VolgaCTF as a member

On April 15, the qualifying stage of the competition in the field of information security VolgaCTF-2012 was completed , in which 29 teams from various cities of the Volga Federal District participated. The teams were given 48 hours to solve problems in the areas of:

• Crypto - cryptographic tasks;
• Web - a variety of web vulnerabilities;
• Reverse engineering - reverse engineering;
• StegaSic (Steganography & Forensic) - steganography and computer crime research;
• PPC (Professional programming and coding) - various programming tasks;
• Joy - tasks for general knowledge in the field of information security;
• Blackbox Admin - network administration tasks;

I would like to share with you my impressions and write how such competitions look exactly from the side of the participant.

First of all, I express my deep gratitude to the organizers of this contest and to the admins for their chic assignments, which were not simple, but were interesting.
In this kind of competition, our team participated for the first time. The start of the competition was delayed by an hour, during which time we managed to settle down more comfortably, set up computers and adjust ourselves a little with various jokes and conversations about anything.
Admins raised the VPN server, distributed the keys to connect to the teams and the game began!

04/13/1900
The teams were given the internal and external address of the site with the tasks. We distributed tasks within the team and started working.

Level 100 by region varied greatly in complexity. Two tasks were solved immediately:
1) An html page with a large table was given. Each cell of the table contained its own color, after a small game with css, a picture of the island was obtained, transferred to JPG, downloaded to Google and found the name of the island, which turned out to be the key
2) We were sent an archive in which photos of famous pirates and hackers were stored, it was necessary to find out their full names and send them to the organizers. With the help of Google and a small work with a graphic editor quickly found.
')
13.04 19:20
The tasks to find and exploit vulnerabilities in web sites turned out to be much more interesting. The first target was a pirate blog about the ranks of the pirate fraternity. Within fifteen minutes, the opposing teams introduced code hiding the contents of some parts of the page. This gave us information about the presence of XSS vulnerabilities. Later we noticed that blogs were regularly updated, new topics were added. Although most likely the information was updated by the program (as it seemed to us) decided to try to exploit the XSS vulnerability and using standard methods to obtain a cookie of a user with administrator rights. On the sniffer raised on the Internet, only information about participants of other teams was displayed, but we did not give up. Reconfigured XSS to the IP address inside the VPN and the traffic analyzer detected an attempt to connect the administrator. The key was taken!

The tasks for cryptography, reverse, professional programming (ppc), which we immediately dubbed short and simple word “PPC”, were solved less successfully.
In the task from the field of PPC, the guys immediately recognized the reverse Polish notation . Due to the large amount of work, the handler started writing the program not immediately, it took a lot of time to develop and debug. We received the answer only the next day.
It would not have mastered the seemingly simple task on the crypto100.

04/13/20: 30
Got a classic assignment from the Joy area.

They did not begin to search for hidden meaning and encrypted archives, we decided to first try to do what they ask for in the photo. They took pictures, sent them away, earned their 200 points) However, I had to take a little photofixing - add pirate paraphernalia, but the result was excellent)
Around the same time, we solved the problem with Web200, where a link to the admin was left in robots.txt.

13.04 21:15
Unfortunately, it is not allowed to stay at the university at night, so our team was asked to vacate the premises. Full of strength and fighting spirit, we went to the apartment to continue to solve problems there.

13.04 22:30
At about this time, the first administration task was opened. A server has been made available. Open ports were more than a thousand. Began to look for clues. The request for port 1000 is always returned "P". A request for port 1001 after addressing port 1000 is always “i”. The similar situation was at 1002, 1003, etc. ports. The consecutive letters from 1000 to 1005 port gave the word "Pirat". The request for port 1000 reset the order of characters. With a large delay between calls to neighboring ports, the algorithm did not work.

The information gathering stage showed that it was necessary to write a program to search and display information on all ports of the server. A simple perl program was soon written. The result of her work was the text in English, after several tens of thousands of characters lay the key to the task.

13.04 23:45
Now I would like to tell about really interesting and original tasks from the field of web.
3 task referred to the site of the pirate bar.

A quick look at the site did not reveal any visible vulnerabilities. The eye stopped on the hidden comments in the html code.



