Damjan Cvetko

Developer, System Architect, Hacker.

Challenge: Santa’s elves created a brand new API for naughty and nice list at http://elfs.owasp.si:8000/ with advanced protections. But did they get the protections right? Be nice.

The url takes us to a page with some text, but no other clues.

After trying some obvious paths, like /api and /list, I looked for something more systematic. I found that the usual tool for this kind of CTF is wfuzz. I had not used it yet, so I had to learn a bit.

You give the tool a word list and a URL with a FUZZ placeholder, and then tell it which results to show or hide, in the form of:

  • specific HTTP codes
  • a specific number of lines/words/chars

There are loads of other options, but this is what I needed.

$ wfuzz -z file,raft-small-words-lowercase.txt --hc 404 http://elfs.owasp.si:8000/FUZZ
********************************************************
* Wfuzz 2.2.9 - The Web Fuzzer                         *
********************************************************

Target: http://elfs.owasp.si:8000/FUZZ
Total requests: 38267

==================================================================
ID      Response   Lines      Word         Chars          Payload
==================================================================

000462:  C=200      0 L       12 W          142 Ch        "submit"

Ok, so we got the url, now we see:

Arguments list, iv and hmac are required. Example values naughty=1&nice=2, 00000000000000000000000000000000, 23e75787ce7a289a4fb0bff3973ae5c0.

iv? hmac? Some predefined values. More cracking? So, following the “documentation” we try:

http://elfs.owasp.si:8000/submit?list=naughty=1&nice=2&iv=00000000000000000000000000000000&hmac=23e75787ce7a289a4fb0bff3973ae5c0 and get

Args not ok.

Hum, oh, let’s escape that & into %26.

http://elfs.owasp.si:8000/submit?list=naughty=1%26nice=2&iv=00000000000000000000000000000000&hmac=23e75787ce7a289a4fb0bff3973ae5c0

Args ok, signature valid but you've been naughty.

Mind you, it took a long time to even get here, because I was looking at the framework Werkzeug/0.14.1 Python/2.7.15 and trying different attacks there. Seems to be popular with CTFs.

Now that we knew we could put something into the list argument and had to provide a matching iv and hmac, the next block of hours was spent trying to understand what type of HMAC it was (it looks like HMAC-MD5), how to brute-force the key out of it, and how the IV figures into all of this.

At one point I figured out that if I don’t input the IV and HMAC in the correct format, we get a 505, but that was again a dead end, until I tried empty values for them and once more got the Args ok, signature valid but you've been naughty. response.

Apparently “did they get the protections right?” means they simply skip the signature check when the values are empty, rather than some sort of advanced cryptographic misuse.
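To make the flaw concrete, here is an added Python example that is not the challenge's own code. It models the check the write-up infers: a server that only verifies the HMAC when iv and hmac are non-empty, next to a hardened version that always verifies. The signing scheme (HMAC-MD5 over iv || list, keyed with a server-side secret), the secret key and the sample requests are all constructed assumptions; the real server's scheme is unknown.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed secret for this example; a real service would load it from config.
SECRET_KEY = b"constructed-example-key"
HEX_LEN = 32  # the iv and hmac values seen in the challenge are 32 hex chars


def sign(list_value: str, iv_hex: str, key: bytes = SECRET_KEY) -> str:
    """Hypothetical scheme: hex HMAC-MD5 over iv || list_value."""
    msg = bytes.fromhex(iv_hex) + list_value.encode()
    return hmac.new(key, msg, hashlib.md5).hexdigest()


def _extract(query: str):
    """Parse the query string the way a web framework would; None if a name is missing."""
    params = parse_qs(query, keep_blank_values=True)
    if any(name not in params for name in ("list", "iv", "hmac")):
        return None
    return params["list"][0], params["iv"][0], params["hmac"][0]


def verify_naive(query: str, key: bytes = SECRET_KEY) -> str:
    """Mirrors the flaw described above: the signature is checked only when
    iv and hmac are non-empty, so `iv=&hmac=` bypasses the check entirely."""
    fields = _extract(query)
    if fields is None:
        return "Arguments list, iv and hmac are required."
    list_value, iv_hex, tag = fields
    if iv_hex and tag:  # BUG: empty strings are falsy, so the check is skipped
        if sign(list_value, iv_hex, key) != tag:
            return "Args ok, signature invalid."
    return "Args ok, signature valid."


def verify_strict(query: str, key: bytes = SECRET_KEY) -> str:
    """Hardened check: both values must be well-formed, and the comparison
    always happens, in constant time."""
    fields = _extract(query)
    if fields is None:
        return "Arguments list, iv and hmac are required."
    list_value, iv_hex, tag = fields
    if len(iv_hex) != HEX_LEN or len(tag) != HEX_LEN:
        return "Args not ok."
    try:
        bytes.fromhex(iv_hex)
        bytes.fromhex(tag)
    except ValueError:
        return "Args not ok."
    expected = sign(list_value, iv_hex, key)
    if not hmac.compare_digest(expected, tag):
        return "Args ok, signature invalid."
    return "Args ok, signature valid."


if __name__ == "__main__":
    iv = "00" * 16
    good = f"list=naughty=1%26nice=2&iv={iv}&hmac={sign('naughty=1&nice=2', iv)}"
    bypass = "list=naughty=2%26nice=1&iv=&hmac="
    for q in (good, bypass):
        print(q, "->", verify_naive(q), "|", verify_strict(q))
```

Note that parse_qs decodes %26 back into &, so the value the server signs and compares is naughty=1&nice=2, while the outer query string still splits correctly on the literal &.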

I tried fuzzing the list parameter again, but got nowhere with normal word lists. I got a hint to look at the format of the provided example, so I made a special word list:

naughty=0%26nice=0
naughty=0%26nice=1
naughty=0%26nice=2
naughty=0%26nice=3
naughty=0%26nice=4
naughty=0%26nice=5
...
naughty=1%26nice=0
naughty=1%26nice=1
naughty=1%26nice=2
naughty=1%26nice=3
...
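As an added example (not from the original post), the following Python shows why the inner & had to become %26 earlier, and builds the same kind of naughty/nice candidate list with the standard library doing the encoding. The helper names are my own and the file name nn.txt is taken from the write-up's command line.

```python
from urllib.parse import parse_qs, quote, urlencode


def split_query(query: str) -> dict:
    """Parse a query string as a web framework would, keeping the first value per name."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def build_submit_query(list_value: str, iv: str = "", hmac_tag: str = "") -> str:
    """Build the submit query so the '&' inside list_value survives as %26.
    safe="=" keeps the inner '=' readable, matching the format the page used."""
    return urlencode({"list": list_value, "iv": iv, "hmac": hmac_tag}, safe="=")


def candidate_lists(max_naughty: int, max_nice: int) -> list:
    """Every naughty=a&nice=b pair below the given bounds, pre-encoded for the list parameter."""
    return [
        quote(f"naughty={a}&nice={b}", safe="=")
        for a in range(max_naughty)
        for b in range(max_nice)
    ]


if __name__ == "__main__":
    # A raw '&' makes 'nice' a separate top-level parameter and leaves list=naughty=1.
    print(split_query("list=naughty=1&nice=2&iv=&hmac="))
    # With %26 the whole pair stays inside the list parameter.
    print(split_query("list=naughty=1%26nice=2&iv=&hmac="))
    # Write the candidate list in the form the wfuzz run above consumed.
    with open("nn.txt", "w") as fh:
        fh.write("\n".join(candidate_lists(100, 100)) + "\n")
```

The first print shows the server's view of the naive request: list is just naughty=1 and nice arrives as an unrelated parameter, which is why the original attempt was rejected with "Args not ok."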

And tried that:

$ wfuzz -z file,nn.txt --hw 8 "http://elfs.owasp.si:8000/submit?list=FUZZ&iv=&hmac="

********************************************************
* Wfuzz 2.2.9 - The Web Fuzzer                         *
********************************************************

Target: http://elfs.owasp.si:8000/submit?list=FUZZ&iv=&hmac=
Total requests: 10000

==================================================================
ID      Response   Lines      Word         Chars          Payload
==================================================================

000202:  C=200      0 L        1 W           26 Ch        "naughty=2%26nice=1"

Result was the flag.

Flag: xmas{Cbc_hmAC_1s_nauGhty!}

What did I learn: the wfuzz tool.
