writeups

SwampCTF 2018 - Write-up

noraj (Alexandre ZANNI)
, , ,
🇬🇧

Information#

Version#

By Version Comment
noraj 1.0 Creation

CTF#

  • Name : SwampCTF 2018
  • Website : swampctf.com
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

The Vault - Web#

Has it been days? Weeks? You can't remember how long you've been standing at the door to the vault. You can't remember the last time you slept or ate, or had a drop of water, for that matter. But all of that is insignificant, in the presence of the untold fortunes that must lie just beyond the threshold.

But the door. It won't budge. It says it will answer only to the DUNGEON_MASTER. Have you not shown your worth? But more than that, It demands to know your secrets.

Nothing you've tried has worked. You've pled, begged, cursed, but the door holds steadfast, harshly judging your failed requests.

But with each failed attempt you start to notice more and more that there's something peculiar about the way the door responds to you.

Maybe the door knows more than it's letting on. ...Or perhaps it's letting on more than it knows?

NOTE: DO NOT USE AUTOMATED TOOLS

http://chal1.swampctf.com:2694

-=Created By: juan=-

I began with the source:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
[...]
<script>
function login(){
	var xhttp = new XMLHttpRequest();
	xhttp.onreadystatechange = function() {
		if (this.readyState == 4) {
			if(this.status == 200){
				alert(xhttp.responseText);
				window.location.href = 'https://youtu.be/rWVeZx2IP30?t=3';
			} else {
				alert('Invalid Credentials')
			}
		}
	};
	xhttp.open("POST", "/login/"+document.getElementById('inputName').value+"."+document.getElementById('inputPassword').value, true);
	xhttp.send();
	return false;
}

</script>
[...]

This looks like a very abnormal authentication scheme. I fired BurpSuite and made a request through the proxy:

1
2
3
4
5
6
7
8
9
POST /login/DUNGEON_MASTER.42 HTTP/1.1
Host: chal1.swampctf.com:2694
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://chal1.swampctf.com:2694/
Connection: close
Content-Length: 0

DUNGEON_MASTER is the username we must use and 42 is just a random password.

So I got the useless video. Then I sent the request to the Repeater of Burp to execute the request again and to analyse the server's answer.

The server answered me this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
HTTP/1.1 500 Internal Server Error
X-Powered-By: Express
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 294
Date: Fri, 30 Mar 2018 20:05:25 GMT
Connection: close

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>test_hash [73475cb40a568e8da8a045ced110137e159f890ac4da883b6b17dc651b3a8049] does not match real_hash[40f5d109272941b79fdf078a0e41477227a9b4047ca068fff6566104302169ce]</pre>
</body>
</html>

The real_hash must be some SHA-256, so I just asked CrackStation to give me the associated clear: smaug123.

Authenticate with those credentials and get the flag in an alert popup: flag{somewhere_over_the_rainbow_tables}.

Share