A search on the Internet for “Pirate Browser” and the substitution in the User - Agent of all possible names did not work. But soon they discovered SQL-injection in this field. It would seem nothing complicated, but it was Insert injection. Interesting was the fact that commands like SELECT, OR, WHERE, ORDER, GROUP, AND were cut, you had to type

SELECT TABLE_NAME FROM information_schema.tables WHERE TABLE_NAME LIKE 'k%'

bring to mind

SELSELECTECT TABLE_NAME FRFROMOM infoORrmation_schema.tables WHWHEREERE TABLE_NAME LIKE 'k%'

What else was interesting is the key parameter in COOKIE, which has always been discarded.
The result of the execution was not displayed anywhere (although maybe we did not find it), it was just recorded in the database. INTO OUTFILE and other methods did not work, I had to resort to non-standard ones. The decision was postponed until the morning.

The first thing that comes to mind is to generate a script error in cases where the number of rows satisfying the subquery condition is zero. First I tried to divide the real number into COUNT (*), but in cases where COUNT (*) was zero, MySQL calmly swallowed it.
MySQL search - functions in which the required parameters of the result should not be given.
But it turned out to use the so-called timing attack. A query to search for the name of the table in which the key could have been converted to a form.

pirat'),((SELSELECTECT if(COUNT(*)!=0,BENCHMARK(100000000000,NOW()),1) FRFROMOM infoorrmation_schema.tables WHERE TABLE_NAME LIKE 'k%'))#

Roughly speaking, if there is not a single line satisfying the condition, the site opens slowly, if there is, then quickly. Slow speed of work is provided by the BENCHMARK function 10000000000 times repeating a typical operation.

At first, LIKE refused to search in the direction of SUBSTR (TABLE_NAME, 1,1)> 'a'. It was a long time to sort through one letter, so it was possible to set a range. (Note. It was possible to implement a script that automates these actions) After selecting the first few letters of the table name, I remembered the existence of the REGEXP () function, with which you can set the search with regular expressions, the selection of letters became much easier. I found similar actions, in addition to the name of the table with the flag, the name of the field with the flag and the flag itself, I had to sort out about 25 characters in total by manual binary search.
The found key was the word 'elpirata', which was not suitable as an answer to the task. But setting the key variable with this word in the COOKIE made it possible to get the key from the task.

14.04 02:00
After not the first coffee mug, the team solved the exploit search problem in the PDF file, spent more than one hour finding the key in the wav file (which was on the edge of the signal spectrum), deciphered this gif:

Which under certain conditions, the signal flags transmitted a message containing the key to the task.
In one of the tasks, which contains a lot of text in a 35 MB graphic JPEG file, they saw a fountain.
14.04 05:00
In the same task, they saw a palm tree, they understood that it was time to go to sleep ...
This is the task ...

14.04 11:00
They came to the university and started working on previously unfinished tasks.
14.04 15:00
We received an interesting task from the area of ​​WEB 400 level. To search for vulnerabilities, a couple of sites were prepared.

On the first server was a site dedicated to treasure, the second contained a web studio site. Blind SQL-injection was discovered by enumeration of input parameters, in which it was impossible to use the UNION command. By a random search of known words, the user table was found, with the fields id and user containing 1 record.

Unlike the previous assignment, the REGEXP function did not work, and we developed a script that goes through the letters in LIKE.
Final query to the database:
0 OR (SELECT user from user where user like 'adm%') LIKE '%'
Instead of the word adm in the request above, the script substituted various combinations of letters; in the case of finding a user starting with a given combination, the content was displayed on the page.
Having found the user were slightly surprised. Nick turned out to be postgres. It was logical to assume that PostgresSQL was used.
Reading the documentation for this DBMS helped us find the table replacing the table in information_schema in mysql, and with its help the field name of the user table containing the password. This password was stored in md5, after decryption, 16 character postgrespostgres were obtained. This login did not fit the site admin panel, which put it in a stupor. The DB control panel on the remote server was not found, access from the outside was closed. It was quite insulting to have a login from the database, but the impossibility of connecting to it.

They began to pick up the names of the tables and found the administrators table, which already contains the login from the site admin panel. In the admin panel we were waiting for the source code of a couple of pages of the site, access to which was necessary to get. On these pages, it was possible to read the function fread files specified in _GET if you know the address to them. There was a hidden link to the folder open for listing from the browser and not containing files.

