Den of Evil

I wasn't sure what to expect with this one.   The Thermostat.   Android CTF... I didn't have a readily accessible android device... so initially downloaded the file.   Thermostat.apk   well, ok.   I started downloading nox from https://www.bignox.com/

However, while waiting for nox, I opened the apk using 7-zip.   I poked around to see if the flag was in plaintext in one of the files.   I eventually found 'classes.dex' and opened it just in notepad.exe on windows.   I searched for flag (forgot the ^flag^ or $flag$ just flag) and found a ton of them.   Eventually I cycled through and found both flags right next to each other.   Boom.   Easy squeezy.

From the hints, I'm guessing I was supposed to approach this a bit differently.   I never did get the APK opened.

Flag0 -- Found

• Communication is key


• Have you looked at what the app is sending to the server?

Flag1 -- Found

• Doesn't the MAC seem interesting?


• Access to the source code would help


• Check out the Android Quickstart video from Hacker101

Postbook... 7 flags at 4 points each.

The page looks like it can have a post timeline for posts you create, a way to sign in, sign up, etc.   After creating an account I can see the other posts and see there are users 'user' and 'admin'. 

First flag... log in as 'user'.  Brute force it a bit.. password is super simple.

Second flag... This involves checking post IDs that are not yours..   eg 0, 1, ...   Number 2 reveals a secret post and flag.

Third Flag.. you find by looking at the source when making a new post.   There is a hidden parameter to the post to set the user id.   Alter it so it doesn't match and boom.   Third flag.

Fourth flag... This one really needs a hint... 189*5 was what they gave.   Basically had to check that really high post number and boom.  Flag.

Fifth Flag... edit a post and then alter the parameters to specify someone else's post.   Flag.

Sixth Flag... This one and the next depend on you noticing that the posts and such use a sequence of funny hashes.   That those are always in the same order.   You can set your own cookie to another of the hashes in order to be signed in as another user. 

Seventh Flag
When you create a post and then delete it, it passes in some kind of oddball number, "a87ff679a2f3e71d9181a67b7542122c".   If you check a few single digits as MD5 sum you find '4' hashes to that one.

On this CTF you face a "What is your name?" and an option to download the binary. 

After downloading it and Ghidra, we open it up and see the name goes into a 0x20 buffer on the stack.   Ok, we should be able to overrun it and overwrite the return value.   After plopping in some characters it looks like I can enter 40 and on next one I get a 'segmentation fault' message.

Well, I dump the ROP gadgets, using 'ROPgadget --binary vulnerable-bin' command in Kali and take a further look.  Ok.. digging further into the binary, I see a 'print flag' function.  Ok, may not need the gadgets.

I just need to convert the address to the right order.   Basically, take 0x004006ee and convert to a 64 bit pointer that is url encoded.    %ee%06%40%00%00%00%00%00

Boom, it prints the flag.

Ok.. next challenge... they sort of took the previous one where you could create pages and edit them and wrapped it in a login screen so you have to log in to access them.

So... Fuck around with user name and password. After entering a funky character we find an error message :
Traceback (most recent call last):
  File "./main.py", line 145, in do_login
    if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
  File "/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 250, in execute
    self.errorhandler(self, exc, value)
  File "/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 50, in defaulterrorhandler
    raise errorvalue
ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1")

Ok.. nice so... we see we have an admins database with username and password fields.

The basic idea is to use '; to end the previous statement, put in our own sql statement and then end with a comment character to get rid of the rest of the line.   That or we use ' and then additional text to modify the existing statement, but still terminate with comment to get rid of the unused part of the statement.   The base statement is grabbing the password from the table for the provided username.

I went way down the wrong way here... until I got a hint.   I found that I could drop the table and I tried to insert into the table and so forth.   None of that seemed to work.   I even tried to create other tables, to drop the original table and create a new one with known creds.... either I messed it up or there were protections to keep this from happening.   The hint was about union... so I went that route.

So... if we build a statement that returns some hardcoded text and then provide that same text as password, we will get logged in.    Used UNION to return 'foo' and boom.   First flag.   Also on that page is a hint to get 'the real login creds' ... crumb trail to the next flag?

While thinking about that... I played around and found I could post to page/edit/1 before I was logged in and got the next flag.   Also got a funky bit of base64 gunk as a session key... part of which decoded to json, {"admin" : "true"}     That might come in handy... Maybe I didn't need to log in and I just needed to set a session header like that?

