This weekend, I participated in the Nullcon IM and Harekaze CTF challenges. Due to my own general laziness, and spending far too long farming a Legiana Gem, I only managed to solve one challenge worth writing about. Without further ado:
CBC-MAC / Web1
This challenge indicated that it was donated by PentesterLabs. I don’t know if it was modified for this challenge, but if you’re going through PentesterLabs now, I recommend giving this writeup a miss if you don’t want spoilers.
This challenge was presented as a web challenge, which allowed any user to log in with the password “Password01”:
Once we log in, we are provided with two cookies: iv, which looks like an 8-byte initialization vector, and auth, which contains a username and what looks like a signature.
The challenge text indicates this has something to do with CBC-MAC. Going to Wikipedia, we learn that if we can control the IV, we are able to exert some limited influence over the first block of data: the IV is XORed into the first plaintext block (and only that block) before it is encrypted, so if we flip a bit in the first block and flip the corresponding bit in the IV, the cipher input is unchanged and the signature should still be valid.
We can do this in Burp Suite. First, log in with “bdministrator”. Then, decode the “auth” cookie, modify the user name to “administrator” and re-encode the cookie:
Now, do exactly the same to the IV. Note that you must flip exactly the corresponding bits, and that to change 62 to 61, you need to flip two bits (xor 0b11). This should log you in, and get you the flag:
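The bit-flipping step above, worked through in code as an added example (this is not code from the writeup or from PentesterLab): a toy CBC-MAC that trusts a client-supplied IV, the IV adjustment that turns a tag for “bdministrator” into a valid tag for “administrator”, and the fixed-IV verifier that rejects the same forgery. The block cipher is a stand-in (a keyed PRF truncated to 8 bytes, since the page never names the cipher), the key and IV are constructed, and the signed message is assumed to be just the username.

```python
import hmac
import hashlib

BLOCK_SIZE = 8  # assumption: the challenge's IV is 8 bytes, so an 8-byte block is used here


def block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 64-bit block cipher (the page never names the real one).
    CBC-MAC only runs the cipher in the forward direction, so a keyed PRF
    truncated to the block size is enough to show the IV property."""
    assert len(block) == BLOCK_SIZE
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_SIZE]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(msg: bytes) -> bytes:
    """PKCS#7-style padding so the message is a whole number of blocks."""
    n = BLOCK_SIZE - len(msg) % BLOCK_SIZE
    return msg + bytes([n]) * n


def cbc_mac(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Classic CBC-MAC: XOR each block into the chaining state, encrypt,
    and return the final block as the tag."""
    state = iv
    padded = pad(msg)
    for i in range(0, len(padded), BLOCK_SIZE):
        state = block_cipher(key, xor(state, padded[i:i + BLOCK_SIZE]))
    return state


def forge_first_block(iv: bytes, msg: bytes, new_msg: bytes) -> tuple:
    """Return the IV under which the tag for msg is also valid for new_msg.
    Only the first block is reachable this way: the IV is XORed into block 1
    and nothing else, so any change beyond it cannot be compensated."""
    if len(msg) != len(new_msg) or msg[BLOCK_SIZE:] != new_msg[BLOCK_SIZE:]:
        raise ValueError("only changes inside the first block can be absorbed by the IV")
    delta = xor(pad(msg)[:BLOCK_SIZE], pad(new_msg)[:BLOCK_SIZE])
    return xor(iv, delta), new_msg


def verify_client_iv(key: bytes, iv: bytes, msg: bytes, tag: bytes) -> bool:
    """The weak design: the server recomputes the MAC with the IV from the cookie."""
    return hmac.compare_digest(cbc_mac(key, iv, msg), tag)


ZERO_IV = bytes(BLOCK_SIZE)


def verify_fixed_iv(key: bytes, msg: bytes, tag: bytes) -> bool:
    """The fix: a fixed IV on both sides leaves the client nothing to adjust."""
    return hmac.compare_digest(cbc_mac(key, ZERO_IV, msg), tag)


def demo() -> dict:
    key = b"constructed-server-key"  # constructed, not from the challenge
    iv = bytes(range(BLOCK_SIZE))    # constructed IV
    username = b"bdministrator"

    # Weak server: tag issued under the client-visible IV.
    tag = cbc_mac(key, iv, username)
    forged_iv, forged_user = forge_first_block(iv, username, b"administrator")

    # Fixed server: tag issued under the zero IV; the cookie carries no IV.
    fixed_tag = cbc_mac(key, ZERO_IV, username)

    return {
        "iv_delta_byte": forged_iv[0] ^ iv[0],  # 'b' ^ 'a' == 0b11, the two bits flipped
        "forgery_accepted_with_client_iv": verify_client_iv(key, forged_iv, forged_user, tag),
        "forgery_accepted_with_fixed_iv": verify_fixed_iv(key, forged_user, fixed_tag),
    }


if __name__ == "__main__":
    print(demo())
```

The only difference between the two verifiers is where the IV comes from; a tag that the server recomputes under an attacker-chosen IV is not an integrity check on the first block at all.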
As always, thank you to the organisers of both CTFs this weekend. Well done in particular to Nullcon, for rocking the boat by introducing multiple architectures for reverse engineering / pwn. I am pleased to have the opportunity to participate in these events, and to have technical challenges to amuse myself with and improve myself upon.
See you in Technex CTF (if time permits – 12 hours!) and TAMUctf 18. In the meantime, a thousand projects await: