
13 November 2014

Potentially Hidden Password - 100

This Daedalus Corp. website loads images in a rather odd way... [Source Code]


It seems like a normal page, and there appears to be nothing special within its source code. I decided to open one of the images on its own, in hopes of finding something there.


There's nothing special about the image itself, but the URL seemed to stick out to me the most.

http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=zone1.jpg

Specifically that last part (/file_loader.php?file=zone1.jpg).

I decided to do a test to confirm my suspicions. I replaced 'zone1' in the link with 'zone2'. Sure enough, as soon as I hit 'Enter', the second image popped up. Now I knew that this file loader was getting the images from a directory somewhere... perhaps where the flag is too?

I downloaded the Source Code given at the beginning of the problem and read through it.


It seemed like simple HTML and CSS, along with a little PHP. The part I focused on the most was the PHP code, since it referenced the flag file.

Here is the PHP implemented in the source code:
       <?php
         // Only print the flag when the admin-mode config file reads "true".
         $config_file = fopen("/resources/config/admin_mode.config", "r");
         if (fgets($config_file) === "true") {
           $flag_file = fopen("/resources/secrets/flag", "r");
           echo fgets($flag_file);
           fclose($flag_file);   // close the flag handle
         }
         fclose($config_file);
       ?>
From what I could tell, the flag file was located at /resources/secrets/flag

So naturally, I pasted that text into the original link, so that it looked something akin to http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=resources/secrets/flag

That only led me to this page, but that doesn't mean that my efforts were unfruitful.

 
I've found the directory that the flag should be in! It should be located within /resources/. Since the file loader only looks within /resources/files, would there be a way to go up to /resources/ and into other folders rather than only looking within the files folder? Yep, there is.

To account for that, I should now add ../ (a directory traversal) before what I am about to type, since it, "tells the browser to move one level back toward the root directory before looking for the path to the file," (RootsWeb). Basically, it means to go up a path/folder.

I have to add ../ since the flag is within /resources/, but it isn't within /resources/files/. It's within /resources/secrets/flag.

So now that we're within the /resources/ folder, we'll have to enter the /secrets/ folder and then, from there, get the flag from /flag. This part is relatively simple.

Adding secrets/flag after the ../ should do the trick, since we'll then be reading the path /resources/secrets/flag (which is clearly where the flag file is located, according to the PHP).

The full link should look like: http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=../secrets/flag

As expected, going to that link should get you to this page:

 
The only sentence (and flag) in the page is: i_like_being_included

* Unrelated note: Potentially Hidden Password... I bet that stands for PHP, doesn't it?

09 November 2014

Delicious! - 60

You have found the administrative control panel for the Daedalus Corporation Website: https://web2014.picoctf.com/delicious-5850932/login.php. Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?
This problem requires a cookie editor extension, and the best browser to solve this problem with would be Chrome, since it has good cookie editing extensions. I installed two cookie editing extensions for Chrome: (1) EditThisCookie and (2) Cookie Inspector.

You don't have to install both extensions, or even those extensions in specific, but I still did because of reasons.

After installing the extensions, open the administrative control panel link. It says that I'm not logged in because there are too many people that are logged in.


Now's the part where the cookie editors come in. Right-click and press 'Inspect Element'. Click on the 'EditThisCookie' pane. There should be 9 columns, and under the 'Value' column it should have the number 67.


Click on it and enter any number. When you're finished, refresh the page and keep entering different numbers until you reach this page:


The number I put in was '21'. The flag is session_cookies_are_the_most_delicious

Toaster Control - 50

Daedalus Corp. uses a web interface to control some of their toaster bots. It looks like they removed the command 'Shutdown & Turn Off' from the control panel. Maybe the functionality is still there...
When opening the link and clicking on one of the buttons, I noticed what the page's URL looked like.

For example, clicking on 'Blink Lights', the URL would be http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Blink Lights
When clicking on 'Patrol Mode', the URL would be http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Patrol Mode
When clicking on 'Make Toast', the URL would be http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Make Toast

There is a pattern: each of the URLs starts with http://web2014.picoctf.com/toaster-control-1040194/handler.php?action= and ends with the name of the button you clicked.

So, since I wanted to activate the 'Shutdown & Turn Off' command, you'd assume that the link would be http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown & Turn Off

But that would only bring me to this page:


But then how would I be able to get to the page? URL encoding, that's how. The problem actually lies in the ampersand ('&'): it's not a URL-safe character inside a query value, because the server reads it as the separator between parameters, so the action it sees ends at "Shutdown ". By converting Shutdown & Turn Off to a URL-safe string, I'd be able to view the page.

