Itemize

Defensive 100 TMCTF 2016 Online Qualifier

31 Jul, 2016
1 minute read

Defensive 100 TMCTF 2016 Online Qualifier

Decode me!

Decodeme_decodeme.php

Original file: http://www.mediafire.com/download/anbgtymb968km88/files5.zip

After decrypting the code we are met with the following php-script (edited for readability)


<?php
$GLOBALS['key'] = "6c7f4d49729e58d7a458999b570e0151bc034ca7";
$func="create_function";
$decodeme=$func('$x','eval("?>".gzinflate(base64_decode($x)));');
$decodeme("bigstring")
?>

(Sidenote: bigstring is a large string - a way to obfuscate the php script.) Running the script presents us with the following page:

bilde1

Echo the bigstring decoded:


<?php
$bigstring = "bigstring";
echo gzinflate(base64_decode($bigstring));
?>

We get a full webpage including base64-encoded images, and a simple webshell. Including a reference to https://github.com/b374k/b374k.

The interesting part however is this:


function chk_password(){
    if(!isset($GLOBALS['key'])){ die(); }
    if(trim($GLOBALS['key'])==''){ die(); }
    $glob = $GLOBALS['key'];

    $post = '';
    $cook = '';
    if (isset($_POST['key'])) { $post = $_POST['key']; }
    if (isset($_COOKIE['key'])) { $cook = $_COOKIE['key']; }
    if ($cook==$glob) { return; }

    if($post != ''){
	    $key = sha1(md5($post));
        if($key==$glob){
		    setcookie("key", $key, time()+36000, "/");
            $qstr = (isset($_SERVER["QUERY_STRING"])&&(!empty($_SERVER["QUERY_STRING"])))?"?".$_SERVER["QUERY_STRING"]:"";
		    header("Location: ".htmlspecialchars($_SERVER["REQUEST_URI"].$qstr, 2 | 1));
        	$cook = $_COOKIE['key'];
	    }
    }

Which basically checks if sha1(md5(input in key field)) is equal to the key-variable, and if it is authenticates the user and shows the webshell “interface”. To see this I simply changed the key-variable to a sha1-hash of a md5-hash of a string I knew.

After finding no hint as to what the flag was, I decided to look at the images, which you could easily do if you edited the php-script setting a $_REQUEST[‘cmd’] variable to certain strings. List of the commands:

[showcontact, showsupport, showlock, buylicense, whoauthor, getversion]

The images themselves didn’t show anything of note. Although the EXIF-data of the lock-image had an interesting Camera-model name.


<?php
eval(base64_decode("ZWNobyAnZmxhZyBpcyBzaGExKHBhc3N3b3JkKSc7"));
?>

Which evaluates to:

flag is sha1(password)

Finding the flag was then pretty simple. The initial page showed the text “enter **” leading me to believe that the password was 4 characters long. The password was then found by a simple python script (because fuck php)

from hashlib import md5, sha1
import random
import string
key = "6c7f4d49729e58d7a458999b570e0151bc034ca7"

alphabet = "abcdefghijklmnopqrstuvwxyz1234567890"
while True:
    candidate = ''.join(random.choice(alphabet) for _ in range(4))

    if sha1(md5(candidate).hexdigest()).hexdigest() == key:
        print "[*] PASSORD IS:  {}".format(candidate)
        break
        
        
# Output: [*] PASSORD IS:  h4ck

Flag: TMCTF{e17e98788d6b4ac922b2df100ef9398ae0f229ad}