Anyway... playing around with sql in the above statement...

SELECT password FROM admins WHERE username='' or password like "a%"# seems to return unknown user.. .but when I did it where it was LIKE "n%", that return invalid password.   So.. it seems I can figure out the password.   I played around with the %a, a%, and %a% type of combinations along with ' or LENGTH(password) = 4; statements and discovered that for me, the length was 6, it started with an n and ended with an e and contained e,i, k, l , n, o

Sweet, no duplicates... guessed, "nikole" and got it.    Now do the same for the username and found it had a, e, i, n, and r.   It started with i and ended with a and had 5 letters... so... "irena"?    Boom.  Logged in and got the flag.

Just got an email, probably legit, from Navy Federal, whom I have an account with.



Ok, given it is probably legit, you could click the link and find out... but one of the best ways to stay safe online, is.. DO NOT CLICK ON LINKS. OMG. Don't click links.

You have no idea where the link goes and what sort of malware exists at the other end.

Well, I've been doing CNO dev for a while but I've never really gotten into CTF stuff.

So.. hacker one has a CTF.

Level : Trivial
Some mostly blank page. view source in chrome. I hope these aren't browser dependent. Anyway.. it loads a boring background image and has some dire warning about getting stuck. I try to navigate to other resources. I try to view the image separately incase its so huge it has stuff off the edge or has text imbedded in the jpeg. That is where the flag is. Ok. Pretty easy.

Level : Easy, Micro CMS v1
A series of pages. There is a main page with a listing of sub page titles. There is the option to view a page or create a new page. When on a page you can edit the title and body.

I create a couple pages and notice the page number is discontinuous. I manually load a couple of the missing pages and eventually stumble upon one that is different and A flag is there. This challenge has 4 flags. Problem is sorting out where each might be.

Moving on, I edit a page a bit and notice script tags get removed/scrubbed. It also supports some sort of markdown. I eventually manage some image tag XSS and get the second flag.

The third flag is XSS in the title that then gets executed on the main page in the page listing. Ok, 3/4 down.

The last flag takes quite a bit of bumbling around in the wrong area. Even with the hints, I glossed over the area with the flag but totally missed it for hours. But, I was so close, I'm sort of angry it took that long. Its a type mismatch error thing in the URL.

I started poking at cross site scripting, XSS, and found this benign one. The idea is to make it run code that you pick. You can basically craft a url that it uses and runs code, so you could take over page formatting and make it force a log-in and send the creds to another URL.

http://www.coyotecode.net

You can roll dice, like for play-by-post games.

You can name each roll and provide notes. Then you can lookup the roll by number and your data is saved in the database. There may be SQL injections here... but I'm simply poking at the XSS part. User input data isn't scrubbed enough on name input and on the landing page, name because a link.

So, if we make the name of the roll :
f"onmouseover="alert(1)

When you lookup the roll and mouse over the link, it runs our script to display an alert of "1". Here is a saved roll showing it working. http://www.coyotecode.net/roll/lookup.php?rollid=219494

I basically looked at the generated source and figure out what I had to type to alter the HTML/DOM to have my code in there.

I had to change this :
<a href="http://roll.coyotecode.net/lookup.php?rollname=NAME">NAME</a>

Into this :
<a href="http://roll.coyotecode.net/lookup.php?rollname=f">f"onmouseover="alert(1)</a>

The idea was provide a short name, f, in this case, then a quote and then set a new attribute on the link, the mouse over scripting. It inserts a "> at the end of the name, so I leave the final end quote off of "alert(1)". I thought I needed the space between " and onmouseover but it turns out you don't and the browser inserts it for you, thanks Chrome.

My son, Micah, decided to join the run club at school. They are going to train for a 5K. Well, he can't go alone, so I got volunteered. Now I'm getting off my ass to run too. Ran to work this morning using some free C25K app. Hilarious grammar and pronunciation errors as you would expect from a chinese app. One of the reviewers said they had trouble understanding the thick british accent. LOL. Someone thought it was british. Very obviously chinese or maybe japanese.

I walked home too as I could stand the thought of running in my work clothes. Tomorrow is International Bike/Walk to school day. So I'm walking the kids to school and then I'll walk/bike to work. Assuming I can even walk after today's effort.

A day and a half until the kids get here. I can't wait. I'm loading up the MP3 player that my mom bought Aiyre so she'll have her favorite songs already loaded and ready.