[TWCTF-2016: Web] Global Page Writeup

Standard

Challenge description: 
Welcome to TokyoWesterns’ CTF!


As I entered the challenge I faced a three items list – two links and a strikethrough word:.

I clicked the tokyo link, which was actually a GET request with a parameter named page in index.php. In response I got a page with PHP error and information from Wikipedia about Tokyo, printed in Hebrew – my mother tongue.

Warning: include(tokyo/en-US.php): failed to open stream: No such file or directory in /var/www/globalpage/index.php on line 41
Warning: include(): Failed opening ‘tokyo/en-US.php’ for inclusion (include_path=’.:/usr/share/php:/usr/share/pear’) in /var/www/globalpage/index.php on line 41

First thing to come in mind is a LFI attack, but before making any reckless time-wasting moves, let’s first figure it all out. The page uses include() to, well, include the page “en-US.php” from folder named tokyo. The page wasn’t existed so an error was thrown. I tried pages like “en.php”, “he.php” and “jp.php” and they did exist. The page “ctf” displayed similar behaviors. Seems like all the pages display their information based on the user’s or the browser’s language.

The second thing I tested was the page’s reactions to different values. I tried the value “?page=flag” and it returned the expected error:

Warning: include(flag/en-US.php): failed to open stream: No such file or directory in /var/www/globalpage/index.php on line 41
Warning: include(): Failed opening ‘flag/en-US.php’ for inclusion (include_path=’.:/usr/share/php:/usr/share/pear’) in /var/www/globalpage/index.php on line 41
Warning: include(flag/en.php): failed to open stream: No such file or directory in /var/www/globalpage/index.php on line 41
Warning: include(): Failed opening ‘flag/en.php’ for inclusion (include_path=’.:/usr/share/php:/usr/share/pear’) in /var/www/globalpage/index.php on line 41

I then understood the page was trying to include the language file and every value that I’ll set to “page” will be a folder. I tested the page with the value “../../../etc/passwd” with and without a null-byte terminator but failed due to the sanitize of dots and slashes the page performs.

But how does the page know my language? It took me a while to figure it out. The page took my language settings from the “Accept-Language” field in the request’s header. I tried to change Accept-Language to something else using a Firefox plugin called Tamper Data and it worked! Any value I’ll put there will change the requested page. For example if I request “?page=Mega” and set Accept-Language to “beets” it would return the errors:

Warning: include(Mega/beets.php): failed to open stream: No such file or directory in /var/www/globalpage/index.php on line 41
Warning: include(): Failed opening ‘Mega/beets.php’ for inclusion (include_path=’.:/usr/share/php:/usr/share/pear’) in /var/www/globalpage/index.php on line 41

I combined it all together to perform a well known LFI attack using php://filter. I set the parameter value to “php:” and the Accept-Language field to “/filter/convert.base64-encode/resource=index”. This function encodes the page with Base64 before including it. And indeed I got “index.php” encoded with base64. The decoded page looks like this:

As you can see on the top of the code there is an included page named “flag.php”. I changed the Accept-Language accordingly to “/filter/convert.base64-encode/resource=flag” and received the encoded page. Decode it to reveal the flag:

TWCTF{I_found_simple_LFI}

By the way, you can also solve it the “Curl” way:

 

megabeets_inline_logoEat Veggies.

[TWCTF-2016: Crypto] Twin Primes Writeup

Standard

Challenge description:
Decrypt it.
twin-primes.7z


We have 4 files in the archive:

  • encrypt.py – A Python script uses RSA algorithm to encrypt the flag
  • encryped – The encrypted message
  • key 1 – n, and e of one of the keys used in the encryption process
  • key 2 – n, and e of the other key used in the encryption process

Are you ready for your math lesson? Here we go.
After reading encrypt.py we know that:

  • n1 = p*q
  • n2 (p+2)(q+2)
  • p and q are twin primesi.e p is prime and p+is also prime; similar for q.

Now let’s turn the equation into an equation with one unknown and then solve it for the unknown.We can Isolate q to be twin-primes_1  and substitute q in the other equation. Now we have an equation in one unknown:twin-primes_2

Solve the equation and you’ll get: twin-primes_3

We need to solve this quadratic equation in order to find p and q. After that it will not be a problem to find the d’s and build the keys.
The rest is in the script:

 

[TWCTF-2016: PPC] Make a Palindrome! Writeup

Standard

Challenge description:

Your task is to make a palindrome string by rearranging and concatenating given words.

You have to connect to ppc1.chal.ctf.westerns.tokyo:31111(TCP) to answer the problem.

  • Time limit is 3 minutes.
  • The maximum number of words is 10.
  • There are 30 cases. You can get flag 1 on case 1. You can get flag 2 on case 30.
  • samples.7z Server connection examples.

This challenge was pretty simple. I used the given “example.py”  and added the following function to it:

Then I called it using the original script structure:

And the server returned the flag:
TWCTF{Hiyokko_Tsuppari}

The full script can be found here.

[TWCTF-2016: Web] Rescue Data 1: deadnas Writeup

Standard

Challenge description:

Today, our 3-disk NAS has failed. Please recover flag.
deadnas.7z


We are given an archive containing 3 files:

3 Disk NAS and one has failed? This challenge is obviously about RAID 5. I was asked to find a way to recover the failed disk and there is no simpler way than just XOR disk0 with disk2 and recreate the original disk1. If you are right now in your “WTF?!” mode you better go read about RAID 5 until you understand how it works.

I used simple software called XorFiles.

XorFiles

I then used OSForensics to rebuild the RAID:

OSForensics

Mounted the output file:

OSForensics2

And accessed the new drive. The flag and a cute cat was waiting for me there.

GlobalPage_Flag

* I know you tried using mdadm and ReclaiMe. Poor you.