CSAW CTF 2017 Writeups

Here are a few writeups for CSAW CTF. We participated as the dcua team, a group of awesome people giving our best effort on the challenges.

 

Web 100

Solver: Aaditya Purani

Task : Orange V1

http://web.chal.csaw.io:7311/?path=orange.txt

At the time I solved it, the challenge was worth 400 points; later it was reduced to 100. We can see that the path parameter fetches orange.txt and displays it. This is called ‘File Inclusion’. As mentioned in the challenge text, our goal is to read flag.txt, which is the solution to this challenge. A month earlier, I had read Orange Tsai’s Black Hat presentation and kept it in my notes, thinking it might appear in a CTF someday, and today was the day.

Here is the talk : https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

On slide #40, he explains the NodeJS Unicode failure. You can find the fullwidth Latin capital letter N here:

http://graphemica.com/%EF%BC%AE

The UTF-16 (hex) representation of the letter is 0xFF2E, or \xFF\x2E. As Orange explained in his talk, handling this character triggers the Unicode failure, and it ends up as \x2E, which is a dot (.). Now that you understand the basics, it’s finally time to exploit it.

For black-box testing, my first approach with any input is to determine its behavior. Let’s try this:

http://web.chal.csaw.io:7311/?path=../orange.txt

We see the output WHOA THATS BANNED! They must have a blacklist. So, I tried

http://web.chal.csaw.io:7311/?path=./orange.txt

That worked. After a few more inputs, it seemed they had banned two consecutive dots. So now we can use the fullwidth Latin N followed by a dot to bypass the filter and traverse back a directory.

http://web.chal.csaw.io:7311/?path=Ｎ./flag.txt

flag{thank_you_based_orange_for_this_ctf_challenge}

Bonus :

This was easy. If we have file inclusion, we can possibly read the source code too, so why not do that for fun? The first thing is to know what files are present in the directory, so we need to see whether the server allows directory listing. You can check too, using

http://web.chal.csaw.io:7311/?path=#/flag.txt

We see different files, but none of them are important, so we traverse a directory back and see what’s inside it

http://web.chal.csaw.io:7311/?path=/Ｎ./#flag.txt

Great, we can see all the files but server.js is our point of interest. We can dump the file using

http://web.chal.csaw.io:7311/?path=Ｎ./server.js

and you get the source code of the challenge. Now we can analyse the code too:

    if (path.indexOf("..") == -1 && path.indexOf("NN") == -1) {
        // something cool
    } else {
        res.writeHead(403);
        res.end("WHOA THATS BANNED!!!!");
    }

Now we can confirm that our Black-Box analysis was precise.

Bottom Line:

It would have been a more challenging question if the organizers had kept the flag under a lengthy, unpredictable file name instead of flag.txt, in the directory above poems. That would have required all solvers to use the bonus method I showed. Remember: directory listing is very useful.

WEB 300

Solver: Aaditya Purani

Task: Orangev3

http://web.chal.csaw.io:7312/?path=orange.txt

This one is relatively tougher. Even a single dot is blocked, and this time the Latin N is blocked too.

http://web.chal.csaw.io:7312/?path=./orange.txt

After some trial and error, I concluded that any input with .txt would get through the filter. But that alone won’t help us traverse. To traverse, you need dots, or you can try different encodings and other fuzzing tricks. But in this case, none of those work. So, let’s get back to basics.

We saw earlier how Orange’s Unicode failure bug works. Even if the filter now blocks the Latin N, the point to exploit remains the same: your letter’s UTF-16 representation should contain \x2E. So we should find more letters like that.

This is the bible to find it: http://www.fileformat.info/info/charset/UTF-16/list.htm

This looks promising http://www.fileformat.info/info/unicode/char/012e/index.htm

http://web.chal.csaw.io:7312/?path=ĮĮ/flag.txt

flag{s0rry_this_t00k_s0_m@ny_tries…}

Bonus:

This one is fun. Now I want to read the source code, and as you know, we need directory listing for that. This time # is blocked, but %23 is not.

http://web.chal.csaw.io:7312/?path=ĮĮ/%23flag.txt

Sweet, we can see the files. The point of interest is server.js. So you may straightaway try something like

http://web.chal.csaw.io:7312/?path=ĮĮ/%23server.js

That didn’t work xD. This is why analyzing behavior is important. Read a few lines above and you will see that only .txt is allowed, and server.js is not .txt. Null bytes to the rescue (not really!)

The first thing to do in such a scenario is to append %00

http://web.chal.csaw.io:7312/?path=ĮĮ/server.js%00.txt

Blocked! Even though we have .txt, the null byte fails miserably. So, is it the end of the road? Nope. The solution is visible in the above URL itself.

Spoiler: Selectors (#)

I have used such bypasses before in real pentesting scenarios and was glad to find one in a CTF. So this should work, right?

http://web.chal.csaw.io:7312/?path=ĮĮ/server.js%23.txt

Blocked. What went wrong now? The answer is that we are using two dots instead of one. We can use the same Unicode letter to bypass that, and that’s our final attack vector

http://web.chal.csaw.io:7312/?path=ĮĮ/serverĮjs%23.txt

 

 

Source Code (Snipped)

    if (no_ext.indexOf(".") == -1 && path.indexOf("Ｎ") == -1 && path.indexOf("%") == -1 && ext == '.txt') {
        // something cool
    } else {
        res.writeHead(403);
        res.end("WHOA THATS BANNED!!!!");
    }

Now we can see how accurate the black-box analysis was. I wanted not only to show the solution in a boring write-up, but to explain the methodology behind it. Flags may fade away, but knowledge never will. The challenge would have been awesome if the flag name had been random instead of flag.txt, as that would have forced participants to think outside the box.
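The truncation behind both the Web 100 and Web 300 bypasses, next to a check that does not rely on a character blacklist, as an added example (not part of the original writeup or the challenge source). `v1Filter` copies the condition from the Orange V1 source above; `onTheWire`, `riskyCodeUnits`, `safeResolve` and the `/poems` base path are assumed names, and the sample inputs are constructed.

```javascript
const { posix } = require('path');

// Condition copied from the Orange V1 source shown in the writeup.
function v1Filter(p) {
  return p.indexOf('..') === -1 && p.indexOf('NN') === -1;
}

// Model of the Unicode failure: every UTF-16 code unit is cut down to its
// low byte. Buffer's 'latin1' encoding performs exactly this truncation.
function onTheWire(p) {
  return Buffer.from(p, 'latin1').toString('latin1');
}

// Detection helper (hypothetical name): code units above 0xFF whose low byte
// is a path- or URL-significant ASCII character after truncation.
const SIGNIFICANT = new Set(['.', '/', '\\', '#', '%', '?']);
function riskyCodeUnits(p) {
  const hits = [];
  for (let i = 0; i < p.length; i++) {
    const code = p.charCodeAt(i);
    const low = String.fromCharCode(code & 0xff);
    if (code > 0xff && SIGNIFICANT.has(low)) {
      const hex = code.toString(16).toUpperCase().padStart(4, '0');
      hits.push({ index: i, codeUnit: 'U+' + hex, becomes: low });
    }
  }
  return hits;
}

// Hardened check (assumption: files live under BASE with plain ASCII names).
const BASE = '/poems';
function safeResolve(p) {
  if (!/^[A-Za-z0-9_.\/-]+$/.test(p)) return null; // allowlist: no non-ASCII, #, %
  const full = posix.resolve(BASE, p);             // normalise first, then compare
  return full.startsWith(BASE + '/') ? full : null;
}

// Constructed sample inputs (escapes used so the characters are unambiguous).
const samples = ['orange.txt', '../flag.txt', '\uFF2E./flag.txt', '\u012E\u012E/flag.txt'];
function report() {
  return samples.map((p) => ({
    input: p,
    passesV1: v1Filter(p),
    wire: onTheWire(p),
    risky: riskyCodeUnits(p).length,
    safe: safeResolve(p),
  }));
}
console.log(report());
```

The string-level filter and the bytes that reach the backend disagree for the last two samples, while the allowlist plus normalise-then-compare check rejects them without knowing which characters collapse.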

We finished 8th globally and 4th in North America Undergraduate. Overall, the CTF was awesome.

Thanks to NYU for the fun and pain of the past two days. See you next in New York!
