UPDATE #2 (2010-10-11): The CSAW CTF Team has published the official solutions of all of the challenges. Take a look here.
First, thanks to the CSAW team for creating this CTF; it was amazing :). Also, thanks to the people in my team; next time we'll do better ;p.
I'm usually scared of crypto challenges, but at CSAW I approached them in a creative/lazy way. Forget your crypto, the latest padding attacks and whatever. We are hackers; we usually find a way to solve things, but this time it won't be the elegant way ;p.
Do you want to solve 3 challenges (1200 points) in 30 min?
After entering your username/team name, the server issues a new cookie (SID) that contains a Base64-encoded value.
Looking at the page, we get role=5, but we need role 0 to obtain the key. So let's play a bit with the cookie, changing its values to see what happens...
You're role is level 5, but you need a role level of 0 to continue (normal message)
('need more than 1 value to unpack',)
Reason: Sorry, an error had occurred.
Reason: Sorry, an error has occurred. (strange, "has" instead of "had")
File "csaw.py", line 372, in challenge1
padding_length = struct.unpack("B", ptext[-1])
IndexError: string index out of range
File "csaw.py", line 367, in challenge1
ptext = aes_decrypt(sid.value, CSAW_CRYPTO_1_KEY, codec='base64')
File "/home/csaw/csaw/utils.py", line 122, in aes_decrypt
IllegalBlockSizeError: Input length must be multiple of 16 when decrypting with padded cipher
OK, so we have an AES crypto scheme with padding and a lot of error messages, but wait... Since the application decrypts the cookie, can we craft a cookie which, once decrypted, fools the application into giving us role=0?
Let's launch Burp (an amazing tool, btw) and use the Intruder feature, selecting the "bit flipper" payload. Burp will flip one bit of every char of the original cookie.
GET /challenge1 HTTP/1.1
We wait for Burp to finish the attack, and after 688 requests we take a look at the results. Luckily, I found 7 different cookie values that give us the flag...
Congratuations CHA (of team LENGE)! You have successfully completed
CSAW 2010 Crypto Challenge #1.
Here's your flag: 43fb994b59e8bb99d99ef969d773ea98
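The bit flipper works here because the server decrypts the cookie and trusts whatever comes out, and its distinct error messages (unpack failure, padding index error, block-size error) tell the client which flips landed. The following is an added example, not code from the post or from the CSAW server, showing the defensive counterpart: authenticate the cookie with an HMAC before any decryption or parsing, fail uniformly, and re-run the same flip-every-bit survey to confirm that no tampered cookie is accepted. All names, the MAC key and the 16-byte sample "ciphertext" are constructed, and the AES output is treated as opaque bytes.

```python
import base64
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def protect_cookie(mac_key: bytes, ciphertext: bytes) -> str:
    """Encrypt-then-MAC: tag the AES ciphertext, then Base64 the pair."""
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return base64.b64encode(ciphertext + tag).decode("ascii")

def unprotect_cookie(mac_key: bytes, cookie: str):
    """Return the ciphertext only if its tag verifies, otherwise None.
    Bad Base64, a too-short value and a wrong tag all fail identically, so
    the client never sees the padding or block-size errors the post lists."""
    try:
        raw = base64.b64decode(cookie, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    ciphertext, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ciphertext

def bit_flip_survey(mac_key: bytes, cookie: str):
    """Flip every bit of every cookie character, as Burp's bit flipper does,
    and return (attempts, accepted): how many tampered cookies got through."""
    attempts = accepted = 0
    original = cookie.encode("ascii")
    for i in range(len(original)):
        for bit in range(8):
            mutated = bytearray(original)
            mutated[i] ^= 1 << bit
            # latin-1 turns a flipped high bit into a non-ASCII character,
            # which the strict decoder rejects like any other junk
            attempts += 1
            if unprotect_cookie(mac_key, mutated.decode("latin-1")) is not None:
                accepted += 1
    return attempts, accepted

# Constructed sample: a stand-in MAC key and a single 16-byte AES block.
DEMO_MAC_KEY = b"constructed-demo-mac-key"
DEMO_CIPHERTEXT = bytes(range(16))

if __name__ == "__main__":
    cookie = protect_cookie(DEMO_MAC_KEY, DEMO_CIPHERTEXT)
    print("attempts, accepted:", bit_flip_survey(DEMO_MAC_KEY, cookie))
```

With a 48-byte payload the cookie is 64 Base64 characters, so the survey makes 512 attempts, the same flip-every-bit sweep Burp ran, and every one of them is rejected before the ciphertext is ever touched.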
A similar challenge to the one before, but the previous trick does not work. However, on some errors the following error message can be spotted.
You're role is currently level L, however this area requires a role level of 0.
So we managed to alter the level with a modified cookie. I analysed the cookie, looking for which modifications of the original cookie allow changing the user level.
In my case, it seems that 3 chars could potentially affect the role level...
So, again, launch Burp and create an "Intruder attack", but this time we'll brute force these 3 characters using the charset [a-zA-Z0-9]. Yep, around 200k requests, but we'll finish before that.
Launch the attack, and after 1800 requests we take a look at the results...
Congratuations guest (of team guest)! You have successfully completed
CSAW 2010 Crypto Challenge #2.
Here's your flag: 8ee38021f40ef94e6725e9be07b49951
We solved it! And around 20 requests (of 1800) gave the correct answer...
I lost the logs for this challenge, but it seems that it contains a critical bug. As can be observed in the statistics, 33 teams solved CRYPTO 3, too many compared to the teams which solved CRYPTO1 or CRYPTO2 (16-18), so something was wrong with this challenge ;p.
If we read the tip from the previous challenge:
For the next challenge, you need to specify to impersonate the Administrator user
So, if we issue the following GET request, we have solved this challenge (observe that it's a silly modification of the username, from Guest to Administrator).
As promised, I solved the challenges very quickly (around 30 min):
It is necessary to remember that sometimes it doesn't matter how you solve the challenges; you just need to solve them quickly, especially in a CTF :).