This writeup describes the solution for the securelogin challenge in Hackover CTF 2015 held by Chaos Computer Club Hamburg.
We have to get the flag from the website, so let's check it out:
Just a simple website. We can log in with any data. But when visiting the “secret” tab, this is the result:
No access – no flag :-(. Let's check the cookies.
There is a “data” cookie. It looks like base64 so we’re going to decode it and look at its content:
ruport@zentaur:~$ echo "dXNlcm5hbWU9cnVwMHJ0LWEyZjFmY2U4ZmM5NjAxMDIwYzRhYjA5MzJjYmM1MmJkZjU3YTQzYmE4MzAyNmI4NmZmNjU2YzQzNmZkOWQ4NTk=" | base64 -d
The cookie data contains my username and a SHA-256 hash (which is not the hashed username :D). It must be some message authentication code (MAC). When you know and control a plaintext and need a valid MAC for it, you should always think of hash length extension attacks.
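An added example, not code from the challenge or the original writeup: it parses the `data-mac` cookie format shown above and puts a secret-prefix SHA-256 tag beside an HMAC-SHA256 tag, with a constant-time check on the server side. The secret-prefix construction is an assumption about how the challenge built its MAC; `SECRET` and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Cookie value copied from the writeup above.
COOKIE = "dXNlcm5hbWU9cnVwMHJ0LWEyZjFmY2U4ZmM5NjAxMDIwYzRhYjA5MzJjYmM1MmJkZjU3YTQzYmE4MzAyNmI4NmZmNjU2YzQzNmZkOWQ4NTk="
SECRET = b"constructed-demo-key"  # constructed; the challenge's real key is not on the page


def parse_cookie(value):
    """Split the base64 cookie into (data, mac_hex) at the last '-'."""
    raw = base64.b64decode(value, validate=True)
    data, sep, mac = raw.rpartition(b"-")  # last '-', so usernames may contain '-'
    if not sep or len(mac) != 64 or any(c not in b"0123456789abcdef" for c in mac):
        raise ValueError("malformed cookie")
    return data, mac.decode()


def weak_mac(data):
    # Assumed weak construction: SHA-256 over secret || data. The tag equals the
    # hash's final internal state, which is what length extension relies on.
    return hashlib.sha256(SECRET + data).hexdigest()


def strong_mac(data):
    # HMAC runs two keyed passes, so the tag is not a resumable hash state.
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


def issue(data, mac_fn):
    """Build a cookie in the same data-mac layout."""
    return base64.b64encode(data + b"-" + mac_fn(data).encode()).decode()


def verify(value, mac_fn):
    """Return the authenticated data, or None if the cookie is invalid."""
    try:
        data, mac = parse_cookie(value)
    except ValueError:  # also covers base64 decoding errors
        return None
    # Constant-time comparison avoids leaking how many tag characters matched.
    if hmac.compare_digest(mac, mac_fn(data)):
        return data
    return None
```

Both constructions produce 64 hex characters, so the cookie layout alone does not tell a reviewer which one a server uses; that has to be confirmed in the server code.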
This writeup describes the solution for the messagecenter challenge in Hackover CTF 2015 held by Chaos Computer Club Hamburg.
The task was … to find the flag … as usual :D. So let's look at the website.
So we get a simple website with login fields and some information (demo login data, more usernames, etc.). When logging in using the “demo” account and the “remember me” option, we get this view:
This writeup describes the solution for the easy-shell challenge in Hackover CTF 2015 held by Chaos Computer Club Hamburg.
Let's first check what the binary does when executed.
.-"; ! ;"-.
.'! : | : !`.
/\ ! : ! : ! /\
/\ | ! :|: ! | /\
( \ \ ; :!: ; / / )
( `. \ | !:|:! | / .' )
(`. \ \ \!:|:!/ / / .')
\ `.`.\ |!|! |/,'.' /
nom nom, shell> rup0rt
Some nice ASCII art, then the program reads data without printing any output. Because this is a pwn challenge, let's send a lot of data in GDB and check the result.
nom nom, shell> AAAAAAAAAAA [300 * "A"]
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
Wow, we already got EIP control – that will literally be an easy-shell :-). Let's check where to direct EIP so that it lands in a code segment we control.
This writeup describes the solution for the easy-math challenge in Hackover CTF 2015 held by Chaos Computer Club Hamburg.
The task describes some basic arithmetic to warm up:
This file was published: easy-math.tar.gz. It is a 32-bit ELF executable. Running the file shows this output:
Warmup: sh0w m3 h0w 1337 y0u 4r3> rup0rt
It reads some data and does stuff with it. I'm going to use GDB to take a detailed look at the operations.
So let's set a breakpoint after the read() functions and single-step (si).
(gdb) b *0x0804855d
Breakpoint 1 at 0x804855d
(gdb) display /i $eip
Starting program: /home/ruport/hackover2015/easy_math
Warmup: sh0w m3 h0w 1337 y0u 4r3> AAAABBBBCCCC
Undefined command: "CC". Try "help".
1: x/i $eip
=> 0x804855d <main+153>: add esp,0x10
We can already see that the binary only takes 10 bytes of input, because 2 bytes of our input (CC) are passed back to GDB. Then the program does some compares. One of them is very interesting because it checks our input data: