HITCON CTF Quals 2015 was from 17 October 2015, 10 am to 18 October 2015, 10pm. CTFTIME Page. Most of the challenges were very tedious, and this is one of the challenges that we solved (Although we only managed to solve this after the CTF ended).
Simple
Points: 100
Category: Cryptography
Description Become admin!
http://52.69.244.164:51913
simple-01018f60e497b8180d6c92237e2b3a67.rb
md5: 4bd00c892d5e71f6d1d25d0bff2f49ec
Our solution
Given the source code of the website, we’re told to get admin. Looking at the source code provided, to be able to print the flag out, we have to get the conditon r[‘admin’] to be equal to true.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#!/usr/bin/env ruby
require 'sinatra/base'
require 'sinatra/cookies'
require 'openssl'
require 'json'
KEY = IO.binread('super-secret-key')
FLAG = IO.read('/home/simple/flag').strip
class SimpleApp < Sinatra::Base
helpers Sinatra::Cookies
get '/' do
auth = cookies[:auth]
if auth
begin
auth = auth.b
c = OpenSSL::Cipher.new('AES-128-CFB')
c.decrypt
c.key = KEY
c.iv = auth[0...16]
json = c.update(auth[16..-1]) + c.final
r = JSON.parse(json)
if r['admin'] == true
"You're admin! The flag is #{FLAG}"
else
"Hi #{r['username']}, try to get admin?"
end
rescue StandardError
'Something wrong QQ'
end
else
<<-EOS
<html><body><form action='/' method='POST'>
<input type='text' name='username'/>
<input type='password' name='password'/>
<button type='submit'>register!</button>
</form></body></html>
EOS
end
end
post '/' do
username = params['username']
password = params['password']
if username && password
data = {
username: username,
password: password,
db: 'hitcon-ctf'
}
c = OpenSSL::Cipher.new('AES-128-CFB')
c.encrypt
c.key = KEY
iv = c.random_iv
json = JSON.dump(data)
enc = c.update(json) + c.final
cookies[:auth] = iv + enc
redirect to('/')
else
'Invalid input!'
end
end
end
It seems that the IV used as well as the encrypted json is kept in the client’s cookie, and that the same cookie is used to determine if you’re an admin. (This indicates that if we can spoof the encrypted json, we can become admin)
AES-128 in CFB mode has a block size of 16 bytes.
Simply put,
Ciphertext of block #1 = E(IV, key) ^ Plaintext
Therefore, with knowledge of plaintext and ciphertext, we are able to obtain E(IV, key) and to forge for the first block of cipher text.
With a username and password of b, the Plaintext of the first block will be
{"username":"b",
and we’ll use that knowledge to obtain our E(IV, key)
This is our exploit script that forges our first block to be:
{"admin": true }
and allows us to obtain our flag!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
import requests
import urllib
def main():
original_cookie = "\xE9a\x89\xEC\xC7\x7C\xBC\x15\x92\xAD\xF8\x17\xF8\x40" \
"wV\xAB524\xF2\xF5UA\xE8\x1A\x29\xD4\xCB\xFA\xF6\xB3" \
"\x95h\x2B\x0D\xF4\xB9\xC8\xDB\xF8n\xB9o\xBES\x11d\xA3" \
"9\xA3c\x3Fi\xE7\xFA\x1C\xD0\xDBk\xDD\xD2_6\x06"
original_cookie = original_cookie.encode('hex')
iv = original_cookie[0:32]
first_16_byte_block = original_cookie[32:64]
print "IV: %s" % iv
print "First Block: %s" % first_16_byte_block
#Plain text of first 16 byte block.
plaintext ='{"username":"b",'
encrypted_iv = int(plaintext.encode('hex'),16) ^ int(first_16_byte_block,16)
encrypted_iv = hex(encrypted_iv)[2:-1]
print "Encrypted IV: %s" % encrypted_iv
#The text I want to forge in the first block.
forge_text = '{"admin": true }'
print 'Encrypting payload...'
payload = int(forge_text.encode('hex'),16) ^ int(encrypted_iv,16)
payload = hex(payload)[2:-1]
payload = iv + payload
print "PAYLOAD: %s" % payload
cookie = {"auth": payload.decode("hex")}
r = requests.get("http://52.69.244.164:51913/", cookies=cookie)
print "Flag: %s" % r.text
if __name__ == "__main__":
main()
Running the script gives us:
And we have our flag: hitcon{WoW_CFB_m0dE_5o_eAsY}