# Information

## Version

| By | Version | Comment |
|---|---|---|
| noraj | 1.0 | Creation |
## CTF
- Name : Pragyan CTF 2018
- Website : ctf.pragyan.org
- Type : Online
- Format : Jeopardy
- CTF Time : link
Like last year, a lot of guessing in Pragyan CTF.
# 150 - Authenticate your way to admin - Web
Owen had created an authentication system which lets users login with their email-id or their team name. But that’s not fun is it? Logging in as the admin beats it all, so there’s your challenge.
The portal is running at 128.199.224.175:23000
Note: Use your Pragyan CTF credentials to login to the web portal.
login.php

```php
<?php
session_start();
require "helpers.php";

$type = $_POST['id_type'];
$identifier = $_POST['identifier'];
$password = $_POST['password'];

// the identifier is stored in the session before any password check
$_SESSION['id'] = $identifier;

if($type === 'team_name') {
    $team_name = $identifier;
    $_SESSION['id_type'] = 'team_name';
    if(verify_teamname_password($team_name, $password) === true) {
        $_SESSION['logged_in'] = true;
        redirect('/homepage.php');
    }
    else {
        // a failed check only stops the script; the session is left untouched
        die("Invalid Team Name-Password combination !!");
    }
}
elseif ($type === 'email') {
    $email = $identifier;
    $_SESSION['id_type'] = 'email';
    if(verify_email_password($email, $password) === true) {
        $_SESSION['logged_in'] = true;
        redirect('/homepage.php');
    }
    else {
        die("Invalid Email-Password combination !!");
    }
}
```

homepage.php
```php
<?php
session_start();
require "helpers.php";

if(! check_login())
    redirect($LOGIN_URL);

// identity is read back from the session, whatever the last login.php call stored there
$id_type = $_SESSION['id_type'];
$id = $_SESSION['id'];
?>
<!DOCTYPE html>
<html>
<head>
    <title>Homepage</title>
</head>
<body style='background-color: #d6eaf8'>
    <p style="float: right">
        <a href='/logout.php'> Logout </a>
    </p>
    <p style="clear: both"></p>
    <p style='height:30px; width:100%;'> </p>
    <center>
        <h2> Welcome User !! </h2>
        <br><br>
        <h3>
        <?php
        if($id_type === 'email') {
            echo "Email :- ".$id;
        }
        elseif ($id_type === 'team_name')
        {
            echo "Team Name :- ".$id ;
        }
        ?>
        </h3>
        <br><br>
        <h4>
        Here's a random funny saying for you :) <br>
        </h4>
        <br><br>
        <?php
        require "sayings.php";
        printf(get_random_saying());
        echo "<br><br>";
        // the flag is only output for the admin team logged in by team name
        if($id === 'admin' && $id_type === 'team_name')
            printf(output_flag());
        ?>
    </center>
</body>
</html>
```
We can see in homepage.php that we need to be logged in as `admin` in `team_name` mode to get the flag: `if($id === 'admin' && $id_type === 'team_name')`. But we don't have the admin password, and we can't bypass the password check.
So let's login with our team credentials:

```http
POST /login.php HTTP/1.1
```
Now, examining login.php again, we can read the following code:

```php
if($type === 'team_name') {
```
Now we have a valid session created server-side thanks to `$_SESSION['logged_in'] = true;`, and we are then redirected to homepage.php.
We can see our homepage like this:
Now let's use Burp Suite to replay the login request, modified to match the conditions required to get the flag:

```http
POST /login.php HTTP/1.1
```
We still have our valid session `nj8pe045eg0sr6r2ef4r5ch0r6`, but the last POST sent to the server has set `$_SESSION['id']` to `admin`: login.php stores the identifier in the session before the password is verified, and a failed check only calls `die()`, so the `$_SESSION['logged_in'] = true` from our first login survives.
Now we just have to refresh homepage.php and grab the flag: `pctf{4u1h3ntic4Ti0n.4nd~4u1horiz4ti0n_diff3r}`.
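The flaw above is an authentication versus authorization mix-up: identity is written into the session before the credentials are checked, and a failed check does not clean up. The following Python model is an added example, not the challenge's PHP: it reproduces the order of operations of login.php and the flag check of homepage.php, runs the replay against it, and then shows a hardened variant that only writes identity after a successful check and regenerates the session. The credential store, the `FLAG` marker and the hardened function are assumptions made here.

```python
"""Constructed model of the session-handling flaw behind this challenge.

Added example, not the challenge's code: login.php's order of operations and
homepage.php's flag check are re-implemented in Python so the replay can be
run offline. Credentials, the flag marker and the hardened variant are
assumptions made for the demonstration.
"""
import hmac
import secrets

# Constructed credential store (identifier -> password). The admin password
# is unknown to the player; any value works here because it is never used.
TEAM_PASSWORDS = {"admin": secrets.token_hex(8), "myteam": "hunter2"}
EMAIL_PASSWORDS = {"me@example.org": "hunter2"}


def verify_teamname_password(team_name, password):
    expected = TEAM_PASSWORDS.get(team_name)
    return expected is not None and hmac.compare_digest(expected, password)


def verify_email_password(email, password):
    expected = EMAIL_PASSWORDS.get(email)
    return expected is not None and hmac.compare_digest(expected, password)


def login_vulnerable(session, id_type, identifier, password):
    """Same order as the challenge's login.php: identity is written into the
    session BEFORE the password is checked, and a failed check only returns
    an error (PHP's die()), leaving an earlier logged_in=True in place."""
    session["id"] = identifier
    if id_type == "team_name":
        session["id_type"] = "team_name"
        ok = verify_teamname_password(identifier, password)
    elif id_type == "email":
        session["id_type"] = "email"
        ok = verify_email_password(identifier, password)
    else:
        return "unknown id_type"
    if ok:
        session["logged_in"] = True
        return "redirect:/homepage.php"
    return "Invalid combination !!"  # session left exactly as it was


def login_hardened(session, id_type, identifier, password):
    """Fixed variant (assumption): verify first, touch the session only on
    success, and start a fresh session so nothing from before survives."""
    if id_type == "team_name":
        ok = verify_teamname_password(identifier, password)
    elif id_type == "email":
        ok = verify_email_password(identifier, password)
    else:
        ok = False
    if not ok:
        return "Invalid combination !!"  # nothing was written, nothing to undo
    session.clear()
    session["sid"] = secrets.token_hex(16)  # stands in for session_regenerate_id()
    session["id"] = identifier
    session["id_type"] = id_type
    session["logged_in"] = True
    return "redirect:/homepage.php"


def homepage(session):
    """Mirrors homepage.php: requires logged_in, outputs the flag for the
    admin team logged in by team name."""
    if not session.get("logged_in"):
        return "redirect:/login.php"
    if session.get("id") == "admin" and session.get("id_type") == "team_name":
        return "FLAG"  # placeholder for output_flag()
    return "Welcome " + session["id"]


def replay_attack(login):
    """Log in with valid team credentials, then replay the login request with
    identifier=admin and a wrong password, as done with Burp in the writeup."""
    session = {}
    login(session, "team_name", "myteam", "hunter2")
    login(session, "team_name", "admin", "not-the-admin-password")
    return homepage(session)


if __name__ == "__main__":
    print("vulnerable:", replay_attack(login_vulnerable))  # FLAG
    print("hardened:  ", replay_attack(login_hardened))    # Welcome myteam
```

With the vulnerable handler the replayed request re-labels the live session as `admin` and homepage.php hands out the flag; with the hardened handler the failed attempt changes nothing and the session stays `myteam`. In real PHP the equivalent fix is to only assign `$_SESSION` keys inside the success branch and to call `session_regenerate_id(true)` there.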
# 100 - Quick Response - Forensics
Tony had created a QR code for a specific purpose, and sent to his friend Rhody for deployment but when deployed, the QR code wasn’t working as it was supposed to. Figure out what’s wrong and help fix the problem.
If we take a look at the QR code structure, we can see that the positioning squares are undersized and that the alignment square is not completely closed.
Now let's open the QR code in GIMP.
In the Display menu we will enable two features: Show Grid and Snap to Grid.
Now we need to configure the grid to be the same size as the QR code pixels.
So we can easily copy and paste some pixels to complete the squares and get a valid QR code:
Scanning the previous QR code we get this message:
The flag is: `pctf{r3p4ir1nG~Qr_1s-my_h0bBy}`
# 50 - Assemble your way to the flag - Reverse
My friend was trying out assembly for the first time, he has no clue what he's doing, help him out and procure your reward in the form of a flag :)
I fired up the awesome radare2, analysed the binary, displayed the symbols, and showed the assembly of the main function.
Then I saw that two chars were XORed each time, so I XORed them.
All of that can be watched following the asciinema replay:
So we can note each un-XORed char and reverse it:

```shell
$ printf %s '}y1bm3sS4_n1_3d0c_sdNeg3l{ftcp' | rev
```
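The two manual steps, XORing each pair of bytes read from the disassembly and then reversing the result, as an added Python example (not the challenge binary's code). The byte pairs are constructed here so that each pair XORs to the corresponding character of the string noted in the writeup; they are not the real binary's operands.

```python
"""Added example (not the challenge binary's code) for the XOR-pair recovery.

In the writeup each flag character is obtained by XORing two bytes found in
the binary's main function, and the recovered characters read as the flag
backwards. The (a, b) pairs below are constructed to reproduce the string
noted in the writeup; they are not the real binary's operands.
"""

# Reversed flag, as noted from the un-XORed characters in the writeup.
REVERSED_FLAG = "}y1bm3sS4_n1_3d0c_sdNeg3l{ftcp"


def make_pairs(text, seed=0x5A):
    """Build constructed (a, b) byte pairs with a ^ b == ord(char)."""
    pairs = []
    for i, ch in enumerate(text):
        a = (seed + 0x11 * i) & 0xFF        # arbitrary first operand
        pairs.append((a, a ^ ord(ch)))      # second operand chosen to match
    return pairs


def unxor_pairs(pairs):
    """Recover one character per pair, the step done by hand from the disassembly."""
    for a, b in pairs:
        if not (0 <= a <= 0xFF and 0 <= b <= 0xFF):
            raise ValueError("operands must be single bytes")
    return "".join(chr(a ^ b) for a, b in pairs)


def recover_flag(pairs):
    """Un-XOR every pair, then reverse the string (the `rev` step)."""
    return unxor_pairs(pairs)[::-1]


# Constructed stand-in for the operand pairs one would read out of the binary.
PAIRS = make_pairs(REVERSED_FLAG)

if __name__ == "__main__":
    for a, b in PAIRS[:4]:
        print(f"0x{a:02x} ^ 0x{b:02x} = {chr(a ^ b)!r}")
    print(recover_flag(PAIRS))  # pctf{l3geNds_c0d3_1n_4Ss3mb1y}
```

`unxor_pairs` is the part worth reusing: paste the operand pairs taken from the disassembly in order and it returns the characters the binary compares against, which here still have to be reversed to read the flag.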