Writeup – CBC-MAC / Web1 (Nullcon IM)

This weekend, I participated in the Nullcon IM and Harekaze CTF challenges. Due to my own general laziness, and spending far too long farming a Legiana Gem, I only managed to solve one challenge worth writing about. Without further ado:

CBC-MAC / Web1

This challenge indicated that it was donated by PentesterLabs. I don’t know if it was modified for this challenge, but if you’re going through PentesterLabs now, I recommend giving this writeup a miss if you don’t want spoilers.

This challenge was presented a a web challenge, which allowed any user to log in with the password “Password01”:

Once we log in, we are provided with two cookies: iv, which looks like an 8-byte initialization vector, and auth, which contains a username and what looks like a signature.

The challenge text indicates this has something to do with CBC-MAC. Going to Wikipedia, we learn that if we can control the IV, we are able to exert some limited influence over the first block of data: that is, if we flip a bit in the first block, and flip the corresponding bit in the IV, the signature should still be valid.

We can do this in Burp Suite. First, log in with “bdministrator”. Then, decode the “auth” cookie, modify the user name to “administrator” and re-encode the cookie:

Now, do exactly the same to the IV. Note that you must flip exactly the corresponding bits, and that to change 62 to 61, you need to flip two bits (xor 0b11). This should log you in, and get you the flag:

As always, thankyou to the organisers of both CTF’s this weekend. Well done in particular to Nullcon, for rocking the boat by introducing multiple architectures for reverse engineering / pwn. I am pleased to have the opportunity to participate in these events, and to have technical challenges to amuse myself with and improve myself upon.

See you in Technex CTF (if time permits – 12 hours!) and TAMUctf 18. In the meantime, a thousand projects await:

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s