
Sun, Jun. 2nd, 2019, 05:07 pm
HackerOne CTF Postbook

Postbook... 7 flags at 4 points each.

The page looks like it can have a post timeline for posts you create, a way to sign in, sign up, etc. After creating an account I can see the other posts and see there are users 'user' and 'admin'.

First flag... log in as 'user'. Brute-force it a bit... the password is super simple.

Second flag... This involves checking post IDs that are not yours, e.g. 0, 1, ... Number 2 reveals a secret post and flag.

Third flag... you find it by looking at the source when making a new post. There is a hidden parameter in the post form that sets the user id. Alter it so it doesn't match your own and boom, third flag.

Fourth flag... This one really needs a hint... 189*5 was what they gave. Basically had to check that really high post number and boom, flag.

Fifth flag... edit a post and then alter the parameters to specify someone else's post. Flag.

Sixth flag... This one and the next depend on you noticing that the posts and such use a sequence of funny hashes, and that those are always in the same order. You can set your own cookie to another of the hashes in order to be signed in as another user.

Seventh flag... When you create a post and then delete it, it passes in some kind of oddball number, "a87ff679a2f3e71d9181a67b7542122c". If you check the MD5 sums of a few single digits you find '4' hashes to that one.
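The sixth and seventh flags come down to one design flaw: the cookie and the delete parameter are unsalted MD5 digests of small sequential ids, so each one maps straight back to its id and any other id's value is computable. The block below is an added example, not Postbook's code. It uses constructed in-memory users and posts, gives an audit check that flags such a token, and pairs it with what a defender wants instead: an opaque random session token looked up server-side, and an edit handler that decides ownership from that session rather than from the hidden user-id form field the third and fifth flags abuse. The names weak_token, recover_id_from_weak_token, issue_session, edit_post and SESSIONS are mine, not the app's.

```python
import hashlib
import secrets
from typing import Optional

# Constructed sample data standing in for Postbook's users and posts (not the CTF's data).
USERS = {1: "user", 2: "admin"}
POSTS = {1: {"owner": 1, "body": "my first post"},
         2: {"owner": 2, "body": "admin's secret post"}}


def weak_token(user_id: int) -> str:
    """The pattern the write-up observed: an identifier that is just md5(str(id))."""
    return hashlib.md5(str(user_id).encode()).hexdigest()


def recover_id_from_weak_token(token: str, limit: int = 10_000) -> Optional[int]:
    """Audit check: return the small integer whose unsalted MD5 equals `token`, or None.

    A session or object identifier passes only if this returns None. A hit means the
    token carries no secret at all, so every other user's token is computable from it.
    """
    for candidate in range(limit):
        if weak_token(candidate) == token:
            return candidate
    return None


# Hardened session handling (an assumed design, not Postbook's own code).
SESSIONS = {}   # opaque random token -> user id, kept server-side only


def issue_session(user_id: int) -> str:
    # 32 bytes from the OS CSPRNG: the token reveals nothing about the id it maps to,
    # and nobody can derive another user's token from their own.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def edit_post(session_token: str, post_id: int, new_body: str,
              form_user_id: Optional[int] = None) -> str:
    """Edit handler whose authorisation ignores any client-supplied user id.

    `form_user_id` mirrors the hidden parameter the write-up found; it is accepted here
    only to show that it must carry no authority. Who is acting comes from the session.
    """
    actor = SESSIONS.get(session_token)
    if actor is None:
        return "not signed in"
    post = POSTS.get(post_id)
    # One answer for "does not exist" and "not yours", so probing post ids (the second
    # and fourth flags) does not confirm that a hidden post exists.
    if post is None or post["owner"] != actor:
        return "not found"
    post["body"] = new_body
    return "ok"


if __name__ == "__main__":
    # The delete value quoted in the write-up maps back to the digit 4.
    print(recover_id_from_weak_token("a87ff679a2f3e71d9181a67b7542122c"))
    token = issue_session(1)
    print(recover_id_from_weak_token(token))             # None: nothing to map back
    print(edit_post(token, 2, "x", form_user_id=2))      # not found: the form field has no authority
    print(edit_post(token, 1, "edited"))                 # ok
```

The audit helper is the check to run over any cookie or identifier an app hands out: if it resolves to a small integer, the value is a label, not a credential. Note that the hardened handler still looks the post up by its numeric id; that is fine once the ownership decision is made server-side, so sequential ids on their own are not the bug.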

Sun, Jun. 2nd, 2019, 04:03 pm
HackerOne CTF Hello World!

On this CTF you face a "What is your name?" and an option to download the binary. 

After downloading it and opening it in Ghidra, we see the name goes into a 0x20 buffer on the stack. Ok, we should be able to overrun it and overwrite the return address. After plopping in some characters it looks like I can enter 40 and on the next one I get a 'segmentation fault' message.

Well, I dump the ROP gadgets using the 'ROPgadget --binary vulnerable-bin' command in Kali and take a further look. Ok... digging further into the binary, I see a 'print flag' function. Ok, may not need the gadgets.

I just need to convert the address to the right byte order. Basically, take 0x004006ee and convert it to a little-endian 64-bit pointer that is URL-encoded: %ee%06%40%00%00%00%00%00

Boom, it prints the flag.

Fri, Apr. 19th, 2019, 03:10 pm
HackerOne CTF Micro CMS v2

Ok.. next challenge... they sort of took the previous one where you could create pages and edit them and wrapped it in a login screen so you have to log in to access them.

So... Fuck around with user name and password. After entering a funky character we find an error message:
Traceback (most recent call last):
  File "./main.py", line 145, in do_login
    if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
  File "/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 250, in execute
    self.errorhandler(self, exc, value)
  File "/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 50, in defaulterrorhandler
    raise errorvalue
ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1")

Ok.. nice, so... we see we have an admins table with username and password columns.

The basic idea is to use '; to end the previous statement, put in our own SQL statement and then end with a comment character to get rid of the rest of the line. That, or we use ' followed by additional text to modify the existing statement, still terminating with a comment to get rid of the unused part. The base statement is grabbing the password from the table for the provided username.

I went way down the wrong path here... until I got a hint. I found that I could drop the table and I tried to insert into the table and so forth. None of that seemed to work. I even tried to create other tables, to drop the original table and create a new one with known creds... either I messed it up or there were protections to keep this from happening. The hint was about union... so I went that route.

So... if we build a statement that returns some hardcoded text and then provide that same text as the password, we will get logged in. Used UNION to return 'foo' and boom. First flag. Also on that page is a hint to get 'the real login creds'... crumb trail to the next flag?

While thinking about that... I played around and found I could post to page/edit/1 before I was logged in and got the next flag. Also got a funky bit of base64 gunk as a session key... part of which decoded to JSON, {"admin" : "true"}. That might come in handy... Maybe I didn't need to log in and I just needed to set a session header like that?

Anyway... playing around with SQL in the above statement...

SELECT password FROM admins WHERE username='' or password like "a%"# seems to return unknown user... but when I did it with LIKE "n%", that returned invalid password. So... it seems I can figure out the password from which error message comes back. I played around with the %a, a%, and %a% combinations along with ' or LENGTH(password) = 4; statements and discovered that for me, the length was 6, it started with an n and ended with an e and contained e, i, k, l, n, o.

Sweet, no duplicates... guessed "nikole" and got it. Now do the same for the username and found it had a, e, i, n, and r. It started with i and ended with a and had 5 letters... so... "irena"? Boom. Logged in and got the flag.
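Both tricks above, the UNION that returns a value you control and the LIKE/LENGTH probing that leaks the password one character at a time, exist because the username is pasted into the SQL text, exactly as the traceback's do_login line shows. Below is an added example, not the CTF's code: a sqlite3 in-memory stand-in for the MariaDB admins table holding one made-up row, the vulnerable login written in the same shape as the traceback, and a parameterised version beside it. Two assumptions: sqlite's line comment is '-- ' rather than MySQL's '#', so the payloads use that, and the names make_db, do_login_vulnerable and do_login_safe are mine.

```python
import hmac
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the CTF's 'admins' table; the row is a made-up sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('irena', 'nikole')")
    return conn


def do_login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> str:
    # Same shape as the traceback's query: the username is spliced into the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    query = "SELECT password FROM admins WHERE username='%s'" % username
    row = conn.execute(query).fetchone()
    if row is None:
        return "unknown user"        # distinguishable from the branch below: a boolean oracle
    if row[0] != password:
        return "invalid password"
    return "logged in"               # also reached when a UNION supplies the compared value


def do_login_safe(conn: sqlite3.Connection, username: str, password: str) -> str:
    # Parameter binding: the driver sends the value separately from the SQL text, so
    # quotes, UNION and comment markers in the input never reach the parser as syntax.
    row = conn.execute("SELECT password FROM admins WHERE username=?", (username,)).fetchone()
    # One answer for both failure cases removes the existence oracle; the comparison is
    # constant-time. (Storing passwords in clear is a separate defect, left as on the page.)
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return "invalid credentials"
    return "logged in"


if __name__ == "__main__":
    db = make_db()
    union_payload = "' UNION SELECT 'foo' -- "
    probe_hit, probe_miss = "' OR password LIKE 'n%' -- ", "' OR password LIKE 'a%' -- "
    print(do_login_vulnerable(db, union_payload, "foo"))     # logged in
    print(do_login_vulnerable(db, probe_hit, "guess"))       # invalid password  (row exists)
    print(do_login_vulnerable(db, probe_miss, "guess"))      # unknown user      (no row)
    print(do_login_safe(db, union_payload, "foo"))           # invalid credentials
    print(do_login_safe(db, "irena", "nikole"))              # logged in
```

The two error strings in the vulnerable version are what turns a blind injection into a character-by-character password leak; the safe version closes both holes at once, the injection by binding and the oracle by returning one message for every failure.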

Fri, Apr. 19th, 2019, 01:58 pm
Online Scams 101

Just got an email, probably legit, from Navy Federal, whom I have an account with.

Ok, given it is probably legit, you could click the link and find out... but one of the best ways to stay safe online, is.. DO NOT CLICK ON LINKS. OMG. Don't click links.

You have no idea where the link goes and what sort of malware exists at the other end.

Fri, Dec. 14th, 2018, 09:36 am
Hackering via HackerOne CTF

Well, I've been doing CNO dev for a while but I've never really gotten into CTF stuff.

So.. hacker one has a CTF.

Level : Trivial
Some mostly blank page. View source in Chrome. I hope these aren't browser dependent. Anyway... it loads a boring background image and has some dire warning about getting stuck. I try to navigate to other resources. I try to view the image separately in case it's so huge it has stuff off the edge or has text embedded in the jpeg. That is where the flag is. Ok. Pretty easy.

Level : Easy, Micro CMS v1
A series of pages. There is a main page with a listing of sub page titles. There is the option to view a page or create a new page. When on a page you can edit the title and body.

I create a couple of pages and notice the page numbers are discontinuous. I manually load a couple of the missing pages and eventually stumble upon one that is different, and a flag is there. This challenge has 4 flags. The problem is sorting out where each might be.

Moving on, I edit a page a bit and notice script tags get removed/scrubbed. It also supports some sort of markdown. I eventually manage some image tag XSS and get the second flag.

The third flag is XSS in the title that then gets executed on the main page in the page listing. Ok, 3/4 down.

The last flag takes quite a bit of bumbling around in the wrong area. Even with the hints, I glossed over the area with the flag and totally missed it for hours. But I was so close, I'm sort of angry it took that long. It's a type mismatch error thing in the URL.

Sun, Sep. 30th, 2018, 07:32 am
Delving into XSS

I started poking at cross-site scripting, XSS, and found this benign one. The idea is to make the page run code that you pick. You can basically craft a URL that it uses and runs code from, so you could take over the page formatting, force a fake log-in and send the creds to another URL.

You can roll dice, like for play-by-post games.

You can name each roll and provide notes. Then you can look up the roll by number, and your data is saved in the database. There may be SQL injections here... but I'm simply poking at the XSS part. User input isn't scrubbed enough on the name input, and on the landing page the name becomes a link.

So, if we make the name of the roll:

When you look up the roll and mouse over the link, it runs our script to display an alert of "1". Here is a saved roll showing it working. http://www.coyotecode.net/roll/lookup.php?rollid=219494

I basically looked at the generated source and figured out what I had to type to alter the HTML/DOM to get my code in there.

I had to change this:
<a href="http://roll.coyotecode.net/lookup.php?rollname=NAME">NAME</a>

Into this:
<a href="http://roll.coyotecode.net/lookup.php?rollname=f">f"onmouseover="alert(1)</a>

The idea was to provide a short name, f in this case, then a quote, and then set a new attribute on the link, the mouseover script. The page inserts a "> at the end of the name, so I leave the final end quote off of "alert(1)". I thought I needed the space between " and onmouseover but it turns out you don't; the browser handles it for you, thanks Chrome.
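The change from the first <a> to the second is the whole bug: the roll name lands in two different contexts, a URL inside a quoted attribute and the element's text, and neither is encoded for its context, so a quote in the name closes the href value and the rest becomes a new attribute. The block below is an added example, not the dice site's code: it renders the link the way the write-up's markup shows, renders it again with the right encoder for each context, and runs both through Python's tolerant HTML parser to list what attributes the <a> tag actually ends up with. The BASE URL is copied from the page; the function names render_link_vulnerable, render_link_safe and anchor_attribute_names are mine.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

BASE = "http://roll.coyotecode.net/lookup.php?rollname="


def render_link_vulnerable(name: str) -> str:
    """Reproduces the markup the write-up observed: the raw name goes into the href and the text."""
    return '<a href="%s%s">%s</a>' % (BASE, name, name)


def render_link_safe(name: str) -> str:
    """One encoder per context: percent-encode inside the URL, HTML-escape (quotes included)
    inside the element body. quote(safe="") turns the attacker's " into %22, so the href
    value cannot be closed early; html.escape(quote=True) does the same job for the text."""
    return '<a href="%s%s">%s</a>' % (BASE, quote(name, safe=""), html.escape(name, quote=True))


class _AnchorAttrs(HTMLParser):
    """Collects the attribute names the parser assigns to <a> tags."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.names.extend(name for name, _value in attrs)


def anchor_attribute_names(markup: str) -> list:
    """Parse the markup as a tolerant (browser-like) HTML parser does and report the
    attributes of the <a> tag. A second attribute appearing is the injection succeeding."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.names


if __name__ == "__main__":
    # The roll name from the write-up (a constructed test input here).
    payload = 'f"onmouseover="alert(1)'
    print(render_link_vulnerable(payload))
    print(anchor_attribute_names(render_link_vulnerable(payload)))   # ['href', 'onmouseover']
    print(render_link_safe(payload))
    print(anchor_attribute_names(render_link_safe(payload)))         # ['href']
```

Note that the parser, like Chrome, accepts the new attribute with no space after the closing quote, which is why the space the author expected to need was unnecessary. The fix is not to strip quotes from names but to encode for the context each copy lands in; a name that contains quotes is still displayed faithfully in the safe output, only as data.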

Tue, Oct. 7th, 2014, 07:42 pm

My son, Micah, decided to join the run club at school. They are going to train for a 5K. Well, he can't go alone, so I got volunteered. Now I'm getting off my ass to run too. Ran to work this morning using some free C25K app. Hilarious grammar and pronunciation errors as you would expect from a Chinese app. One of the reviewers said they had trouble understanding the thick British accent. LOL. Someone thought it was British. Very obviously Chinese or maybe Japanese.

I walked home too as I couldn't stand the thought of running in my work clothes. Tomorrow is International Bike/Walk to School Day. So I'm walking the kids to school and then I'll walk/bike to work. Assuming I can even walk after today's effort.

Wed, Dec. 18th, 2013, 07:42 pm

A day and a half until the kids get here. I can't wait. I'm loading up the MP3 player that my mom bought Aiyre so she'll have her favorite songs already loaded and ready.

Sat, May. 25th, 2013, 12:47 pm

The cat moved with me to my new home. I've missed him so much. It's nice to have a bit of the old home here with me even if my kids can't be here with me. Kitty is so friendly and tolerant of Lynne's 3 and 6 year old kids. The only problem is that their old Kitty was mean and peed a lot so they expect Kitty to misbehave too. We keep telling them that Kitty is a nice cat and doesn't do those mean things, but they don't seem to believe us.

Mon, Mar. 18th, 2013, 08:36 pm
Denise Glowacki

I was reading Facebook last night and saw a post by my brother where, amongst other things, he indicated that his mother, my stepmother, had passed. This wasn't too much of a shock for me as my father had called the day before and had been very sad. He said that she wasn't doing well and doctors gave her 2-3 days to live. I was a bit shocked, but I guessed she had cancer. She'd been a smoker for as long as I knew her and had lived with my father who also smoked. Still, she was gone and I hadn't really prepared myself.

Now, I don't remember my parents ever being married. Dad and Denise, as I called her, were married when I was little. I don't remember, though they claim I was to be a ring bearer, at least until I chickened out. She spent 30+ years with my father, far more time than my mother ever had, yet I feel I resented her for most of the time. I don't actively remember resentful thoughts, but I know I acted like everything she did for me was wrong.

I recall fabricating excuses to try and get my mother and father together at the same place so they might realize they were supposed to get back together. Having now been through my own divorce, I realize that just wasn't going to happen and my 10 year old mind was perfectly normal. I hadn't accepted it, the divorce that is, even though I couldn't remember them ever being together.

Every summer, I spent a month or so with Dad and Denise and their son, Moose, and Denise's kids from a previous marriage, Scott and Michelle. Several times I had to be sent home early because I was homesick. Really, it was probably just mostly stress from being on my own as an only child of a working, socially active, mother being forced into a home with two parents and three other kids.

I know now that Denise really tried to make things work and that she went out of her way while I was there to please me. Instead of taking advantage of it, I fought back at every opportunity. No I can't possibly eat a PB&J cut into triangles instead of rectangles. I didn't know it until last summer, but she and Dad were fighting for custody of me. I've since wondered how my life would have been different if they'd succeeded. Even as an adult, it never occurred to me that they wanted me to be there more than that one month a year. I managed to mess that up too as I got older. Once I was 16 I got a job over the summer and stopped going to Dad's house. I didn't even realize what I'd done until last year. I didn't realize the pain I caused him by taking away his one chance a year to see his son. I'm sorry Dad.

Around that time, as a teenager, I finally noticed that all the birthday and Christmas checks that Dad sent me were in Denise's handwriting. Those checks and cards and such continued through my adult life, always written by her hand. This is especially meaningful to me now, when my own kids have been taken from me. I know dad struggled to provide for the family and that the child support he was forced to pay Mom far exceeded what he paid each month for his other three kids. And still Denise sent some of the little money they had in the lean times.

For years I had referred to her as my wicked step-mother. I always dreaded visiting because she would be there. She would take an interest in my life and ask me questions and show genuine concern for me and I didn't like it. I wanted to see Dad and be left alone, or so I thought. I admit that her smoking also bothered me, particularly after I became an adult and no longer used to smoke. Still, she didn't deserve the title. She loved me and loved her own kids. I remember her picking through Moose's poop to find the little pink Barbie hairdryer that he'd swallowed and then washing it off and giving it back to Michelle. I'm not sure I'd do that for my own daughter.

Last summer, after settling the terms of my own divorce I went to Florida with my fiancée. We took a day away from her kids and her parents and drove across the state to visit Dad and Denise and Moose and his kids and Uncle Eddie and Chris. Denise and I had quite a talk that day and I came to realize what a jerk I'd been to her for all those years. How I'd hated her and resented her for no reason. Sure, I was only a kid for part of it, but I never really gave her much of a chance. Here I was finally making friends with the woman. Making peace with her. Finally realizing that she was more of a partner to my father than my mother had been. Realizing that she had been the centerpiece of the home, decorating, cleaning, maintaining, sure, but welcoming, greeting, and caring for her guests as well. Apologizing for being the little shit she knew I'd been but loved anyway.

I didn't know that would be our last conversation. I know now you weren't wicked in the sense of the wicked witch, but wicked in the Boston sense. Wicked Good. Goodbye Denise, I'm sorry your journey ended just as I was finally starting to learn who you really were. I'll miss you.
