Monday, December 4, 2017


A few days ago we received an invitation to BlitzCTF001, a very short and fast cybersecurity CTF. The challenges in this CTF cover: Crypto (Encoding), SQLi, Broken Access Control, Session Manipulation and Steganography.

In our opinion the challenges are interesting and entertaining, especially for learning about web application security, so we decided to share the solutions (just in case you got stuck on some level). We hope you like them and enjoy them as much as we did.


Level 01

After signing in to your account, the first screen looks like a standard GNU/Linux shell. After trying some basic commands we see that there are 2 files, README and challenge1.txt; the figure below shows the content of both.


Figure 1. Content of "README" and "challenge1.txt" files

The content of challenge1.txt looks like a hex-encoded string, but before trying to decode it we check the source code of the "shell" for hints. At this point we realize that it is nothing like a real shell: the source has a hard-coded print statement for each command, and there are only 17 cases for the available commands.

Figure 2. Source code of the "Shell"; here we can see the print statements for each command

Knowing this, we can assume that this "shell" cannot accept our flag because of its obvious limitations, so the flag has to be another URL, probably encoded in the hex string. Let's convert it to plain text.

Initial hex-encoded string:
3364203435203664203561203638203465203534203464203330203535203537203561203737203539203537203466203638203331203639203539203739203431203434203466203734203633203534203561203738203435203534203463203331203535203664203539203662203331203433203464203739203539203434203464203332203435203664203464203330203338203433203634203663203461203333203539203663203465203333203463203734203339203332203539203735203535203661203465203761203539203437203634203661203335203639203635203330203663203437203632203639203339203739203463203336203431203438203634203330203638203437203439203736203532203438203439203736203634203435203439203638203464203438203634203638203461203333203561203735203339203332203531

We are going to use echo and xxd with a pipe in a bash shell to get the result:

Figure 3. Decoding the initial hex-encoded string

The result of decoding the hex string is another hex string, so we repeat the same process:

The result (another hex-encoded string):
3d456d5a684e544d3055575a7759574f683169597941444f7463545a7845544c31556d596b31434d7959444d32456d4d303843646c4a33596c4e334c7439325975556a4e7a5947646a356965306c47626939794c36414864306847497652484976644549684d4864684a335a75393251

Figure 4. Decoding the 2nd hex-encoded string

Now we get something that looks like a Base64-encoded string, but if we try to decode it right now we get an invalid result, because it is reversed, so let's flip it around. For this part of the solution we are going to use Python to reverse the string and decode it with the base64 module.

The string that appears to be a Base64 encoded string:
=EmZhNTM0UWZwYWOh1iYyADOtcTZxETL1UmYk1CMyYDM2EmM08CdlJ3YlN3Lt92YuUjNzYGdj5ie0lGbi9yL6AHd0hGIvRHIvdEIhMHdhJ3Zu92Q

Figure 5. Reversing the last string and decoding it
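The three-layer decode (hex, hex again, reversed Base64) as an added Python example that is not part of the original writeup: it generalizes the steps above into a loop that peels hex and optionally reversed Base64 layers until plain text remains. STAGE2_HEX is the second hex string from this page (used as the starting point so the line stays readable); the function names are this example's own.

```python
import base64
import re
import string

# Second hex string copied from the writeup above (the first xxd pass, spaces removed).
STAGE2_HEX = "3d456d5a684e544d3055575a7759574f683169597941444f7463545a7845544c31556d596b31434d7959444d32456d4d303843646c4a33596c4e334c7439325975556a4e7a5947646a356965306c47626939794c36414864306847497652484976644549684d4864684a335a75393251"
PRINTABLE = set(string.printable)

def looks_like_hex(s):
    """Even-length run of hex digits; whitespace between bytes is tolerated."""
    compact = "".join(s.split())
    return len(compact) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", compact) is not None

def try_base64(s):
    """Try s as-is, then reversed (the Level 01 twist). Return (text, was_reversed)
    for the first candidate that is valid base64 and decodes to printable ASCII."""
    for flipped in (False, True):
        candidate = s[::-1] if flipped else s
        try:
            text = base64.b64decode(candidate, validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            continue
        if text and all(c in PRINTABLE for c in text):
            return text, flipped
    return None

def peel(blob, max_layers=8):
    """Strip hex and (possibly reversed) base64 layers until plain text remains.
    Returns (text, layers); layers lists the encodings removed, outermost first.
    Caveat: hex is tried first, so base64 made only of hex digits would be misread."""
    current, layers = blob.strip(), []
    for _ in range(max_layers):
        if looks_like_hex(current):
            try:
                current = bytes.fromhex(current).decode("ascii")
            except ValueError:  # non-ASCII bytes: not another text layer
                break
            layers.append("hex")
            continue
        result = try_base64(current)
        if result is None:
            break
        current, flipped = result
        layers.append("base64-reversed" if flipped else "base64")
    return current, layers

if __name__ == "__main__":
    text, layers = peel(STAGE2_HEX)
    print(" -> ".join(layers), "->", text)
```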

Finally! We got the flag. It is a secret URL, so let's open it to confirm our success:
http://blitz.ctf365.com/secret/42a60620-dbe5-11e7-802b-a9f0ee413afa

Figure 6. Success on Level 01

Yaaay! Now let's continue by pressing the "next challenge >" button.

Level 02

The 2nd level greets us with a login form. After checking the source code we found nothing, so let's try one of the most common vulnerabilities in web apps (from the OWASP Top 10): SQL Injection.

Figure 7. Login form for the 2nd level; let's try SQLi attacks

Figure 8. Source code of Level 02 login page

After some attempts with various combinations we bypassed the login form: we just have to set both the username and the password to an expression that always evaluates to true, like " OR 1=1#, and we're done with this level.

Figure 9. Correct combination for bypassing the Login form

Figure 10. Success on Level 02
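The Level 02 bypass seen from the defender's side, as an added example (not code from the CTF or this writeup): the vulnerable query-building pattern that lets " OR 1=1# become SQL syntax, next to the parameterized query that treats the same input as data. The users table is constructed in memory with sqlite3; since sqlite does not use '#' as a comment marker, the vulnerable query is only built as text rather than executed.

```python
import sqlite3

# The payload from the writeup; both form fields were set to it.
PAYLOAD = '" OR 1=1#'

def make_db():
    """Constructed in-memory users table so the example runs offline
    (plaintext password only to keep the example short)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db

def build_query_vulnerable(username, password):
    """The pattern that makes the Level 02 bypass work: input pasted into the SQL text.
    With the payload, the first quote closes the literal, OR 1=1 makes the WHERE clause
    true for every row, and '#' (a MySQL comment marker) discards the rest of the
    statement. Only the text is returned here; sqlite does not treat '#' as a comment."""
    return 'SELECT username FROM users WHERE username = "%s" AND password = "%s"' % (
        username, password)

def login_safe(db, username, password):
    """Hardened form: placeholders bind the input as data, so the quote and the
    comment marker are just characters compared against the stored columns."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    print(build_query_vulnerable(PAYLOAD, PAYLOAD))
    db = make_db()
    print(login_safe(db, PAYLOAD, PAYLOAD))          # None: no bypass
    print(login_safe(db, "alice", "correct horse"))  # alice
```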

Level 03

The 3rd level greets us with a message that says: "You’re not authorized to access this page. Are you an admin?". There is no login form to fill in, so we can assume that this level is about cookie manipulation; let's have a look at our cookies.

Figure 11. Checking the cookies and their values

As we can see, the value of userRole is just "user", so let's change it to "admin" in order to become administrators, and then refresh the page!!

Figure 12. Success on Level 03
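Why the Level 03 check fails and one way to harden it, as an added example (not the CTF's code): the unsigned check trusts the client-supplied userRole cookie as-is, while the signed variant attaches an HMAC-SHA256 tag that an edited value no longer verifies against. SECRET is a constructed server-side value assumed for this example.

```python
import hashlib
import hmac

# Constructed server-side secret for this example; it never leaves the server.
SECRET = b"example-only-server-secret"

def is_admin_unsigned(cookies):
    """The Level 03 check as observed: the client-supplied userRole value is trusted
    as-is, so editing the cookie from "user" to "admin" is enough."""
    return cookies.get("userRole") == "admin"

def issue_role_cookie(role):
    """Hardened form: append an HMAC-SHA256 tag so any edit to the role is detectable."""
    tag = hmac.new(SECRET, role.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{role}.{tag}"

def verified_role(cookie):
    """Return the role only if its tag verifies; None for a missing or tampered cookie."""
    if not cookie or "." not in cookie:
        return None
    role, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET, role.encode("utf-8"), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatching byte
    if hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return role
    return None

def is_admin_signed(cookies):
    """Authorization decision based on the verified value, not the raw cookie."""
    return verified_role(cookies.get("userRole")) == "admin"

if __name__ == "__main__":
    cookie = issue_role_cookie("user")
    tampered = "admin." + cookie.split(".", 1)[1]   # edited in the browser, tag left as-is
    print(is_admin_unsigned({"userRole": "admin"}))  # True: the Level 03 bypass
    print(is_admin_signed({"userRole": tampered}))   # False: tag no longer matches
```

Keeping the role in a server-side session store keyed by an opaque session id is stronger still, since the role then never leaves the server; the signed cookie at least makes silent edits detectable.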

Level 04

The 4th and last level starts with a form where you're supposed to enter the flag. There are some messages, but they are not related to the solution, so let's check the source code.

Figure 13. The welcome page for the Level 04

Figure 14. Source code of Level 04 main page

We found nothing here, but wait: there is a strange message that says "Nothing here. Check in the back". What is "the back" exactly? Maybe it refers to the background image. We had noticed that the background image on Level 02 was really heavy, but at that moment we didn't pay attention to it, so maybe it is related to this level. Let's have a look at the CSS code.

Figure 15. The image to be downloaded is highlighted in the CSS code

Now we download the image using wget. At this point we can see the actual size of the image (1.3 MB), pretty big for a simple background, so we are going to check whether the file has hidden strings embedded in it; this can be done with the strings command.

Figure 16. Downloading the image with wget and checking its size


Figure 17. Getting hidden strings from the background image with the strings command (Steganography)

All we have to do is copy that flag and enter it on the main page of Level 04.

Figure 18. Entering the flag into the Level 04 main page

And, as we can see, it was correct: we have finished Blitz CTF 001 [CTF365]!! =D

Figure 19. Success on Level 04

This was a nice CTF and we really had fun solving it; it was just a bit short. It is also worth noting that the instructions were a pretty good hidden clue in their own way, because they listed the types of challenges and that list matches the order of the levels almost perfectly.
A collection of easy challenges that covers:
1. Crypto,
2. SQLi,
3. Broken Access Control,
4. Cookie Manipulation and
5. Stegano.
Thanks to the organizers of this game; we hope there will be a next release of Blitz CTF soon.
