ASIS 2014 quals # Web – Hidden flag

URL: http://asis-ctf.ir/challenges/
Type: unarchiving and encoding
Solution: ASIS_b6b9244608c2fc2e869cb56067b64bb1
 


Description
no description


You have to find a hidden flag. Basically, you have to look carefully over the entire website. One good and easy option is to dump the network traffic to and from the site and search it for a few chosen words. Of course, you first have to tell your browser not to accept gzip/deflate content encoding (for example by removing Accept-Encoding from its requests), so that the responses appear as plain HTML on the wire; this works here only because the site is served over plain HTTP, TLS traffic would have to be intercepted in the browser or through a proxy instead. Then a simple tcpdump in ASCII mode piped through grep will do the job:

$ tcpdump -A -s 16384 host asis-ctf.ir | grep -i 'asis_\|flag'

...
X-Flag: ASIS_b6b?244608c2?c2e869cb56?67b64?b1
...

 
It looks like an almost complete flag, leaked in an X-Flag HTTP response header sent by the CTF website. We just have to find what the four ? stand for (16^4 = 65536 possibilities).

Finding the right flag

The ASIS submission board has a rather interesting functionality: it checks the flag client-side, in JavaScript, before sending it to the asis-ctf.ir server.

<script src="/static/js/sha256.js"></script>
<script>
$(document).on('hidden.bs.modal', function (e) {
    e.preventDefault();
    $(e.target).removeData('bs.modal');
});

var i = 0;

var result = ['Please try again!', 'Try harder!', 'Your answer is not correct!', 'The submitted flag is not correct!', 'False flag!', 'Wrong answer!', 'Sorry!'];
var final_result = "Do you want to hack me?";

$('#flag_submission').submit(function(e){
    e.preventDefault();
    // Double SHA-256 of the submitted flag: the second hash is computed over
    // the first digest's hex string (as text), not over its raw bytes.
    var shaObj = new jsSHA(document.forms["flag_submission"]["id_flag"].value, "TEXT");
    var hash = shaObj.getHash("SHA-256", "HEX");
    var shaObj2 = new jsSHA(hash, "TEXT");
    var hash2 = shaObj2.getHash("SHA-256", "HEX");
    // Client-side comparison against the hidden "check" input of the form
    if (document.forms["flag_submission"]["check"].value !== hash2) {
        if ($("#id_flag").next().length == 0){
            $('<div class="alert alert-danger" id="answer" ></div>').insertAfter('#id_flag');
        }
        if (i++>6){
            $('#answer').removeClass('alert-danger').addClass('alert');
            $('#answer').text(final_result);
        }
        else $('#answer').text(result[Math.floor(Math.random() * 7)]);
        return false;
    }

    // Only a flag that passes the local check is ever sent to the server
    $.ajax({
        type: "POST",
        url: "/challenges/22/",
        data: $('form').serialize(),
        success: function(msg){
            $("#ModalContainer").html(msg)
            $("#modal-dialog").modal('hide');
        },
        error: function(){
            alert("failure");
        }
    });
});
</script>

 
So the submitted flag is hashed twice with SHA-256 (the second hash is computed over the hex digest of the first, treated as text), and the result is compared with the form's hidden check input, which for this challenge was:

<input id="id_check" name="check" value="61e18627ead3caaf56c89140e11533491ea3cc7b405d3e4d95bba333860c0acc" type="hidden">

 
Because this comparison runs in the browser against a value embedded in the page, candidate flags can be tested offline, as fast as SHA-256 can be computed, without ever contacting the server. Thus we just have to brute-force the four unknown characters with this little script:

import string
from hashlib import sha256

check = '61e18627ead3caaf56c89140e11533491ea3cc7b405d3e4d95bba333860c0acc'
hexdigits = string.hexdigits[:16]  # '0123456789abcdef': the known digits are lowercase hex

def double_sha256(s):
    # Same as the page's JavaScript: hash the flag, then hash the hex digest as text
    return sha256(sha256(s.encode()).hexdigest().encode()).hexdigest()

for h1 in hexdigits:
  for h2 in hexdigits:
    for h3 in hexdigits:
      for h4 in hexdigits:
        FLAG = 'ASIS_b6b'+h1+'244608c2'+h2+'c2e869cb56'+h3+'67b64'+h4+'b1'
        if double_sha256(FLAG) == check:
          print('Found flag:', FLAG)
          break

Found flag: ASIS_b6b9244608c2fc2e869cb56067b64bb1
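As an added example (not part of the original write-up), here is the same offline attack written for an arbitrary mask rather than exactly four holes: every ? in the leaked header is assumed to be a lowercase hex digit, the check value is the one embedded in the form above, and client_check() mirrors the jsSHA calls in the page's JavaScript (SHA-256 of the flag, then SHA-256 of that hex digest as ASCII text). Nothing here talks to the server; the hidden hash alone is the oracle.

```python
import itertools
from hashlib import sha256
from typing import Optional

# Hidden "check" input value from the submission form (taken from the write-up).
CHECK = '61e18627ead3caaf56c89140e11533491ea3cc7b405d3e4d95bba333860c0acc'
# Flag as leaked in the X-Flag response header; '?' marks the unknown digits.
LEAKED = 'ASIS_b6b?244608c2?c2e869cb56?67b64?b1'
# Assumption: the unknown digits are lowercase hex like the known ones.
HEX = '0123456789abcdef'


def client_check(flag: str) -> str:
    """Reproduce the page's JavaScript: SHA-256 of the flag, then SHA-256 of
    that hex digest treated as text (jsSHA was fed the hex string, not bytes)."""
    first = sha256(flag.encode()).hexdigest()
    return sha256(first.encode()).hexdigest()


def recover_flag(mask: str, check: str, alphabet: str = HEX) -> Optional[str]:
    """Fill every '?' in mask with characters from alphabet until the client-side
    check matches. Returns the recovered flag, or None if no candidate matches."""
    holes = [i for i, c in enumerate(mask) if c == '?']
    chars = list(mask)
    for combo in itertools.product(alphabet, repeat=len(holes)):
        for pos, c in zip(holes, combo):
            chars[pos] = c
        candidate = ''.join(chars)
        if client_check(candidate) == check:
            return candidate
    return None


if __name__ == '__main__':
    print(len(HEX) ** LEAKED.count('?'), 'candidates to test')
    print('Found flag:', recover_flag(LEAKED, CHECK))
```

The search space is len(alphabet) raised to the number of holes, so this stays practical only while the leaked value is nearly complete; the point of the exercise is that the server-side check was irrelevant once the hash of the answer had been shipped to the client.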

 

One comment on “ASIS 2014 quals # Web – Hidden flag”

  1. Nice work and thanks for your write-up.

    Do you have the solutions for the web challenges?
    Mesa system:
    I found something in the source code of index.php like admin1 and master.

    Hurdling

    Impenetrable:
    I found an XSS vulnerability and I have tested it with a PHP cookie stealer on my website, but nothing was stolen. (My script works, tested on enigmagroup.org)
