How to get to SpongeBob's birthday party? Solving interesting problems from the CTF tournament

Readme

Exercise

Try reading file.txt.

readme.tar.gz →

readme.chal.imaginaryctf.org →

Solution

1. I follow the link and make sure it works. I open the page source.

2. There is nothing interesting in the page source – I need to look deeper. I launch dirsearch.

The server responds with a 404 error to requests for flag.txt and index.html. The default.conf file with the nginx settings contains the following configuration:

server {
    listen       80 default_server;
    listen  [::]:80;
    root /app/public;

    location / {
        if (-f $request_filename) {
            return 404;
        }
        proxy_pass http://localhost:8000;
    }
}

The location block contains a condition that checks whether the requested file exists: if the file named in the URL is present on disk, the server returns a 404 error. The dirsearch results and this configuration together confirm that both files, flag.txt and index.html, are on the server. The condition has to be bypassed somehow – there are several options.

3. Manually, or with the Intruder module in Burp Suite, you can try the candidate payloads. As a result, instead of /flag.txt you can request the page in this form:

GET /flag.txt/.

4. The server returned a clear response – the flag is in your pocket!

Journal

Exercise

Dear Diary, There is no LFI in this app.

journal-dist.zip →

journal.chal.imaginaryctf.org →

Solution

The pages contain only links to five text files. However, the URL is of greatest interest:

http://journal.chal.imaginaryctf.org/?file=file1.txt

The name of the requested file is passed in the file parameter, which could potentially be vulnerable.

1. I look at the attached configuration files. I start with index.php.

It contains the same links to the text files, plus an assert call that uses strpos to check whether the requested file name contains the sequence '..' (two dots). This is probably intended as protection against path traversal. After that, the file's existence is simply checked and its contents are returned if the check passes.

2. According to the logic of the code, it is clear that you can try to access the flag.txt path. I am going to look at the Dockerfile.

The most interesting line in the file looks like this:

RUN mv /flag.txt /flag-`tr -dc A-Za-z0-9 < /dev/random | head -c 20`.txt

Twenty random characters are appended to the file name flag.txt, and the flag file itself is located in the root directory of the filesystem. So, to reach the server's OS, you need to work with this function:

assert("strpos('$file', '..') === false") or die("Invalid file!");

3. The value passed to the file parameter is inserted, without any validation, into the strpos call inside a string that assert evaluates as PHP code, so a PHP injection can be performed. It will look like this:

').system("ls");//

As a result, the line of code will look like this:

assert("strpos('').system("ls");//', '..') === false") or die("Invalid file!");

The program will ignore everything after the comment marker "//". Before it, strpos('').system('ls') will be executed. In addition, an error should appear in the assert function, since strpos takes two parameters.

4. I send the payload:

Everything works – files in the current directory are returned.

5. I move up the file system to the root directory where the file with the flag should be located.

Indeed, the file exists. Brute-forcing the name would, of course, be a very long task.

6. I read the file and get the coveted flag!
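The Readme and Journal tasks both turn on the same question: does a request stay inside the document root? The nginx rule tests the path exactly as requested, and the journal's strpos test only looks for the substring '..'. The following Python model is an added example, not code from either challenge: it reproduces both checks on a temporary directory built here (the file names file1.txt and flag.txt and their contents are constructed), models nginx's -f test as a stat() of the path with its trailing segment left in place (nginx's own URI parsing is not reproduced), and shows one check that normalises the name before deciding.

```python
import os
import tempfile

# Added model of the checks from the Readme and Journal tasks; not challenge code.
# The "document root" is a temporary directory created in demo(), and the files
# in it are constructed for this demonstration.


def nginx_style_check(docroot: str, uri: str) -> bool:
    """Model of `if (-f $request_filename)`: stat() the path as requested.
    To stat(), '/flag.txt/.' and '/flag.txt/' are not the same path as
    '/flag.txt', so -f is false and the `return 404` branch is skipped."""
    return os.path.isfile(docroot + uri)


def substring_check(name: str) -> bool:
    """Model of the Journal check: strpos($file, '..') === false.
    This is a plain boolean; the PHP original hands a string containing the
    user input to assert(), which evaluates it as code, and that is the real
    defect, not the substring test itself."""
    return ".." not in name


def confined_path(docroot: str, name: str):
    """Hardened check covering both cases: normalise the name (collapses '/.'
    and '/..'), require the result to stay under the document root, and only
    then test whether it is a regular file. Returns the resolved path or None."""
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, name.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # escaped the document root
    return candidate if os.path.isfile(candidate) else None


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "public")
        os.makedirs(docroot)
        for fname in ("file1.txt", "flag.txt"):
            with open(os.path.join(docroot, fname), "w") as fh:
                fh.write(f"constructed contents of {fname}\n")
        flag_on_disk = os.path.join(os.path.realpath(docroot), "flag.txt")
        return {
            # nginx model: only the exact path triggers the 404 rule
            "nginx /flag.txt": nginx_style_check(docroot, "/flag.txt"),
            "nginx /flag.txt/.": nginx_style_check(docroot, "/flag.txt/."),
            "nginx /flag.txt/": nginx_style_check(docroot, "/flag.txt/"),
            # substring model: rejects '..', but the payload quoted above has none
            "strpos ../flag.txt": substring_check("../flag.txt"),
            "strpos payload": substring_check("').system(\"ls\");//"),
            # hardened check: '/flag.txt/.' maps back to flag.txt (so the 404
            # rule would fire as intended) and traversal out of the root is refused
            "confined flag.txt/.": confined_path(docroot, "flag.txt/.") == flag_on_disk,
            "confined ../secret": confined_path(docroot, "../secret"),
            "confined file1.txt": confined_path(docroot, "file1.txt") is not None,
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:24} -> {result}")
```

The design point is that a check must run on the same canonical path the file system (or the backend behind proxy_pass) will ultimately open; testing the raw request string, or passing it to an evaluator, leaves a gap between what was checked and what gets served.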

Passwordless

Exercise

Tired of storing passwords? Don't worry! This super secure website is password-free!

app.py →

24.199.110.35:40150 →

Solution

On the task page you will see the following login form:

If you enter any name, a redirect occurs.

1. There is nothing interesting in the page code – I go to the source code. In app.py there is the following request routing script:

@app.route('/<uid>')
def user_page(uid):
    if uid != str(uuid.uuid5(leet,'admin123')):
        return f'Welcome! No flag for you :('
    else:
        return flag

The flag is given only if you follow the link:

str(uuid.uuid5(leet,'admin123'))

At the very beginning of the file, the value of the leet variable is set:

global leet
leet = uuid.UUID('13371337-1337-1337-1337-133713371337')

2. I try to form a target link – to do this, I execute part of the code from the configuration file in IDLE:

import uuid

leet=uuid.UUID('13371337-1337-1337-1337-133713371337')

print(uuid.uuid5(leet,'admin123'))

At the output I get the following line:

3c68e6cc-15a7-59d4-823c-e7563bbb326c

3. Using the received string, I create a new link and try to access it:

http://24.199.110.35:40150/3c68e6cc-15a7-59d4-823c-e7563bbb326c

Done – server returns flag: n00bz{1337-13371337-1337-133713371337-1337}.
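Why the link could be rebuilt at all: uuid5 is a name-based UUID, a SHA-1 over the namespace bytes and the name, so with both values in app.py the "secret" path is reproducible by anyone who reads the source. The block below is an added example, not the challenge's code: it derives the value by hand with hashlib and checks it against uuid.uuid5 using the namespace and name quoted above, and contrasts it with a random token (the secrets-based alternative is an assumption about how such a route could be fixed, not something the task provides).

```python
import hashlib
import secrets
import uuid

# Added example for the Passwordless task; not code from app.py.
# LEET and the name "admin123" are the values quoted from the challenge source.
LEET = uuid.UUID("13371337-1337-1337-1337-133713371337")
NAME = "admin123"


def uuid5_by_hand(namespace: uuid.UUID, name: str) -> uuid.UUID:
    """RFC 4122 name-based UUID: SHA-1 over namespace bytes + name, keep the
    first 16 bytes, and let uuid.UUID stamp in the version (5) and variant bits.
    This mirrors what the standard library's uuid.uuid5 does internally."""
    digest = hashlib.sha1(namespace.bytes + name.encode("utf-8")).digest()
    return uuid.UUID(bytes=digest[:16], version=5)


def admin_path(namespace: uuid.UUID = LEET, name: str = NAME) -> str:
    """The path segment the route compares uid against. Deterministic: no secret
    is involved, only two constants that ship with the source."""
    return str(uuid.uuid5(namespace, name))


def is_deterministic() -> bool:
    """Hand derivation, library call and a second library call all agree."""
    return (
        uuid5_by_hand(LEET, NAME)
        == uuid.uuid5(LEET, NAME)
        == uuid.UUID(admin_path())
    )


def admin_version() -> int:
    return uuid.UUID(admin_path()).version


def unguessable_path() -> str:
    """Assumed fix: a fresh random token that is generated and stored server
    side rather than derived from public inputs. Two calls never agree."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print("admin path:", admin_path())
    print("derivation matches library:", is_deterministic())
    print("random alternative:", unguessable_path())
```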

Holesome Birthday Party

Exercise

You've just been invited to SpongeBob's birthday party! But he's decided to test your friendship before he gives you a ticket. Can you prove yourself and earn the right to enter the party?

holesomebirthdayparty.ctf.umasscybersec.org →

Solution

SpongeBob is expecting only true friends at his birthday party – you definitely have to get to the party!

1. I follow the link and see the first task:

It looks like you need to work with the HTTP request and set the User-Agent header to “Bikini Bottom”:

User-Agent: Bikini Bottom

Excellent! The first task is completed.

2. Next, you need to change the date in the request via the Date header. I Google it – it turns out that SpongeBob's birthday is July 14. I change the date to the one I need.

Done – moving on to the next task.

3. Now SpongeBob wants to learn French, so he asks you to speak it.

In an HTTP request the language is specified in the Accept-Language header, so I change it to fr:

Great, moving on.

4. The birthday boy asks to bring chocolate chip cookies. I will accommodate him and add a cookie with the required value to the HTTP request.

SpongeBob gave out a ticket to the party, but something is wrong with it…

A new value arrives in the Cookie header (Login=eyJsb2dnZWRpbiI6IGZhbHNlfQ==). It is base64-encoded and decodes to {"loggedin": false}. Burp Suite has a Decoder module, so I use it:

I change the value to true, re-encode it and send it in the header. The final HTTP request (taking the previous tasks into account) looks like this:

The flag has been received – the party with sad Squidward has begun!
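The ticket could be rewritten because base64 is an encoding, not a protection: the server trusted whatever JSON came back in the cookie. The block below is an added example, not the challenge's code. It decodes the Login cookie quoted above, performs the same edit, and then shows the server-side fix a defender would want: an HMAC tag over the cookie body so that an edited body is rejected (SERVER_KEY is a constructed placeholder, and the signed format is an assumption, not the task's).

```python
import base64
import hashlib
import hmac
import json

# Added example for the cookie step of the Holesome Birthday Party task.
# ORIGINAL_COOKIE is the value quoted in the writeup; SERVER_KEY is constructed.
ORIGINAL_COOKIE = "eyJsb2dnZWRpbiI6IGZhbHNlfQ=="
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def decode_cookie(value: str) -> dict:
    """Plain base64 carries no integrity: anyone can read and rewrite it."""
    return json.loads(base64.b64decode(value))


def encode_cookie(payload: dict) -> str:
    return base64.b64encode(json.dumps(payload).encode()).decode()


def sign_cookie(payload: dict, key: bytes = SERVER_KEY) -> str:
    """Server side: attach an HMAC-SHA256 tag computed over the encoded body."""
    body = encode_cookie(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(value: str, key: bytes = SERVER_KEY):
    """Server side: recompute the tag and compare in constant time. A body
    edited by the client no longer matches its tag, so it is rejected (None)."""
    body, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.b64decode(body))


def demo() -> dict:
    original = decode_cookie(ORIGINAL_COOKIE)
    # the edit described in the writeup: flip loggedin and re-encode
    edited = encode_cookie({**original, "loggedin": True})
    # the same cookie as a signed server would have issued it
    signed = sign_cookie(original)
    # the same edit attempted against the signed cookie: new body, old tag
    tampered = edited + "." + signed.rpartition(".")[2]
    return {
        "original": original,
        "edited": edited,
        "signed_ok": verify_cookie(signed),
        "tampered_ok": verify_cookie(tampered),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:12} -> {result}")
```

A signed cookie still reveals its contents to the client (the body is only base64), so anything that must stay private belongs in a server-side session keyed by a random identifier; the HMAC only stops the client from changing what the server reads back.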

CTF tournaments help to expand knowledge about seemingly clear functions of programming languages or nginx configuration. They also allow you to work with the structure of the HTTP protocol.

Hopefully this breakdown of the tasks will help new CTF players understand how to approach the flag-hunting process. See you in the next parts!
