Writeup: bounce_the_flag

OSUSEC CTF League is back, baby! And it’s on Mondays! Piping hot writeups are back on the regular menu and we’re getting right into things with a classic SQL injection.

The challenge: “Let’s kick things off with one of my favorite classic games: Bounce the Flag! Bounce the flag is an immersive hyper-realistic gaming experience blah blah blah. One of Bounce the Flag’s most celebrated competitors, Mr. Flag, blahdie blahdie blah, forgot the password to his account, blah blah blah”

Forget about all that stuff – It’s gaming time!

Sweet! High score!

Awesome! I just got a high score! Time to record this epic win on the Bounce the Flag HOF!

What?! I definitely typed my password in right, but I must not have an account. I’m mad! This piece of gaming history deserves to be on the leaderboard! I’m gonna get this score up on the leaderboard, mark my words.

Luckily, we have access to the source code of the server and have been told ahead of time that the server is vulnerable to SQL injection 😀

username = request.form['username_input']
password = request.form['password_input']

res = sql_fetchall(
    connection,
    f"""
    SELECT score, game_time
    FROM users
    INNER JOIN games
    ON users.id = games.user_id
    WHERE username = '{username}' AND password = '{password}'
    ORDER BY game_time
    """
)

Our opportunity lies in the unsanitized username and password fields, which are interpolated straight into the query string. Submitting

Mr. Flag' -- 

gives us the message “Pfffffft you call that a high score?!! Try again when you score at least 1337 points!”

As the score is held client-side, opening up the dev console and entering score=1338 is enough to log in and save our score.

If we can modify our username or password to break the SQL request for the stats page, we’re golden.

I had trouble crafting the username statement, so I switched to putting the exploit in the password, with the final exploit being:

Username: Mr. Flag
Password: ' or 1=1 union select password,username from users -- 
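As an added example (not the challenge's own code), the query above rebuilt on an in-memory SQLite database next to a parameterized version, so the two payloads from this writeup can be run against both; the table layout and the stored password are constructed.

```python
import sqlite3
from typing import List, Tuple

# Constructed stand-in for the challenge's users/games tables.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE games (user_id INTEGER, score INTEGER, game_time INTEGER);
        INSERT INTO users VALUES (1, 'Mr. Flag', 'correct horse');
        INSERT INTO games VALUES (1, 9001, 100), (1, 1500, 200);
    """)
    return conn

# Mirror of the challenge's query: the inputs are spliced into the SQL text,
# so a quote in either field rewrites the statement itself.
def login_vulnerable(conn, username: str, password: str) -> List[Tuple]:
    query = f"""
        SELECT score, game_time
        FROM users INNER JOIN games ON users.id = games.user_id
        WHERE username = '{username}' AND password = '{password}'
        ORDER BY game_time
    """
    return conn.execute(query).fetchall()

# Hardened form: bound parameters, so the very same strings stay data.
def login_safe(conn, username: str, password: str) -> List[Tuple]:
    query = """
        SELECT score, game_time
        FROM users INNER JOIN games ON users.id = games.user_id
        WHERE username = ? AND password = ?
        ORDER BY game_time
    """
    return conn.execute(query, (username, password)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # Comment-out payload from the writeup: the password check never runs.
    print(login_vulnerable(conn, "Mr. Flag' -- ", "nope"))   # both game rows
    print(login_safe(conn, "Mr. Flag' -- ", "nope"))         # []
```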

/etc/fstab for ENGR servers

I had some trouble getting set up with the ENGR servers from my Arch Linux laptop.

What I was trying: smbclient //stak.engr.oregonstate.edu/users/ONID -U ONID@oregonstate.edu, and various permutations.

Eventually, I found that smbclient '//depot.engr.oregonstate.edu/users' -U=ONID@oregonstate.edu was successful. Note that appending /ONID to the path didn’t work, and this solution requires cd-ing into your ONID directory once connected.

So that worked, but I wanted to be able to run mount /mnt/engr, so I created an fstab entry.

//stak.engr.oregonstate.edu/users/ONID /mnt/engr cifs _netdev,nofail,uid=paul,gid=paul,credentials=/etc/samba/credentials/engr 0 0

This requires a file called /etc/samba/credentials/engr, which should have strict permissions and look something like

username=ONID@oregonstate.edu
password=hunter2

Now, sudo mount /mnt/engr will get you access to your remote directory!
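An added example (not from the original post) of the housekeeping the credentials= option deserves: pull the path out of the fstab line, create the file readable by its owner only, and refuse to proceed if the permissions have since been loosened. The fstab line and the ONID/password values are the post's own; the demo runs in a temporary directory rather than /etc.

```python
import os
import stat
import tempfile
from typing import Optional

# The post's fstab entry, as a constant so the parser can be exercised.
FSTAB_LINE = ("//stak.engr.oregonstate.edu/users/ONID /mnt/engr cifs "
              "_netdev,nofail,uid=paul,gid=paul,credentials=/etc/samba/credentials/engr 0 0")

def credentials_path(fstab_line: str) -> Optional[str]:
    """Return the credentials= option from a cifs fstab line, or None."""
    fields = fstab_line.split()
    if len(fields) < 4 or fields[2] != "cifs":
        return None
    for opt in fields[3].split(","):
        if opt.startswith("credentials="):
            return opt[len("credentials="):]
    return None

def write_credentials(path: str, username: str, password: str) -> None:
    """Create the file with mode 0600 and refuse to clobber an existing one."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"username={username}\npassword={password}\n")

def credentials_ok(path: str) -> bool:
    """True only if the file exists and has no group/other permission bits."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def demo() -> dict:
    """Write a credentials file in a scratch dir and check it before and
    after the permissions get loosened the way a plain `touch` would."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "engr")
        write_credentials(path, "ONID@oregonstate.edu", "hunter2")
        strict = credentials_ok(path)
        os.chmod(path, 0o644)
        loose = credentials_ok(path)
    return {"strict": strict, "loose": loose}
```

A mount wrapper would call credentials_ok(credentials_path(line)) and bail out before running mount /mnt/engr if it returns False.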

Writeup: Target Practice

This was my first time getting first blood with my team, so I’m excited to write it up. OSINT challenges have a lot of collaboration opportunities, and our first blood was due to some good teamwork.

Challenge Description: Can you help me find the full name of the person behind the alias “anonhunter26”? This link might be helpful: https://osintframework.com/ Submit flag as osu{firstname_lastname}

Looks like we’ve got to track someone down given their username. Before doing anything, I checked for a twitter account. The bio states that our target is a “Senior software developer at a small startup.” Looks like finding the company might be our secondary goal. Scrolling through the rest of the account, we see reference to a “coworker and good friend” whose handle is @hatebav2ropc. Neither of these accounts follow or are followed by anyone, and their likes are relevant to infosec but not helpful in identification.

Looks like “hatebav2ropc” might give us a clue, though, so let’s gather some information. https://whatsmyname.app/ shows that hatebav2ropc exists on GitHub. There is only one repository, with two commits. Clicking on a commit and adding “.patch” to the URL gives patch information.

From b8e908c74c182c73d840192cd89d3f27b5177641 Mon Sep 17 00:00:00 2001
From: Anonymous <anonymousfreak32@gmail.com>
Date: Fri, 24 Sep 2021 23:57:15 -0700
Subject: [PATCH] Fixed line formatting

We’ve got an email! Looking at it with https://tools.epieos.com/email.php shows that the account belongs to someone named Gabriel Cortney.

Using Twitter search for “Gabriel Cortney” reveals a more professional Twitter account, whose bio states that Cortney is a “Lead security analyst for @opticalsocial.” The company’s Twitter account is followed only by Cortney and a man claiming to be the CEO. We’re looking for a senior software developer, so we might take our new information back to Github.

Searching for “opticalsocial” on Github gives us one user in the results: Oswald Denman, a senior software developer.

Submitting the flag osu{Oswald_Denman} is a success!

Writeup: Ultrasecure

In this challenge, we are given a binary and the instructions to “Use pwntools and ghidra to reverse engineer and break into the ultrasecure(tm) vault!”

Let’s check it out!

Running the binary gives us the output:

$ ./ultrasecure
Prove that you are not human, repeat this to me in less than .05s: 1626412526
1626412526
Whoops, too slow

Looks like my reflexes aren’t quite fast enough, so we’ll have to automate the nonce reply. This is a good time to use pwntools! First we’ll connect to the binary, and then we’ll read in and repeat the nonce back. The code for the nonce looks like this:

from pwn import *

# Start the binary locally and talk to it over stdin/stdout
conn = process('./ultrasecure')
# The prompt ends with the nonce, so grab the last whitespace-separated token
nonce = conn.recvline().split()[-1]
# Echo it straight back, well inside the .05s window
conn.sendline(nonce)

Running this script gives us

You passed the nonce check! Now, Unlock the UltraSecure(tm) Vault:
$ password
Whoops, wrong password :(

Firing up Ghidra gives us a password_check function, which contains the lines below.

  local_c = -0x21524cc1;
  __isoc99_scanf(&DAT_00400b9f,&local_3c);
  if (local_c == local_3c) {
    print_flag();
                    /* WARNING: Subroutine does not return */
    exit(0);
  }

-0x21524cc1 = -559041729 (the same 32-bit pattern as 0xdeadb33f, read as a signed int, which is what scanf stores), so we’ve got our password! Entering it after running our script gives us access to the flag.

Writeup: Hash Browns

In our first OSUSEC challenge of 2021, we were given the instructions to “open the linked website in your browser. Good luck!”

Opening the link in Firefox, we reach this site prompting for a password.

My spidey-senses tingling, I opened inspect element. This revealed some javascript that activated when the submit button was pressed:

function check_password() {
  let password = document.getElementById("password").value;
  // Hash the typed password in the browser and compare against a hard-coded digest
  let hash = get_sha256(password);
  if (hash == "b0fef621727ff82a7d334d9f1f047dc662ed0e27e05aa8fd1aefd19b0fff312c") {
    document.getElementById("login").submit();
  }
}

We see that there is a sha256 hash in the script. Using Hash Toolkit on the hash reveals that the password is “pineapple.” Hit submit, and getting the flag should be trivial from here!
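An added example (not the challenge's code) of why a digest embedded in page JavaScript is not a secret, written in Python: an unsalted SHA-256 of a dictionary word falls to a wordlist at once, which is what Hash Toolkit did for us, while a check that must stay secret belongs on the server behind a salted, slow KDF and a constant-time compare. The wordlist is constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, Iterable, Optional

# Unsalted SHA-256 hex digest, as the page's client-side check computes it.
def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

# Anyone holding the digest can hash candidates and compare; returns the
# matching word or None. This is all a lookup service like Hash Toolkit does.
def recover_from_wordlist(target_hex: str, words: Iterable[str]) -> Optional[str]:
    for word in words:
        if sha256_hex(word) == target_hex:
            return word
    return None

# Constructed mini wordlist; "pineapple" is the challenge's password.
WORDLIST = ["password", "letmein", "pineapple", "hunter2"]

# Server-side alternative: per-user salt, memory-hard scrypt, and a
# constant-time comparison, so neither the digest nor the timing leaks.
def make_verifier(password: str, salt: Optional[bytes] = None) -> Callable[[str], bool]:
    salt = salt or os.urandom(16)
    params = dict(salt=salt, n=2**14, r=8, p=1)
    digest = hashlib.scrypt(password.encode(), **params)

    def verify(candidate: str) -> bool:
        return hmac.compare_digest(hashlib.scrypt(candidate.encode(), **params), digest)

    return verify

if __name__ == "__main__":
    target = sha256_hex("pineapple")
    print(recover_from_wordlist(target, WORDLIST))   # pineapple
    check = make_verifier("pineapple")
    print(check("pineapple"), check("Pineapple"))    # True False
```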

Looks like we’re in for a bit more! We’ve got to click the link, which is twisting and turning all about the webpage. We can either click it (the fun way) or pretend to click it (the 1337 way).

Looks like it calls a function called print_flag(), which can be entered using the web console. After this function is called, the text “Get the flag!” is replaced with the flag. Hitting Ctrl-A selects the text, which can then be copied and submitted!

This was a fun, goofy introduction to OSUSEC, and I enjoyed my first-ever CTF challenge 🙂

OSU LUG

I’ve been enjoying Oregon State’s Linux Users Group. I’ve been to two meetings, the most recent one being “How Linux Loads Programs.” I came into the talk knowing practically nothing about the subject, but the presentation was so information-dense that I now feel capable of giving a (less masterful) explanation to any of my classmates. Thanks, Gabriel!

I’m surprised every time at how easy it is to pay attention during the presentations. I stayed focused through the entire demonstration, which lasted a bit over an hour. I’m hoping that as I proceed through my degree I’ll be capable of enjoying my classes as deeply as I enjoy attending nerd clubs, but until then, I’ll save my brainpower for 6pm on Thursdays.