Touched and looked through all the standard configuration folders for unix systems, tried to access .bash_history and access_log, but to no avail. Fortunately, they soon found the .htaccess file in a hidden folder. It was a rule to prohibit the display of the file with the flag in the listing directory. Loading hidden files displayed encrypted javascript code. They began to get upset that the task would be delayed, but after a minute an alert was run on the page containing the flag from the task.
All the task took 5 hours.

Having seen the task with basic authorization in web500 at the entrance to the site, we decided to postpone it.


On this day, the other team members solved interesting problems, incl. on administration with elevation of privileges, one of the tasks on cryptography and an interesting task about torrents. In each downloaded torrent, it was recursively suggested to download other torrents, after assembling all the parts, an image of Slax was obtained, it contained a key.

4.04 p.m.
Our team was in the lead, tired gone home. We decided to have a good sleep, although overnight someone did perform a number of tasks.

04/15 11:00
On the last day, only two tasks of level 5 were solved, for which the most points were given.
Both tasks were interesting, so I would like to talk about them in detail.

The web500 task, postponed yesterday, succumbed. It is noted that if you send POST data to the index.php file, the page is given.



Intuition said it just would not. There are no common vulnerabilities. The unopened picture turned out to be base64 encoded by the png of a smiling troll-face pirate. A search for similar images gave a picture of identical canvas size, but of a different size on the disk. Search for hidden information in the file did not give a result.
A little desperate, I inserted the address /index.php.bak into the address bar and got the source page code , which was rather frustrating because it was well-obfuscated.

The eyes are afraid, and the hands are doing ... Deciphered.

  function __autoload($classname) { $classpath = './inc/class/'.$classname.'.php'; if(file_exists($classpath)) include $classpath; } require_once('inc/config.php'); echo '<!DOCTYPE html><center><form method="POST"><input name="login" type="text"><input name="password" type="text"><br><input type="submit"></form></center>'; if(isset($_POST['login'],$_POST['password'])) { // TODO echo underconstruction(); } elseif(isset($_COOKIE['auth'])) { $auth = unserialize((string)$_COOKIE['auth']); if(isset($auth['login'],$auth['password'],$auth['name']) and ($auth['login'] === 'pirate') and ($auth['password'] === 'pirate1')) { echo ", {$auth['name']}!"; } else { echo "<center>  , !</center>"; } } 

The attentive reader will notice the vulnerable bunch of the string echo "Hello, {$ auth ['name']}!"; and __autoload

Soon a script was written that prepared the data to be stored in a cookie, after which unserialize the object of an unknown class was in the $ auth ['name'] variable. This caused the autoload function, and the execution of a php-injection vulnerability.

 $value=new arrayObject(); $value->offsetSet('login','pirate'); $value->offsetSet('password','pirate1'); $value->offsetSet('name',new index); $value=serialize($value); echo 'auth='.urlencode($value).';'; 

Loading the index file returned a list of files in the folder. Soon the source codes for other files with project classes were obtained.

I was pleased and gave strength to the Flag class, who said that there was still a little bit left.

 <?php class Flag { public static $flag = "FLAG"; public function getFlags() { return array(self::$flag); } } ?> 

The study of other classes revealed more vulnerabilities.
In particular, it turned out that the textbox class contains the function

  function __toString() { return $this->obj->printObj(); } 

Object contains a function

  public function printObj() { return serialize($this); } 

User contains a function

  public function __sleep() { return $this->login->{$this->password}(); } 

As a result, for the transfer to the script, a construction was made, which returned the key. (Note. In fact, the user class found an error in the name of the function __contuct () and did not work before the correction;)

 $value->offsetSet('name',new Textbox(new Object(new User(new Flag,'getFlags')))); 

All the task took 7 hours.

In parallel to us, another part of the team found a solution to the original task Joy500.
The script selected random girls from the site vk.com. Team members had to ask them to register on the site designed for the competition.
It seems to be nothing complicated

Look at the site you want to lure, we see the window:

Then this:

And the site itself:

An ominous music is playing in the background, you need to wait 333 seconds before registering. All this time, modal windows are coming out. In general, satanic saytik) It was not so easy to persuade unfamiliar girls to register.

This concludes the story of the VolgaCTF. Our team won by a good margin, got a lot of experience, got a ticket to Samara for an in-person summer tour. And we spread admins for cool T-shirts.
Team photo in response to Joy200.