
Securitybyte CTF walkthrough

August 28

SecurityByte (http://securitybyte.org) is India's largest hacking conference, held in Bangalore. To make the event more interesting, the organisers also run capture the flag events (web and Wi-Fi hacking challenges). More details about the events and the rules are available at http://securitybyte.org/#!/events.

This year's web CTF is powered by NII Consulting. To qualify for the main CTF event, you have to solve a pre-challenge that is open to remote users. The goal of the pre-challenge is to read the flag in the file flag-ctf.txt, starting from http://ctf.securitybyte.org/ctf-2011/index.html. The pre-challenge is well crafted and teaches a lot. I solved it in about 3 hours with the help of my friend kc. I am writing this walkthrough to show the thought process we followed throughout the challenge and as a resource for people who are learning application security.

Let's begin the hack.

When I opened the site, the first thing that caught my eye was that every image on the website carries a logo saying "Removable logo". This made me think of steganography, and I suspected that clues were hidden in the images. I ran a couple of image steganography tools against them to check whether any information had been embedded. I learned a lot about steganography, but found no clues for this challenge.

Next I moved to the contacts page and clicked the buttons. Although the buttons have no label, clicking them showed contact.phps in the URL and returned a "Page not found" message (.phps is the extension Apache conventionally serves as syntax-highlighted PHP source, which is why it looked like a hint). The source of the contacts page contained an interesting comment: <!-- Do you see something wrong here... -->. This comment led us to try different variations of the contact page name, such as contact.php, contacts.php and contacts.phps. In the end none of them worked.

We then looked for a robots.txt file and observed a couple of interesting entries.

http://ctf.securitybyte.org/ctf-2011/robots.txt

Allow: /
Disallow: /inbox
Disallow: /login
Disallow: /popular
Disallow: /recent
Disallow: /settings
Disallow: /uploads

Browsing to the /login/ directory displayed a login page, which turned out to be vulnerable to SQL injection. We logged in on the first attempt with admin as the username and ' or 1=1-- as the password: the quote closes the password string, or 1=1 makes the WHERE clause always true, and -- comments out the rest of the query. Hurray, we have the admin welcome page. It has a textbox where you enter an IP address and get a traceroute back. The value is passed straight to a shell, so a pipe (|) ends the traceroute command and runs whatever we append after it.

127.0.0.1|pwd
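The two server-side mistakes exploited above, reconstructed as an added example; this is not the challenge's code (which we never saw) and not NII Consulting's. It assumes a users table with username and password columns, and it uses echo as a stand-in for the traceroute binary so it runs anywhere. Each vulnerable function is shown beside its fixed form: bound parameters for the query, and an IP address parse plus an argument list (no shell) for the command.

```python
import ipaddress
import sqlite3
import subprocess


def make_db():
    """Constructed sample data: an in-memory users table standing in for
    whatever backed the CTF's /login page (assumed schema, not the real one)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    return db


def login_vulnerable(db, username, password):
    """Builds the statement by string concatenation, so a quote in the input
    becomes SQL. With password "' or 1=1--" the WHERE clause reads
    username='admin' AND password='' OR 1=1 -- '  and every row matches.
    Returns the matched username or None."""
    query = ("SELECT username FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Same lookup with bound parameters: the input is data, never SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


def traceroute_vulnerable(target):
    """Interpolates the target into a shell command line, so '|' ends the
    first command and starts a second one the attacker controls.
    (echo replaces the real traceroute; assumption for portability.)"""
    result = subprocess.run("echo traceroute " + target, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def traceroute_fixed(target):
    """Parses the input as an IP address first (ValueError on anything
    else), then passes it as one argv element with no shell in between."""
    ip = ipaddress.ip_address(target)
    result = subprocess.run(["echo", "traceroute", str(ip)],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, "admin", "' or 1=1--"))
    print("fixed login:     ", login_fixed(db, "admin", "' or 1=1--"))
    print("vulnerable trace:", traceroute_vulnerable("127.0.0.1|echo INJECTED").strip())
    print("fixed trace:     ", traceroute_fixed("127.0.0.1").strip())
    try:
        traceroute_fixed("127.0.0.1|echo INJECTED")
    except ValueError as err:
        print("fixed trace rejected input:", err)
```

The fix for the command injection is the parse step as much as the argument list: passing the raw string as a single argv element would stop the pipe trick, but a hostname-accepting tool could still be pointed at arbitrary targets, so validating that the input really is an IP address is what the page's traceroute box should have done.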

We used ls to list the files in the challenge's directory (ctf-2011).

|ls /usr/local/www/apache22/data/ctf-2011/

The first file in the listing was named ReadTheFlag. It looked like we almost had the solution, so we used cat to read its contents.

|cat /usr/local/www/apache22/data/ctf-2011/ReadTheFlag

Oops. It displayed some junk data (the file is a binary, not text) along with an error message saying it had failed while decrypting the contents of flag-ctf.txt. At that point we really did not know how to decrypt the file. After some brainstorming and a few searches, we noticed the string r34dm3 in the error message; it looked interesting because it was prepended to /root/flag-ctf.txt there, which suggested it was the argument the binary expected.

|/usr/local/www/apache22/data/ctf-2011/ReadTheFlag r34dm3

Our guess worked. The command above displayed the decrypted contents of flag-ctf.txt. We ran it a couple more times and found that it displayed a different value each time.

The value displayed on the screen is ASCII hex encoded.

Tango down! We decoded the flag and submitted it to the challenge. Game over!

Thanks to the securitybyte team for arranging an awesome challenge.


Posted on August 28, 2011 in capture the flag events


3 responses to "Securitybyte CTF walkthrough"

  1. Carlo Laulu

    October 11, 2011 at 10:34 am

    I will right away grab your RSS feed as I cannot find your email subscription link or newsletter service. Do you have any? Please let me know so that I can subscribe. Thanks.

    • Satish B

      October 12, 2011 at 11:07 pm

      Thanks for the suggestion dude. I have provided email subscriptions now.
