# ASIS CTF Finals 2015 - Ultra Compression (Web 125)

ASIS CTF 2015 Finals just took place over the weekend of 10,11 October 2015. The finals is open to all, however only qualified teams will be allowed to win the prizes. NUS Greyhats took part in it and solved a few challenges, this is our write-up for some of the challenges from ASIS CTF 2015 Finals.

# ultra compression

Points:125 Category: Web

Go there and find the flag.

# Our solution

Here we were told to go to a webpage to find the flag. Going to the webpage shows an ultra compression service with the ability to upload files.

First thing to do is to upload a legitimate file! I chose a random image file on my machine to upload.

By viewing all embeded javascript, we can tell that the file is sent using ajax to the uploader php script.

The uploader php script is located at ‘ajax_php_file.php’. However, it seems that the file uploaded is not stored on the server.

Using the Chrome browser’s developer tool, we can inspect the response of the ajax call.

As you can see, the filename Screen Shot 2015-10-11 at 00.40.02.png gets encrypted to ow.nnm oOsV G1ig-i1-ii cV 11Jh1J1GJ5my

Following this finding, we can attempt to map every possible plaintext to their corresponding ciphertext, this gives us the mapping of:

crypt = "YLyA83tfONHDInmSc7JCb64PBxQaZTRu.viMWj9lhzgwGdeqEV25Kos1Fkp0/Xr" plain = ".0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

Attempting to insert a semi-colon into the filename shows that the field was injectable.

Using a python script to automatically map payload back to their corresponding plaintext, we can then inject commands to the website.

Traversing to /home/asis/, we can then do a ls to see that the flag.txt is kept there. Finally, using a cat command, we can obtain the flag!

And we have our flag: ASIS{72a126946e40f67a04d926dd4786ff15}