Saturday, October 2, 2010

CSAW CTF - Crypto Writeup (crypto1-crypto3): The easy way

UPDATE #1 (2010-10-06): Marcin has updated his blog with a description of all the CRYPTO challenges. Take a look here if you want to learn the proper way to solve them ;p.

UPDATE #2 (2010-10-11): The CSAW CTF team has published the official solutions to all of the challenges. Take a look here.


First, thanks to the CSAW team for creating this CTF, it was amazing :). Also, thanks to the people in my team; next time we'll do better ;p.

I'm usually scared of crypto challenges, but at CSAW I approached them in a creative/lazy way. Forget your crypto, the latest padding attacks and whatever. We are hackers, we usually find a way to solve things, but this time it won't be the elegant way ;p.

Do you want to solve 3 challenges (1200 points) in 30 min?

Challenge 1

After entering your username/team name, the server issues a new cookie (SID) containing an encrypted value, Base64-encoded.

Looking at the page, we get role=5, but we need role 0 to obtain the key. So let's play a bit with the cookie, changing its values to see what happens...


Normal message:
  You're role is level 5, but you need a role level of 0 to continue (normal message)

Error messages:
  ('need more than 1 value to unpack',)

  Reason: Sorry, an error had occurred.

  Reason: Sorry, an error has occurred.  (strange, "has" instead of "had")

  File "csaw.py", line 372, in challenge1
    padding_length = struct.unpack("B", ptext[-1])[0]
IndexError: string index out of range


  File "csaw.py", line 367, in challenge1
    ptext = aes_decrypt(sid.value, CSAW_CRYPTO_1_KEY, codec='base64')

  File "/home/csaw/csaw/utils.py", line 122, in aes_decrypt
    raise IllegalBlockSizeError(16)
IllegalBlockSizeError: Input length must be multiple of 16 when decrypting with padded cipher


OK, so we have an AES scheme with padding and a lot of error messages, but wait... Since the application decrypts the cookie, can we craft a cookie whose decryption fools the application into giving us role=0?

Let's launch Burp (an amazing tool, btw) and use the Intruder feature, selecting the "bit flipper" payload. Burp will flip one bit of every character of the original cookie.

GET /challenge1 HTTP/1.1
Host: 128.238.66.100:30008
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: SID=§1VPLGn4HRGWuoSZUKm1LJVCCQ00Wde6F7rF69B6lbdrcjfimsRn1fR5Xj-cMXacA6Tk0-nq-opzgBolRezQJ_Q§


We wait for Burp to finish the attack, and after 688 requests we take a look at the results. Luckily, I found 7 different cookie values that give us the flag...

     Cookie: SID=1VPLGn4HRGWeoSZUKm1LJVCCQ00Wde6F7rF69B6lbdrcjfimsRn1fR5Xj-cMXacA6Tk0-nq-opzgBolRezQJ_Q

    Congratuations CHA (of team LENGE)!  You have successfully completed

       CSAW 2010 Crypto Challenge #1.

    Here's your flag: 43fb994b59e8bb99d99ef969d773ea98


Challenge 2

Similar challenge to the previous one, but the previous trick does not work. However, on some errors the following message can be spotted:

   You're role is currently level L, however this area requires a role level of 0.

So, we managed to alter the level with a modified cookie. I analysed the cookie, looking for which modifications of the original cookie change the user level.

In my case, it seems that 3 chars could potentially affect the role level...
   Cookie:   c2=jif5p_ozkevQZR5PPRk1YOvFhXuguXGfRclYWXn8oadaFywF7jdTjEWDP3Km6775aSmy-sgPL7qgeD1Lo5eHNw

So, again, launch Burp and create an "Intruder attack", but this time we'll brute force these 3 characters using the charset [a-zA-Z0-9]. Yep, around 200k requests, but we'll finish well before that.

Launch the attack, and after 1800 requests we take a look at the results...
    Congratuations guest (of team guest)!  You have successfully completed
       CSAW 2010 Crypto Challenge #2.

    Here's your flag: 8ee38021f40ef94e6725e9be07b49951


We solved it! And around 20 requests (of 1800) gave the correct answer...
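Why the bit flipper works against both challenge 1 and challenge 2 is a property of CBC mode, not of the specific payloads. The following is an added example, not the challenge's csaw.py and not code from the writeup: a toy keyed Feistel cipher stands in for AES (the chaining rule P[i] = D(C[i]) XOR C[i-1] is what makes the cookie malleable, and it is independent of the block cipher), the cookie layout `user=guest;team=guest;role=5;x=1` and both keys are constructed for the demo, and the encrypt-only cookie is shown beside an encrypt-then-MAC version that rejects the very same modification.

```python
import base64
import hashlib
import hmac
import os
import re

BLOCK = 16
ROUNDS = 4
ENC_KEY = b"demo-encryption-key"  # constructed demo keys; a server would use random ones
MAC_KEY = b"demo-mac-key"
# Constructed cookie layout: exactly two blocks, role digit at byte 11 of block 1.
PLAINTEXT = b"user=guest;team=guest;role=5;x=1"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(block: bytes, key: bytes, rounds) -> bytes:
    # Toy 16-byte block cipher standing in for AES: a 4-round Feistel network
    # with a SHA-256 round function. CBC malleability does not depend on the cipher.
    left, right = block[:8], block[8:]
    for rnd in rounds:
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    # A Feistel network is inverted by swapping the halves and running the rounds backwards.
    out = _feistel(block[8:] + block[:8], key, reversed(range(ROUNDS)))
    return out[8:] + out[:8]


def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    padded, prev, out = pad(plaintext), iv, []
    for i in range(0, len(padded), BLOCK):
        prev = _feistel(_xor(padded[i:i + BLOCK], prev), key, range(ROUNDS))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    if len(data) % BLOCK or len(data) < 2 * BLOCK:
        raise ValueError("Input length must be multiple of 16")
    prev, out = data[:BLOCK], []
    for i in range(BLOCK, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        # P[i] = D(C[i]) XOR C[i-1]: a bit flipped in C[i-1] flips the same bit in P[i]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return unpad(b"".join(out))


def b64e(raw: bytes) -> str:  # URL-safe Base64 without padding, like the SID cookie
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(cookie: str) -> bytes:
    return base64.urlsafe_b64decode(cookie + "=" * (-len(cookie) % 4))


def issue_cookie(plaintext: bytes = PLAINTEXT) -> str:
    """Encrypt-only cookie: confidentiality, but no integrity."""
    return b64e(cbc_encrypt(ENC_KEY, plaintext))


def role_from_cookie(cookie: str):
    try:
        m = re.search(rb"role=(\d+)", cbc_decrypt(ENC_KEY, b64d(cookie)))
    except ValueError:  # bad base64, bad length or bad padding: the server's error cases
        return None
    return int(m.group(1)) if m else None


def issue_authenticated_cookie(plaintext: bytes = PLAINTEXT) -> str:
    """Encrypt-then-MAC: the tag covers IV and ciphertext, so any flipped bit is rejected."""
    data = cbc_encrypt(ENC_KEY, plaintext)
    return b64e(data + hmac.new(MAC_KEY, data, hashlib.sha256).digest())


def role_from_authenticated_cookie(cookie: str):
    raw = b64d(cookie)
    data, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, data, hashlib.sha256).digest(), tag):
        return None  # tag mismatch: never decrypt
    return role_from_cookie(b64e(data))


def flip(cookie: str, offset: int, delta: int) -> str:
    """XOR one byte of the decoded cookie (Burp's bit flipper does this one bit at a time)."""
    raw = bytearray(b64d(cookie))
    raw[offset] ^= delta
    return b64e(bytes(raw))


# Byte 11 of ciphertext block 0 (right after the 16-byte IV) lines up with the role digit in block 1.
ROLE_OFFSET = BLOCK + 11
ROLE_DELTA = ord("5") ^ ord("0")
```

With the encrypt-only cookie, `role_from_cookie(flip(issue_cookie(), ROLE_OFFSET, ROLE_DELTA))` returns 0 while the first block (user and team) decrypts to garbage, which is exactly the "CHA (of team LENGE)" pattern in the challenge output; the authenticated version returns None for the same flipped cookie because the HMAC check runs before decryption, so no padding or parsing errors leak either.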


Challenge 3

I lost the logs for this challenge, but it seems to contain a critical bug. As can be observed in the statistics, 33 teams solved CRYPTO 3, far too many compared to the teams which solved CRYPTO1 or CRYPTO2 (16-18), so something was wrong with this challenge ;p.

If we read the tip from the previous challenge (a small form with two fields, User and Key):

   For the next challenge, you need to specify to impersonate the Administrator user
   User: [field]
   Key:  [field]

So, if we issue the following GET request, we have solved this challenge (note that it is just a trivial modification of the username, from Guest to Administrator):

http://128.238.66.100:30008/challenge3?user=Administrator&key=NGmPjZ4zfUlwl4DJdyoCfw


Flag: 2051dfd6eba0c8e4a989a4a575501506
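The bug, as the writeup describes it, is that a key obtained as Guest is accepted with any value of the user parameter. As an added example (not the challenge server's code), here is the check that closes that gap: the key is derived from the user name with an HMAC under a constructed server secret, so a key issued to Guest does not verify for Administrator. The weak check next to it models the observed behaviour, where any previously issued key is accepted regardless of the user name.

```python
import base64
import hashlib
import hmac

SERVER_SECRET = b"demo-server-secret"  # constructed for the demo, not a value from the challenge


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_key(user: str) -> str:
    """Key handed out after challenge 2, bound to the user name it was issued for.
    Truncated to 16 bytes only to keep the URL parameter short."""
    tag = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).digest()[:16]
    return _b64(tag)


def check_unbound(user: str, key: str, issued_keys: set) -> bool:
    """Weak check (models the bug): any issued key passes for any user name."""
    return key in issued_keys


def check_bound(user: str, key: str) -> bool:
    """Hardened check: recompute the key for the claimed user, compare in constant time."""
    return hmac.compare_digest(issue_key(user), key)
```

Because the key is a function of the user name, there is no table of issued keys to keep server-side, and the user parameter can no longer be changed independently of the key.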

Conclusions

As promised, I solved the challenges very quickly (around 30 min):

  #    Challenge   Points   Solved at
  13   CRYPTO2     400      2010-09-25 21:17:23
  12   CRYPTO1     300      2010-09-25 21:30:27
  14   CRYPTO3     500      2010-09-25 21:38:34

It is worth remembering that sometimes it doesn't matter how you solve the challenges; you just need to solve them quickly, especially in a CTF :).

7 comments:

  1. Solving the crypto challenges was even easier: lots of teams got caught by one of our XSS payloads from the webchallenges and left their cookies in our logfile. So I copied their cookie values to my browser and I could solve the crypto challenges just by visiting the challenges with the stolen cookies from teams that had already passed the challenge ;P

  2. lol, that way to solve the challenges is much better than mine :).

  3. 30mins :o waw! And I didn't know the burp trick, neat.

    @Reiners: indeed, well done :)

  4. Nice writeup ;) Maybe you've forgotten about the bonus challenge, with ecb blocks substitution :)

  5. I took a look and managed to do something, but it was not enough xD. I was completely focused (lost) on web300 and xss300.

    Yes, I'd like to see a writeup about the bonus challenge :)

  6. Alex, I've posted a writeup on the challenges here:

    http://www.gdssecurity.com/l/b/2010/10/06/crypto-challenges-at-the-csaw-2010-application-ctf-qualifying-round/

    I wish someone would have said something about #3 (I patched this on my end, but never pushed the patch up to server) :(

  7. @Marcin: Finally a proper description of the challenges; I read your post, very interesting.

    Btw, congratulations for PadBuster, it rocks :).
