Monday, June 17, 2013

3dub 4 - WRITEUP

In this challenge we were confronted with a standard Admin panel page:



Awesome page right?


If you click on "usernames.txt" you are sent to getfile.php, which shows this page:

Well that's cool... let's change the filename GET parameter to "passwords.txt".





So we messed around a bit and saw that the access code parameter was an md5 of the file name.

So when we changed the md5 to passwords.txt's md5 (b55dcb609a2ee6ea10518b5fd88c610e)
and the filename to passwords.txt we get access to the passwords.txt page:
Well, that looked too hard (SHA-512) for our simple minds to break. So we decided to just look around a bit at the other pages, since we can now access any file we want, and we looked at the login page:
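The "access code" getfile.php used was md5 of the filename, which the client can compute for any file it wants to read. As an added example (not the challenge's or the writeup's code), here is that check next to a keyed, allowlisted version; the secret, the allowlist and the function names are assumptions for illustration:

```php
<?php
// Added example, not part of the challenge or this writeup.
// Contrasts the getfile.php design described above (code = md5(filename))
// with a check the client cannot forge. ALLOWED_FILES and the secret are
// hypothetical names for the demo.

// Weak scheme from the writeup: the code is an unkeyed hash of a public
// value, so anyone who knows a filename can mint a valid code for it.
function weak_access_ok(string $filename, string $code): bool
{
    return md5($filename) === $code;
}

// Hardened scheme: the code is an HMAC over the filename under a secret the
// client never sees, compared in constant time, and the filename must be on
// an explicit allowlist, so passwords.txt and key.txt are not reachable at all.
const ALLOWED_FILES = ['usernames.txt'];

function issue_access_code(string $filename, string $secret): string
{
    return hash_hmac('sha256', $filename, $secret);
}

function hardened_access_ok(string $filename, string $code, string $secret): bool
{
    if (!in_array($filename, ALLOWED_FILES, true)) {
        return false;   // never serve a file that is not allowlisted
    }
    return hash_equals(issue_access_code($filename, $secret), $code);
}

// Demo with a constructed secret (in practice load it from config outside the web root).
$secret = 'constructed-demo-secret';

// The client can build a valid weak code for a file it was never given a link to.
var_dump(weak_access_ok('passwords.txt', md5('passwords.txt')));

// Even a correctly keyed code does not help for a file outside the allowlist.
var_dump(hardened_access_ok('passwords.txt', issue_access_code('passwords.txt', $secret), $secret));

// An allowlisted file with the code the server issued is served.
var_dump(hardened_access_ok('usernames.txt', issue_access_code('usernames.txt', $secret), $secret));

// An allowlisted file with a guessed code is refused.
var_dump(hardened_access_ok('usernames.txt', str_repeat('0', 64), $secret));
```

The allowlist is the part that actually matters: an HMAC only proves the server issued the code for that name, so the server must still never issue one for files it does not intend to publish.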


Well, since there is no auth code on this page, it must have been a red herring; good thing we didn't try cracking those password hashes. With only one page (that we know of) left to check we looked at the getfile.php page:

We see there is a key.txt that we can't read directly: instead getfile.php returns an encrypted version of key.txt, using a value from the seeded random number generator as the encryption key and base64-encoding the result. We fetched the encrypted string by requesting key.txt (IC7U94oEd1fDqQvxz6ub0RQ6IdJXfbgAqV+FxpxXMnGwLplE37Hjc+X7OwruViqvDYyyI8nFjRaDmMgPWvNoFA==)

Since the string was encrypted with PHP (and our Python was bad and we should feel bad) we thought it would be easier to decode it with PHP. But first we need the seed value for the random number generator so that we can reproduce the encryption key. The seed is the UNIX epoch time from the time() function in PHP, so it is set to the time the page is loaded, and we can totally guess it. We take our own epoch time minus a few hundred seconds for sanity reasons and brute-force every seed value until we get the right answer. Code to win:
<?php
// PHP 5-era code: uses the mcrypt extension (removed in PHP 7.2).
// The page derived its AES key from the first rand() after srand(time()),
// so every candidate seed yields one candidate decryption of key.txt.

// Encryption counterpart, kept for testing the scheme against a known plaintext.
function aes_crypt($data, $key)
{
    $cyphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC);
    return base64_encode($cyphertext);
}

// Seed the generator with the candidate timestamp and use the resulting
// rand() value as the key, exactly as getfile.php did.
function aes_decrypt($encrypted, $seed)
{
    srand($seed);
    $actkey = rand();
    return mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $actkey, $encrypted, MCRYPT_MODE_CBC);
}

// Encrypted key.txt as returned by getfile.php (base64)
$data = 'IC7U94oEd1fDqQvxz6ub0RQ6IdJXfbgAqV+FxpxXMnGwLplE37Hjc+X7OwruViqvDYyyI8nFjRaDmMgPWvNoFA==';
$raw  = base64_decode($data);

// Candidate seeds: start a bit before the time we fetched the file and walk upwards,
// writing every decryption to data.txt so the readable one can be grepped out.
$i  = 1371311111;
$fp = fopen('data.txt', 'w');
while ($i < 1371999999) {
    print "$i<br>";
    $decode = aes_decrypt($raw, $i);
    fwrite($fp, "$decode\n\n");
    $i++;
}
fclose($fp);
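The reason this brute force works is that the only entropy in the key was the request timestamp. As an added example (not the challenge's or the writeup's code), here is that derivation beside how key.txt should have been protected on modern PHP (7.1.2+ for random_bytes, openssl_* and hash_hkdf); the master key, the subkey labels and the placeholder flag are constructed for the demo:

```php
<?php
// Added example, not part of the challenge or this writeup.
// Contrasts the key derivation recovered above (seed with time(), use the
// first rand() as the AES key) with a CSPRNG key plus encrypt-then-MAC.

// Weak derivation as described in the writeup: the keyspace is "plausible
// timestamps", so a few hundred seeds around the fetch time cover it.
function weak_key_from_time(int $seed): string
{
    srand($seed);
    return (string) rand();
}

// How many keys a defender should assume an attacker has to try with this
// scheme: one per second of uncertainty about the request time.
function candidate_key_count(int $slack_seconds): int
{
    return $slack_seconds + 1;
}

// Hardened: a 256-bit master key from the OS CSPRNG (generated once, stored
// outside the web root), separate encryption and MAC subkeys via HKDF, a fresh
// random IV per message, and encrypt-then-MAC so a wrong key or a tampered
// blob is rejected before anything is decrypted. Output = base64(iv || ct || tag).
function subkeys(string $master): array
{
    return [
        hash_hkdf('sha256', $master, 32, 'enc'),   // 'enc'/'mac' labels are constructed
        hash_hkdf('sha256', $master, 32, 'mac'),
    ];
}

function secure_encrypt(string $plaintext, string $master): string
{
    [$encKey, $macKey] = subkeys($master);
    $iv  = random_bytes(16);
    $ct  = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($iv . $ct . $tag);
}

function secure_decrypt(string $blob, string $master): ?string
{
    [$encKey, $macKey] = subkeys($master);
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) {
        return null;                    // too short to hold iv, one block and tag
    }
    $iv  = substr($raw, 0, 16);
    $tag = substr($raw, -32);
    $ct  = substr($raw, 16, strlen($raw) - 48);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        return null;                    // MAC mismatch: wrong key or tampering
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Demo with a constructed master key and a placeholder flag value.
$master = random_bytes(32);
$blob   = secure_encrypt('FLAG{placeholder}', $master);
var_dump(secure_decrypt($blob, $master) === 'FLAG{placeholder}');   // round trip
var_dump(secure_decrypt($blob, random_bytes(32)));                   // wrong key is rejected, not "decrypted" to garbage
var_dump(weak_key_from_time(1371311111));                            // the kind of key the challenge used
printf("candidate keys with 300 s of slack: %d, versus 2^256 for a random 32-byte key\n",
       candidate_key_count(300));
```

Two things make the brute force from the writeup impossible against the hardened version: the key no longer depends on anything an observer can estimate, and the MAC check means a wrong-key guess returns null instead of a block of bytes that can be scanned for readable text.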