Sunday, December 18, 2016

WhiteHat Grandprix 2016


This is probably the worst CTF I've played. The server was always overloading (probably DDoS'ed and/or pwned). Also, the anti-bruteforce mechanism made sure that you couldn't log in when someone else was brute-forcing your account (it's very possible that the hackers already got access to your profile data - hope you didn't use the CTF password anywhere else). There were other problems, but they don't bother me anymore.

Below are some write-ups if you're interested. I don't quite remember the names, and because some teams were able to submit flags after the contest ended, they took everything down.

Web 100: Bánh bột lọc

If you look at the source you'll see the backed-up page. From there, you need to find a username/password pair that meets the condition: $username.'1337' = md5($password). Some coding and the job is done (Linux experts can probably do it faster than me).

The ones I used were 234417335475b7eb761e5f8accae1337 - huna12

Web 100: Bánh căn

For some stupid reason the page allows you to execute arbitrary PHP functions using a GET query. However, many important functions are blacklisted (from the hint). In the end, this query did the job: ?assert=require('php://filter/convert.base64-encode/resource=index.php')

Crypto 100

This is basically a substitution cipher. You look up the characters corresponding to your numbers using the table. For numbers that are the product of 2 other numbers, use those two numbers as row/column indices.

I solved this one by replacing the high-frequency numbers with characters and used SCBSolvr to do the rest.

Crypto 300

The key is generated from an 8-byte seed, so it has a very big weakness: it repeats every 72 bytes. Using a known-plaintext attack you can recover the key and decrypt the text.
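The weakness described above, as an added example that is not the challenge's code or the author's solver. It assumes the cipher XORs the text with the 72-byte key repeated end to end; `expand_seed`, the seed and the message are constructed stand-ins.

```python
import hashlib

PERIOD = 72  # key length stated in the write-up

def expand_seed(seed: bytes) -> bytes:
    # Hypothetical key schedule (assumption): stretch 8 bytes to 72 with SHA-256.
    blocks = (hashlib.sha256(seed + bytes([i])).digest() for i in range(3))
    return b"".join(blocks)[:PERIOD]

def xor_repeating(data: bytes, key: bytes) -> bytes:
    # Assumed cipher: XOR with the key repeated end to end.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ct: bytes, known: bytes, offset: int = 0, period: int = PERIOD):
    # Each known plaintext byte reveals one key byte: k = c XOR p.
    key = [None] * period
    for i, p in enumerate(known):
        key[(offset + i) % period] = ct[offset + i] ^ p
    return key

def decrypt_with(ct: bytes, key) -> str:
    # Positions whose key byte is still unknown are shown as '?'.
    return "".join(
        "?" if key[i % len(key)] is None else chr(c ^ key[i % len(key)])
        for i, c in enumerate(ct)
    )

# Constructed sample data, not the challenge's.
SEED = b"8bytes!!"
PLAINTEXT = (
    b"From: organizer@ctf.example\nTo: players@ctf.example\n"
    b"Subject: weekly notes\n\n"
    b"The flag for this constructed sample is FLAG{not_the_real_one}.\n"
)
CIPHERTEXT = xor_repeating(PLAINTEXT, expand_seed(SEED))

def demo():
    # 72 known bytes recover the whole key; 20 known bytes recover 20 of 72.
    full = recover_key(CIPHERTEXT, PLAINTEXT[:PERIOD])
    partial = recover_key(CIPHERTEXT, PLAINTEXT[:20])
    return decrypt_with(CIPHERTEXT, full), decrypt_with(CIPHERTEXT, partial)

if __name__ == "__main__":
    recovered, gappy = demo()
    print(recovered)
    print(gappy)
```

The seed never has to be guessed: once 72 consecutive plaintext bytes are known, every later block decrypts with the same key bytes, which is why a keystream must not repeat within or across messages.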

Reverse 100: Nem rán

After decompiling, you get the Python code. It's basically ROR, so just ROL and it's done. Because it's a rotation, you can quickly define ROL as ROR(bitsize - shifted_bits).

Forensics 100: Bánh giầy

Using Wireshark you can recover the secret file, which is a zip archive. Crack the zip using a brute-force attack (the password is 4 characters long) and you'll get the flag.

Misc 100: Bánh đa kê

The flags are hidden in 32 files among 10000 folders. The server allows you to execute some Linux commands, and of course some important commands are blacklisted. In the end, the command I used was egrep -r '.' . | sort

2 comments:

Anonymous said...

Web 100 can be solved with an md5 collision.

Anonymous said...

Web 100 can also be solved by the fact that PHP's `==` has a weakness that '1e10' == '1e99' returns true. So we only need to find an md5 that starts with 1e.. and the comparison will return true. Try "username=0e10013219923568742193037542&password=NOOPCJF"