[CTF(x) 2016 : WEB] Harambehub – 100 pts Writeup


Challenge description:
This website was created in honor of harambe: http://problems.ctfx.io:7003
Problem author: omegablitz

This challenge was the second in the Web category, and it actually was the first time I’ve ever seen something like that. We are given a URL, which returns an empty page, and two source files written in Java for the Spark framework. Make sure you read the given source files before you continue.

The main file, HarambeHub.java, contains two methods which are actually get() and post() routes to two different pages, as you can see below:

Reading both source files, we understand that the application can create a new account and retrieve the real_name of a user if you know its username and password.

Let’s try to register a new user, using a simple PowerShell snippet:

We get “OK: Your username is “[Member] Megabeets””. As you can see, the text “[Member] ” has been prepended to the username we supplied. By reading the function that handles the registration process, we understand that we can register a user with that name again and again: executing the exact same code returns the exact same answer, “OK: Your username is “[Member] Megabeets””. Let’s try this again, but this time with “[Member] Megabeets” as the username. Now we end up with an error saying: “FAILED: User with that name already exists!”.

Let’s take a look at the code that checks if a given username already exists:

As you can see, the code compares the two strings to check whether the username exists, but it uses String.matches() instead of String.equals(). String.matches() checks whether the whole string matches a regular expression pattern, so the caller-supplied username is interpreted as a regex. Keep this in mind; it’s the key to solving the challenge. If false is returned, the code creates a new User with the username “[Member] <username>”, just as we’ve seen before.

But what happens if we try to register a user with a regular expression as its desired username? Does it say that the username already exists? Let’s play with it a little and see what we get when sending “.*” as the username (“.*” is the regex pattern that matches anything).

As expected, we received the error: “FAILED: User with that name already exists!”.

Now let’s take a look at the function that retrieves the real_name of a given username.

This function also uses String.matches(), this time to compare the given password with the user’s password. Let’s see it in action:

We get: “Itay Cohen”.

Good. Now we’ll send the same request, but this time with a wildcard as the password.

We again get: “Itay Cohen”.

Let’s sum up what we have understood until now:

  1. We can get the real_name of any user if we know its username.
  2. We can find out whether a username already exists by using regular expressions.
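
To make both checks concrete, here is an added Python model (not the challenge's Java source) of the two routes, with the vulnerable String.matches() comparison beside an equality-based fix. It assumes re.fullmatch as the stand-in for Java's matches(), a constructed user store whose admin entry and passwords are placeholders, and that the real_name route looks the username up exactly.

```python
import hmac
import re

# Constructed in-memory user store standing in for the challenge's; the
# admin entry and every password here are placeholders, not the real ones.
USERS = {
    "[Member] Megabeets": {"password": "hunter2", "real_name": "Itay Cohen"},
    "[Admin] harambe": {"password": "flag{placeholder}", "real_name": "Harambe"},
}

def _java_matches(value, pattern):
    """Stand-in for Java's value.matches(pattern): the caller-supplied string is
    a regex and must match the whole value. Java throws on a malformed pattern;
    here that is reported as 'no match' so the surrounding flow stays simple."""
    try:
        return re.fullmatch(pattern, value) is not None
    except re.error:
        return False

def user_exists_vulnerable(username):
    """The bug: '.*' matches every user, and an escaped prefix such as
    '\\[Admin\\].*' becomes an existence oracle (the brackets are regex
    metacharacters, so a literal prefix has to be escaped to probe it)."""
    return any(_java_matches(existing, username) for existing in USERS)

def user_exists_fixed(username):
    """Hardened: the name is data, so compare with equality only."""
    return username in USERS

def register(username, exists):
    """Registration as the writeup describes it, parameterised by the check used."""
    if exists(username):
        return "FAILED: User with that name already exists!"
    member = "[Member] " + username
    USERS.setdefault(member, {"password": "", "real_name": ""})
    return f'OK: Your username is "{member}"'

def get_real_name_vulnerable(username, password):
    """Password compared with matches(): '.*' is accepted for any account."""
    user = USERS.get(username)
    return user["real_name"] if user and _java_matches(user["password"], password) else None

def get_real_name_fixed(username, password):
    """Hardened: constant-time equality instead of a pattern match."""
    user = USERS.get(username)
    ok = user and hmac.compare_digest(user["password"].encode(), password.encode())
    return user["real_name"] if ok else None
```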

That means we need to run through all the possible usernames until we find the user whose password is the flag. My gut feeling tells me the username will probably start with “[Admin]”.

I’ll do a simple test to check whether a user whose name begins with “[Admin]” indeed exists. If so, only the developer could have added a user with such a username, because every registered username is prefixed with “[Member] ”.

“FAILED: User with that name already exists!”.

I wrote a simple script to automate the process. May the bruteforce be with us.


It seems like we’ve found the username. Let’s get its real_name:

And we got the flag:


Eat Veggies.

Harambe the Gorilla was a 17-year-old Western lowland silverback gorilla who was shot and killed at the Cincinnati Zoo after a child fell into his enclosure in late May 2016. The incident was wildly criticized online by many who blamed the child’s parents for the gorilla’s untimely death.

RIP Harambe.

XOR Files With Powershell


Today I’m sharing with you one of the simplest and most effective tools in my forensics toolbox: a small script, written in PowerShell, that performs a logical exclusive OR (XOR) on two files and saves the result in the destination file. I have used this tool several times, for example to recover data from a broken RAID 5 or to deobfuscate an obfuscated binary or image. The usage is very simple and intuitive.
You can find the full code and examples in the repository.

Have fun!


Click here for the Python version.