I Google'd 'text to url' and found several text to URL converters. I used QuickEncoder, and pasted Shutdown & Turn Off into the box, then pressed 'Encode'


I copied the URL-safe string (Shutdown+%26+Turn+Off) and pasted it into the base URL (http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=) so that it looked like http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown+%26+Turn+Off

I pressed 'Enter' and the following page appeared:


The shutdown code, and flag, is blatantly displayed as flag_c49bdkeekr5zqgvc20vc

Javascrypt - 40

Tyrin Robotics Lab uses a special web site to encode their secret messages. Can you determine the value of the secret key?
This question is simple; only basic knowledge of Javascript is required. Upon clicking the link, the site you are brought to has an 'Input Message' and an 'Output Message' box, along with an 'Encode' button. An example of the encryption done with the site is as follows:


Once again, 'View Source' is necessary. Right-click and press 'View Page Source' to, well, view the page's source. Immediately, at the bottom, is the Javascript for generating the key used to encode the message.


It should look something like this:

       var key; // Global variable.
       // Since the key is generated when the page
       // is loaded, no one will be able to steal it
       // by looking at the source! This must be secure!
       function generateKey() {
         var i = 1;
         var x = 295;
         var n = 5493;
         while (i <= 25) {
           x = (x * i) % n;
           i++;
         }
         key = "flag_" + Math.abs(x);
       }
       generateKey();
       // Encode the message using the 'key'
       function encode() {
         var input = $("#inputmessage").val();
         var output = CryptoJS.AES.encrypt(input, key);
         $("#outputmessage").val(output);
       }

It is now clear that the key is the flag: a string starting with "flag_" and ending with the absolute value of the variable x after the loop.

To find the flag, I converted the code to Java (since I am most comfortable with Java):

 public class Javascrypt {
     public static void main(String[] args) {
         // Same loop as the site's generateKey(): x = (x * i) mod n for i = 1..25
         int i = 1;
         int x = 295;
         int n = 5493;
         while (i <= 25) {
             x = (x * i) % n;
             i++;
         }
         System.out.println("flag_" + Math.abs(x));
     }
 }

I then ran it using Eclipse:


The flag is output as flag_3003

Internet Inspection - 30

This is where the questions actually require a little bit of CSS and HTML knowledge. You should be able to read CSS and HTML and understand the syntax. The question asks
On his computer, your father left open a browser with the Thyrin Lab Website. Can you find the hidden access code?
When one clicks on the link, a page with a checkered rectangle appears.


It seems as though the flag is behind the checkered box... how would one be able to remove the checkers on the image and edit the webpage? 'Inspect Element' is the answer!

Hover the mouse over the box, right-click, then select 'Inspect Element'. It should now look something like this, depending on your browser:


When I look through the code, I see a div with the id "checkers". Perhaps that's what's blocking the table. I double-click on it and see that its style attribute contains a background-image property, along with width, height, overflow, etc. properties as well.

That background image must be the checkers causing the table to be blocked, so I highlight url("/problem-static/web/internet-inspection/checkers.png") and replace it with none.

Immediately, the checkers disappear and the page now looks like this


The flag is flag_307ba6279287ba746b5a3a964a712f9343a27eb6

An alternate way to find the flag would be to 'Inspect Element', and browse through the divs to find where the flag lies, and copy it (CTRL + C or ⌘ + C). Its path would be:

html → body → div.row → table#content-table.rounded → tbody → tr#contents → td

No Comment - 20

This is yet another simple question that requires little to no knowledge of programming. The question is:
The CD you find has a copy of your father's website: homepage.html. Maybe something is hidden in the site...
When you open the webpage, you are greeted with this:


It seems like a normal page, and there doesn't seem to be any flag hidden on the website that you can see. But one of the basic, first rules of CTFs is to always check the page source: the HTML, CSS, Javascript, etc. are always there, and there might be other clues hidden around there, too.

To view the page source, simply Right-Click your mouse and select 'View Page Source' (or something akin to that depending on your Browser)

When I viewed the page source, everything seemed normal until...


That green text. It's not visible on the web page because it is an HTML comment. Anyway, the flag is blatantly given (flag_3072fa4381f859636409532fdd70eaace3078420). Just copy it, paste it into the answers box, and there's another 20 points!