
[NeoQuest2017] Planet 6, or "Too much of everything..."

They say you shouldn't wave your fists once the fight is over. But the first CTF of my life, NeoQuest2017, showed me that paper information security differs quite a lot from the practical kind, and that you can't just pick the flags straight off. Although, as it turned out, I did come quite close to the flag.

So:

"TOO MUCH OF EVERYTHING..."
This planet resembles the tropics... An incredible amount of diverse flora and fauna! Our backpacks are filled and filled again with samples, and the observation journals with descriptions, yet we have only just started exploring the planet! Looking around, we realized it would be much more efficient to record all the information remotely, straight into the logbook. The only problem is that the data transfer is very slow, so you need to prioritize correctly.

We try to open the logbook via the link and get:
This page is under construction

We reread the task text once more and notice the hint:
The only problem is that the data transfer is very slow, so you need to prioritize correctly.

I wasted the first half of the day thinking it was about the HTTP request header fields: Accept-Charset, Accept-Encoding, Accept-Language, Accept, and so on. It turned out it wasn't.

Further searching showed that the server supports HTTP/2. And one of its advertised innovations is request prioritization.

We look for something that lets us change the priority, and find nghttp.

We try
root@kali:~# nghttp -p 3 -v 213.170.100.212
[0.055] Connected
The negotiated protocol: h2
[0.166] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
(niv=2)
[SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]
[0.167] send PRIORITY frame <length=5, flags=0x00, stream_id=3>
(dep_stream_id=0, weight=201, exclusive=0)
[0.167] send PRIORITY frame <length=5, flags=0x00, stream_id=5>
(dep_stream_id=0, weight=101, exclusive=0)
[0.168] send PRIORITY frame <length=5, flags=0x00, stream_id=7>
(dep_stream_id=0, weight=1, exclusive=0)
[0.168] send PRIORITY frame <length=5, flags=0x00, stream_id=9>
(dep_stream_id=7, weight=1, exclusive=0)
[0.169] send PRIORITY frame <length=5, flags=0x00, stream_id=11>
(dep_stream_id=3, weight=1, exclusive=0)
[0.169] send HEADERS frame <length=38, flags=0x25, stream_id=13>
; END_STREAM | END_HEADERS | PRIORITY
(padlen=0, dep_stream_id=11, weight=3, exclusive=0)
; Open new stream
:method: GET
:path: /
:scheme: https
:authority: 213.170.100.212
accept: */*
accept-encoding: gzip, deflate
user-agent: nghttp2/1.18.1
[0.232] recv SETTINGS frame <length=18, flags=0x00, stream_id=0>
(niv=3)
[SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[SETTINGS_INITIAL_WINDOW_SIZE(0x04):65536]
[SETTINGS_MAX_FRAME_SIZE(0x05):16384]
[0.233] recv WINDOW_UPDATE frame <length=4, flags=0x00, stream_id=0>
(window_size_increment=196605)
[0.233] recv SETTINGS frame <length=0, flags=0x01, stream_id=0>
; ACK
(niv=0)
[0.233] recv (stream_id=13) :status: 200
[0.234] recv (stream_id=13) etag: "21-58a4a130-a2bf2"
[0.234] recv (stream_id=13) last-modified: Wed, 15 Feb 2017 18:42:56 GMT
[0.234] recv (stream_id=13) content-type: text/html
[0.234] recv (stream_id=13) content-length: 33
[0.234] recv (stream_id=13) accept-ranges: bytes
[0.235] recv (stream_id=13) date: Mon, 20 Mar 2017 12:01:24 GMT
[0.235] recv (stream_id=13) server: NQ-webserver
[0.235] recv HEADERS frame <length=96, flags=0x04, stream_id=13>
; END_HEADERS
(padlen=0)
; First response header
This page is under construction
[0.236] recv DATA frame <length=33, flags=0x00, stream_id=13>
[0.236] recv DATA frame <length=0, flags=0x01, stream_id=13>
; END_STREAM
[0.236] send GOAWAY frame <length=8, flags=0x00, stream_id=0>
(last_stream_id=0, error_code=NO_ERROR(0x00), opaque_data(0)=[])


And this is where my enthusiasm ran dry. At that moment nobody had captured this flag yet. Having poked a couple of different priority values at random without hitting the right one, I decided I had chosen the wrong path again and moved on to the next task.
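The PRIORITY frames in the session above carry a 31-bit stream dependency plus a one-byte weight, and the weight is sent on the wire as weight minus one, so the byte values 0..255 stand for weights 1..256 (RFC 7540, section 6.3). The encoder/decoder below is an added example, not code from the original post or from nghttp; the sample frames are constructed here to mirror the -p 3 session, and the 33-byte header block is a zero placeholder rather than real HPACK. It also shows the second place priority information can live: inside a HEADERS frame that sets the PRIORITY flag, as the stream 13 request does.

```python
"""Encode and decode HTTP/2 priority information (RFC 7540, sections 4.1, 6.2, 6.3)."""
import struct

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_PRIORITY = 0x2
FLAG_END_STREAM = 0x01
FLAG_END_HEADERS = 0x04
FLAG_PADDED = 0x08
FLAG_PRIORITY = 0x20
MAX_STREAM_ID = 0x7FFFFFFF


def encode_priority_payload(dep_stream_id, weight, exclusive=False):
    """5 bytes: E bit + 31-bit dependency, then weight-1 in one byte.
    Weights are 1..256 on the wire, which is why a full search needs 256 tries."""
    if not 1 <= weight <= 256:
        raise ValueError("weight must be in 1..256")
    if not 0 <= dep_stream_id <= MAX_STREAM_ID:
        raise ValueError("dependency must be a 31-bit stream id")
    word = (int(exclusive) << 31) | dep_stream_id
    return struct.pack(">IB", word, weight - 1)


def decode_priority_payload(block):
    if len(block) != 5:
        raise ValueError("priority block is exactly 5 bytes")
    word, raw_weight = struct.unpack(">IB", block)
    return {"exclusive": bool(word >> 31),
            "dep_stream_id": word & MAX_STREAM_ID,
            "weight": raw_weight + 1}


def encode_frame(ftype, flags, stream_id, payload):
    """9-byte header: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload exceeds the 24-bit length field")
    if not 0 <= stream_id <= MAX_STREAM_ID:
        raise ValueError("stream id must fit in 31 bits")
    header = len(payload).to_bytes(3, "big") + struct.pack(">BBI", ftype, flags, stream_id)
    return header + payload


def priority_frame(stream_id, dep_stream_id, weight, exclusive=False):
    """A standalone PRIORITY frame like the ones nghttp sends before its request."""
    if stream_id == 0:
        raise ValueError("PRIORITY frames are not allowed on stream 0")
    return encode_frame(TYPE_PRIORITY, 0, stream_id,
                        encode_priority_payload(dep_stream_id, weight, exclusive))


def decode_frames(data):
    """Split a byte string into frames and extract priority info from PRIORITY
    frames and from HEADERS frames carrying the PRIORITY flag (after any padding byte)."""
    frames, pos = [], 0
    while pos < len(data):
        if len(data) - pos < FRAME_HEADER_LEN:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags, sid = struct.unpack(">BBI", data[pos + 3:pos + 9])
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        pos += FRAME_HEADER_LEN + length
        frame = {"type": ftype, "flags": flags, "stream_id": sid & MAX_STREAM_ID, "length": length}
        if ftype == TYPE_PRIORITY:
            frame["priority"] = decode_priority_payload(payload)
        elif ftype == TYPE_HEADERS:
            body = payload
            if flags & FLAG_PADDED:
                if not body or body[0] >= len(body):
                    raise ValueError("pad length exceeds payload")
                body = body[1:len(body) - body[0]]
            if flags & FLAG_PRIORITY:
                if len(body) < 5:
                    raise ValueError("HEADERS with PRIORITY flag lacks priority block")
                frame["priority"] = decode_priority_payload(body[:5])
                body = body[5:]
            frame["header_block_len"] = len(body)
        frames.append(frame)
    return frames


# Constructed sample modelled on the nghttp -p 3 session above: five PRIORITY frames
# building the dependency tree, then a HEADERS frame (END_STREAM|END_HEADERS|PRIORITY
# = 0x25) on stream 13 depending on stream 11 with weight 3. The 33-byte header
# block is a placeholder, not real HPACK.
SAMPLE = b"".join([
    priority_frame(3, 0, 201),
    priority_frame(5, 0, 101),
    priority_frame(7, 0, 1),
    priority_frame(9, 7, 1),
    priority_frame(11, 3, 1),
    encode_frame(TYPE_HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS | FLAG_PRIORITY, 13,
                 encode_priority_payload(11, 3) + b"\x00" * 33),
])


def weights_by_stream(data=SAMPLE):
    """Map stream id -> (dependency, weight) for every frame that carries priority info."""
    return {f["stream_id"]: (f["priority"]["dep_stream_id"], f["priority"]["weight"])
            for f in decode_frames(data) if "priority" in f}


if __name__ == "__main__":
    for sid, (dep, w) in weights_by_stream().items():
        print(f"stream {sid}: depends on {dep}, weight {w}")
```

Running the block prints the same dependency tree the verbose nghttp output shows; the weight byte 0xC8 (200) on stream 3 is what nghttp reports as weight=201, which is the off-by-one to keep in mind when reasoning about which values a server might treat specially.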

As it turned out, it was necessary to go through all the possible values:

#!/bin/bash
# Try every HTTP/2 priority weight (1..256) against the task server
i=0
until [ "$i" -eq 256 ]
do
    let "i=i+1"
    nghttp -p "$i" https://213.170.100.212/
done
exit 0

We get:
root@kali:~# ./123
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
BB
14
7E
F9
2D
66
4D
52
18
14
0A
16
AD
3F
C5
03
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction

We enter the flag we got on the site and see:
Key accepted (quest timed out)

Well, this time I clearly didn't have enough perseverance. But the spirit of CTF has captured me. Many thanks to the organizers for a great quest. I'm really looking forward to the next one, and I hope to do better.

Source: https://habr.com/ru/post/324360/
