Damjan Cvetko

Challenge: Santa thanks you all for all the help, dedication and all the challenges you have completed! Thanks again and don’t forget to check BSidesLjubljana #CFP and sponsorship offers. Now Santa is already running late to some parts of the world but anyway it’s all about perfect timing! Enjoy the last challenge and see you at #BSidesLjubljana!

https://rudolph.bsidesljubljana.si

We get a page with a selection of authors; if we select one, we get a quote from that author back.

Googling the listed authors leads to a wiki page: https://en.wikiquote.org/wiki/Slovenian_proverbs The options cover 1997, 1998 and 2000; 1999 is missing. The wiki page lists Chapman (1999). That has to be the answer.

Not.

Looking around the page source, we find a commented-out option:

  <label for="sel1">Quote (select one):</label>
  <select class="form-control" name="quote">
    <option>Paczolay, Gyula (1997)</option>
    <option>Strauss, Emmanuel (1998)</option>
    <option>Pogačnik, Faganel (2000)</option>
    <!--<option>Plečnik (1957)</option>-->
  </select>

I did all sorts of experiments, and when I finally took a break and walked away, it hit me.

The page took a long time to load after I submitted one of the listed options, but returned right away when I sent Plečnik (1957).

Also, the page worked like this: the author was POSTed, then you were redirected back and GET the page. And there were these occasional “Invalid session” responses.

I realized it was a race condition. I figure the server code went something like this:

POST:
  read the quote (author) from the form, save it to the session

GET:
  1. read the quote from the session
  2. permission check: if quote == Plečnik (1957), return "Access Denied"
  3. sleep(1)
  4. read the quote from the session again
  5. look up the answer for the quote read in step 4

The check in step 2 only sees the value read in step 1, but the lookup in step 5 uses the value re-read in step 4, so whatever you write into the session during the sleep is what gets looked up. If you open two windows, make sure both have the same session cookie. Kick off one request with an allowed author in the first window, and while that request is still processing (i.e. during the sleep), POST Plečnik (1957) in the other window; the flag comes back in the first one. I did all this from the shell, but it can just as easily be done in a browser.
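To make the reconstructed flow and the two-window race concrete, here is an added Python model that is not code from the challenge or from the original post. It simulates the server logic guessed above (POST stores the author in a session; GET reads it, checks it, sleeps, re-reads it, looks it up) with an in-process session store instead of HTTP, runs the race with two threads that share one session id, and shows the same race against a version where the lookup uses the value that passed the check. The author names come from the page's `<select>`; the quote strings, the flag placeholder, the session id and the `delay` value are constructed for the example.

```python
import threading
import time

# Constructed data for this model: the three listed authors and the hidden
# one from the page's <select>, with made-up quote text. The real site's
# quotes and flag are not reproduced here.
ALLOWED_AUTHORS = {
    "Paczolay, Gyula (1997)": "quote for Paczolay (constructed)",
    "Strauss, Emmanuel (1998)": "quote for Strauss (constructed)",
    "Pogačnik, Faganel (2000)": "quote for Pogačnik (constructed)",
}
HIDDEN_AUTHOR = "Plečnik (1957)"
HIDDEN_QUOTE = "FLAG-PLACEHOLDER (constructed)"
QUOTES = {**ALLOWED_AUTHORS, HIDDEN_AUTHOR: HIDDEN_QUOTE}


class VulnerableQuoteApp:
    """Model of the server flow reconstructed in the write-up (assumed, not
    the real code): POST stores the author in the session, GET checks it,
    sleeps, then re-reads the session before the lookup."""

    def __init__(self, delay=0.5):
        self.sessions = {}   # session cookie -> {"quote": author}
        self.delay = delay   # stands in for the slow lookup / sleep(1)

    def post_quote(self, sid, author):
        # POST handler: remember the chosen author server-side
        self.sessions[sid] = {"quote": author}

    def get_page(self, sid):
        session = self.sessions.get(sid)
        if session is None:
            return "Invalid session"
        author = session["quote"]                   # 1. read from session
        if author == HIDDEN_AUTHOR:                 # 2. permission check
            return "Access Denied"
        time.sleep(self.delay)                      # 3. slow part
        author = self.sessions[sid]["quote"]        # 4. re-read (the bug)
        return QUOTES.get(author, "Unknown author")  # 5. lookup


class FixedQuoteApp(VulnerableQuoteApp):
    """Same flow, but the lookup uses the value that passed the check."""

    def get_page(self, sid):
        session = self.sessions.get(sid)
        if session is None:
            return "Invalid session"
        author = session["quote"]
        if author == HIDDEN_AUTHOR:
            return "Access Denied"
        time.sleep(self.delay)
        return QUOTES.get(author, "Unknown author")  # no second read


def direct_attempt(app, sid="cookie-direct"):
    """Just POSTing the hidden author: the check in step 2 stops it."""
    app.post_quote(sid, HIDDEN_AUTHOR)
    return app.get_page(sid)


def race(app, sid="cookie-shared", allowed="Strauss, Emmanuel (1998)"):
    """Two 'windows' sharing one session cookie. Window 1 POSTs an allowed
    author and GETs the page; while that GET is inside its sleep, window 2
    POSTs the hidden author into the same session."""
    result = {}

    def window_one():
        app.post_quote(sid, allowed)
        result["page"] = app.get_page(sid)

    t = threading.Thread(target=window_one)
    t.start()
    time.sleep(app.delay / 4)           # window 1 has passed the check by now
    app.post_quote(sid, HIDDEN_AUTHOR)  # window 2: swap the value mid-request
    t.join()
    return result["page"]


if __name__ == "__main__":
    print("direct attempt:     ", direct_attempt(VulnerableQuoteApp(delay=0.1)))
    print("race vs vulnerable: ", race(VulnerableQuoteApp()))
    print("race vs fixed:      ", race(FixedQuoteApp()))
```

Against the real site the two `post_quote`/`get_page` calls would be HTTP requests carrying the same session cookie (two curl invocations or two browser tabs), and the `delay / 4` gap is whatever is needed to land the second POST inside the slow GET; the point the model shows is that the only fix is to never re-read a value after it has been authorised.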

Flag: xmas{T1m3_iS_oFF_the_E55ense_t0_saVe_christmas}

What did I learn: Dober počitek je pol dela (a good rest is half the work). Kar mladi ne vedo, jim stari povedo (what the young do not know, the old tell them). Kdor drugemu jamo koplje, sam vanjo pade (whoever digs a pit for another falls into it himself).
