Hackover CTF 2015 – securelogin

This writeup describes the solution for the securelogin challenge in Hackover CTF 2015 held by Chaos Computer Club Hamburg.

[Image: Hackover CTF 2015 - securelogin - task description]

We have to get the flag from the website, so let's check it out:

[Image: Hackover CTF 2015 - securelogin - website view]

Just a simple website. We can log in with any data. But when visiting the “secret” tab, this is the result:

[Image: Hackover CTF 2015 - securelogin - login view]

No access – no flag :-(. Let's check the cookies.

[Image: Hackover CTF 2015 - securelogin - cookie data]

There is a “data” cookie. It looks like base64 so we’re going to decode it and look at its content:

ruport@zentaur:~$ echo "dXNlcm5hbWU9cnVwMHJ0LWEyZjFmY2U4ZmM5NjAxMDIwYzRhYjA5MzJjYmM1MmJkZjU3YTQzYmE4MzAyNmI4NmZmNjU2YzQzNmZkOWQ4NTk=" | base64 -d
username=rup0rt-a2f1fce8fc9601020c4ab0932cbc52bdf57a43ba83026b86ff656c436fd9d859

The cookie data contains my username and a SHA-256 hash (which is not the hashed username :D). It must be some message authentication code (MAC). When you know and control a plaintext and are looking for a valid MAC, you should always think of hash length extension attacks.
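The cookie format decoded above, parsed and verified server-side, as an added example that is not from the original writeup or the challenge server. It assumes the weak scheme is SHA-256(secret || message), which is the construction length extension applies to, and shows HMAC-SHA256 with strict field parsing beside it; `SECRET` and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Cookie value copied from the writeup: base64("username=<name>-<64 hex chars>").
PAGE_COOKIE = ("dXNlcm5hbWU9cnVwMHJ0LWEyZjFmY2U4ZmM5NjAxMDIwYzRhYjA5MzJjYmM1"
               "MmJkZjU3YTQzYmE4MzAyNmI4NmZmNjU2YzQzNmZkOWQ4NTk=")
SECRET = b"constructed-demo-key"  # assumption: the real server key is unknown
TAG_RE = re.compile(rb"[0-9a-f]{64}")
FIELD_RE = re.compile(rb"username=([A-Za-z0-9_]{1,32})")

def parse_cookie(b64):
    """Decode the cookie and split it into (message, hex tag) at the last '-'."""
    raw = base64.b64decode(b64, validate=True)
    message, sep, tag = raw.rpartition(b"-")
    if not sep or not TAG_RE.fullmatch(tag):
        raise ValueError("malformed cookie")
    return message, tag.decode()

def weak_tag(message):
    # Assumed weak scheme: the digest is the hash's full internal state, so a
    # known tag lets a client derive a tag for message || padding || suffix.
    return hashlib.sha256(SECRET + message).hexdigest()

def hmac_tag(message):
    # Corrected scheme: HMAC's outer keyed hash hides that internal state.
    return hmac.new(SECRET, message, hashlib.sha256).hexdigest()

def issue(username, tagger=hmac_tag):
    message = b"username=" + username.encode()
    return base64.b64encode(message + b"-" + tagger(message).encode()).decode()

def verify(b64, tagger=hmac_tag):
    """Return the username for a valid cookie, otherwise None."""
    try:
        message, tag = parse_cookie(b64)
    except ValueError:  # also covers binascii.Error from bad base64
        return None
    if not hmac.compare_digest(tagger(message), tag):  # constant-time compare
        return None
    # Accept exactly one field: padding bytes or appended fields are rejected
    # even when the tag itself checks out.
    match = FIELD_RE.fullmatch(message)
    return match.group(1).decode() if match else None
```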

Hackover CTF 2015 – messagecenter

This writeup describes the solution for the messagecenter challenge in Hackover CTF 2015 held by Chaos Computer Club Hamburg.

[Image: Hackover CTF 2015 - Messagecenter - Task description]

The task was … to find the flag … as usual :D. So let's look at the website.

[Image: Hackover CTF 2015 - Messagecenter - Website]

So we get a simple website with login fields and some information (demo login data, more username, etc.). When logging in using the “demo” account and the “remember me” option, we get this view:

Hackover CTF 2015 – easy-shell

This writeup describes the solution for the easy-shell challenge in Hackover CTF 2015 held by Chaos Computer Club Hamburg.

[Image: Hackover CTF 2015 - easy-shell - Task description]

Let's first check what the binary does when executed.

ruport@zentaur:~/hackover2015$ ./easy_shell

        .-"; ! ;"-.
      .'!  : | :  !`.
     /\  ! : ! : !  /\
    /\ |  ! :|: !  | /\
   (  \ \ ; :!: ; / /  )
  ( `. \ | !:|:! | / .' )
  (`. \ \ \!:|:!/ / / .')
   \ `.`.\ |!|! |/,'.' /
    `._`.\\\!!!// .'_.'
       `.`.\\|//.'.'
        |`._`n'_.'| 
        "----^----">>

nom nom, shell> rup0rt

Some nice ASCII art, and the program reads data without producing any output. Because this is a pwn challenge, let's send a lot of data under GDB and check the result.

nom nom, shell> AAAAAAAAAAA [300 * "A"]

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

Wow, we already got EIP control – that will literally be an easy-shell :-). Let's check where to direct EIP into a controlled code segment.

Hackover CTF 2015 – easy-math

This writeup describes the solution for the easy-math challenge in Hackover CTF 2015 held by Chaos Computer Club Hamburg.

The task describes some basic arithmetic to warm up:

[Image: Hackover CTF 2015 - easy-math - task description]

This file was published: easy-math.tar.gz. It is a 32-bit ELF executable. Running the file shows this output:

ruport@zentaur:~/hackover2015$ ./easy_math
Warmup: sh0w m3 h0w 1337 y0u 4r3> rup0rt

It reads some data and does stuff with it. I'm going to use GDB to take a detailed look at the operations.
So let's set a breakpoint after the read() functions and single-step (si).

(gdb) b *0x0804855d
Breakpoint 1 at 0x804855d
(gdb) display /i $eip
(gdb) run
Starting program: /home/ruport/hackover2015/easy_math 
Warmup: sh0w m3 h0w 1337 y0u 4r3> AAAABBBBCCCC

(gdb) CC
Undefined command: "CC". Try "help".
1: x/i $eip
=> 0x804855d <main+153>:	add    esp,0x10

We can already see that the binary only takes 10 bytes of input, because 2 bytes of our input (CC) are passed back to GDB. Then the program does some compares. One of them is very interesting because it checks our input data: