Writeups – Diary, Isoar (Midnight Sun CTF Quals)

This weekend, I attended the BSides Australia 2018 conference. This was another iteration of an already excellent con, with numbers expanding year on year. It is always good to have the opportunity to meet up with people I haven’t seen in a long time: I probably had more productive meetings on the second day of the con than in an entire week at my day job.

On Sunday, I participated in the Midnight Sun CTF Quals. This was a well-structured CTF, with a good variety of challenges leaning towards the difficult end. Unfortunately, I was only able to solve a few challenges; here are the writeups for them:

Diary

The Diary challenge was presented as an archive, containing a Git repository, which you can download here.

In this archive, there is “diary.txt” and “wishlist.txt”. Opening up “diary.txt” reveals the following:

Unfortunately, the Git repository seems to be corrupted:

A little bit of Googling reveals a way around this: we run “git fsck”, which checks the object store directly instead of walking from HEAD and the branch refs, and it reports an interesting dangling commit (one that no ref and no other commit points at):

We can check out the dangling commit directly by its hash, even though “git log” from HEAD is broken, and then walk its history and check out the commit for the April 11th entry, revealing the flag:
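To make the recovery step concrete, here is an added example that is not part of the original writeup and not the challenge’s repository: a small Python reimplementation of the part of “git fsck” that matters here, run against a loose object store constructed in a temporary directory. It writes three diary commits exactly as git stores them, points refs/heads/master at an object that does not exist (a stand-in for whatever the real corruption was), then finds the commit nothing points at, walks its parents the way “git log <hash>” would, and reads diary.txt out of each commit’s tree. The commit messages, dates and the flag string are made up.

```python
import hashlib
import os
import tempfile
import zlib


def write_object(objdir, kind, body):
    """Store a loose object as git does: zlib("<kind> <len>\\0<body>"), named by its SHA-1."""
    raw = b"%s %d\0" % (kind.encode(), len(body)) + body
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(objdir, sha[:2]), exist_ok=True)
    with open(os.path.join(objdir, sha[:2], sha[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def read_object(objdir, sha):
    """Inflate a loose object and return (kind, body)."""
    with open(os.path.join(objdir, sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, body = raw.partition(b"\0")
    return header.split(b" ")[0].decode(), body


def commit_parents(body):
    """Parent SHA-1s from the commit header (everything before the first blank line)."""
    header = body.split(b"\n\n", 1)[0]
    return [line[7:].decode() for line in header.split(b"\n") if line.startswith(b"parent ")]


def dangling_commits(gitdir):
    """What 'git fsck' reports as dangling: commits no ref and no other commit's parent line names."""
    objdir = os.path.join(gitdir, "objects")
    commits = {}
    for sub in os.listdir(objdir):
        for name in os.listdir(os.path.join(objdir, sub)):
            kind, body = read_object(objdir, sub + name)
            if kind == "commit":
                commits[sub + name] = commit_parents(body)
    pointed_at = set()
    for root, _, files in os.walk(os.path.join(gitdir, "refs")):
        for name in files:
            with open(os.path.join(root, name)) as f:
                pointed_at.add(f.read().strip())  # a ref to a missing object still counts as a pointer
    for parents in commits.values():
        pointed_at.update(parents)
    return sorted(sha for sha in commits if sha not in pointed_at)


def history(gitdir, sha):
    """First-parent walk from a commit: 'git log <sha>' when HEAD and the branch refs are unusable."""
    objdir = os.path.join(gitdir, "objects")
    walk = []
    while sha:
        walk.append(sha)
        parents = commit_parents(read_object(objdir, sha)[1])
        sha = parents[0] if parents else None
    return walk


def read_file(gitdir, commit, filename):
    """One file from a commit's tree, i.e. 'git show <commit>:<file>' (flat tree, no subdirectories)."""
    objdir = os.path.join(gitdir, "objects")
    tree_sha = read_object(objdir, commit)[1].split(b"\n")[0].split(b" ")[1].decode()
    tree = read_object(objdir, tree_sha)[1]
    while tree:  # entries are "<mode> <name>\0<20 raw SHA-1 bytes>"
        entry, _, rest = tree.partition(b"\0")
        blob_sha, tree = rest[:20].hex(), rest[20:]
        if entry.split(b" ", 1)[1] == filename.encode():
            return read_object(objdir, blob_sha)[1]
    raise FileNotFoundError(filename)


def build_sample_repo():
    """Constructed sample: three diary commits, then refs/heads/master is corrupted to name
    an object that does not exist, so nothing reachable from the refs can be logged."""
    gitdir = tempfile.mkdtemp()
    objdir = os.path.join(gitdir, "objects")
    os.makedirs(os.path.join(gitdir, "refs", "heads"))
    shas, parent = [], None
    entries = [b"April 9: nothing happened\n", b"April 11: flag{constructed}\n", b"April 12: oops\n"]
    for i, text in enumerate(entries):
        blob = write_object(objdir, "blob", text)
        tree = write_object(objdir, "tree", b"100644 diary.txt\0" + bytes.fromhex(blob))
        body = b"tree %s\n" % tree.encode()
        if parent:
            body += b"parent %s\n" % parent.encode()
        stamp = 1523232000 + i * 86400  # made-up timestamps, one day apart
        body += b"author A <a@example.invalid> %d +0000\n" % stamp
        body += b"committer A <a@example.invalid> %d +0000\n\nentry %d\n" % (stamp, i)
        parent = write_object(objdir, "commit", body)
        shas.append(parent)
    with open(os.path.join(gitdir, "refs", "heads", "master"), "w") as f:
        f.write("deadbeef" * 5 + "\n")  # the corruption: a ref to a non-existent object
    return gitdir, shas


if __name__ == "__main__":
    gitdir, shas = build_sample_repo()
    tip = dangling_commits(gitdir)[0]  # the hash "git fsck" would print
    for sha in history(gitdir, tip):   # "git log <tip>", then "git show <commit>:diary.txt"
        print(sha[:8], read_file(gitdir, sha, "diary.txt").decode().strip())
```

The only thing git needs in order to find the commit is the object itself: a broken ref or a missing HEAD stops “git log”, but does not stop a walk of .git/objects, which is why “git fsck” (and “git fsck --lost-found”) still surfaces the history. Packed objects and packed refs are not handled here; the real tool reads both.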

Isoar

The Isoar challenge was presented as a web application, allowing users to check the strength of their password against a list of 1001 passwords, one of which is the administrator’s password.

When a password is submitted, the page returns one “fact” about the password, and a score:

The goal was to obtain the administrator’s password. Inspecting the page source, we can see some interesting files:

The “app.js” file shows us how a password check and a login request are made, while “pwmeter.js” is an obfuscated JavaScript file which shows us how to generate the proof of work required for both actions (based on a randomly salted SHA hash of the password you want to test).

A little bit of further exploration reveals 1000 of the 1001 passwords in the file “/public.password.list”; the only one missing is the administrator’s.

From here, we have enough to execute the attack. The server returns only one “fact” per request, so we submit a candidate, say “a”, repeatedly until the fact we get back is how many of the 1001 passwords end with “a”. We compute the same count ourselves over the 1000 known passwords. For every candidate character the two counts match, except for one character where the server’s count is one higher: that extra match can only be the administrator’s password, so we now know its last character. We then prepend each candidate character to the suffix recovered so far and repeat, growing the suffix one character per round.

Two hours of brute forcing later, we know the administrator’s password ends with “rHolyP4ssw0rd”. Some guesswork later, we get the flag by submitting a login request with “H3rHolyP4ssw0rd”:

You can find the Python scripts I used for this solution here and here.

Thank you to the organisers of this CTF – I enjoyed this experience. That said, I grow weary of competing by myself once more – it is my intention to restart farmingsimulator2015 (in one form or another). More thoughts on this later – the clock ticks on for WPICTF, and my projects won’t complete themselves.

See you in WPICTF.

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting.
