybe the flag is in a previous revision.

After a long while of git cat-file -p $objectHash, I found a version of vampire.txt that shows us a specific time at which the flag will be available. Looking at our git log shows us that we don’t have any commits at that time, it’s in the future.

That time is Fri Jun 3 14:00:00 2016 +0530

Solution

Note: I spent an incredibly long time on figuring this out, most of my ctf time went towards this problem. I probably overengineered it a lot. Below I show only the steps I took that actually led to solving.

Using the info we see in .git/config we are able to determine that this was hosted on github. Of course if we try to git clone that url it doesn’t work, suggesting it may not exist anymore or it might have just been made private.

Knowing the author’s git username now, let’s do some snooping around on his github. Looking at all his repositories we don’t see much of interest. But hold on, he uses a gh-pages user page, which is hosted at [dhavalkapil.github.io]. Due to some recent research I was doing on github pages when trying to setup my own, I learned that a repo-page can be accessed by going to user.github.io/repo-name. Let’s try that with what we already know and see if we see anything.

Flag is somewhere in this directory

That confirms that the git repo is still on github and it was just made private. Using the information we gleaned from the repository, let’s put it all together now.

TL;DR

  1. CLUE has a .git folder that we can access specific files in
  2. One of those specific files is .git/config which tells us where the remote/origin.
  3. Vampire.txt tells us the flag will be in file 982hud0q3rhua at some time
    • A previous version of vampire.txt tells us that the flag will be in that file at a specific time.
    • That specific time is in the future from where hack.bckdr.in/CLUE is currently at.
  4. Github leaks us some information about private repos via gh-pages, provided we know enough information.
    • We need to know the repo name
    • We also need to know a specific file to probe
  5. Visit the gh-page for the repo
  6. Visit the specific page that the password should be in on that gh-page

Why it was vulnerable

It’s important to note that this particular attack worked because vampire was doing his work on the repo in the gh-pages branch, so the repo was published and we just had to find the appropriate links.

Flag

This challenge is hosted permanently at Backdoor, so go find the flag yourself!

Jun 5, 2016 - backdoorctf16 : Imagelover

Author: dade

Publish Date: 2016-06-05

Category: Web Points: 70 Description:

Find imagelover here
Created by: Amanpreet Singh

Investigation

We’re told that admin will visit our page with the flag, so we just need to submit something that we control so that we can watch the traffic come to our server.

Being the fond Hackers (1995) fan that I am, I’ll use my playground vps, gibson.zerocool.io to serve up a file that we can sniff traffic on. I’m using the gibson subdomain because I have ssl enforced on zerocool.io and wasn’t sure if tshark would be able to read the content as it came in, or if it would just show up as ssl packets.

Instead of sniffing all our traffic though, let’s get the IP address that imagelover will likely be coming from.

dig a hack.bckdr.in

Solution

From here we now have what we need to fire up tshark and listen to the traffic coming into the server.

[email protected]:/home/dade# tshark -i eth0 -x host 188.166.184.216

Now that the sniffer is running, we submit http://gibson.zerocool.io to the imagelover input.

Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'

[Packet Capture omitted. Do it yourself :)]

Flag

This challenge is hosted permanently at Backdoor, so go find the flag yourself!