The Problem:

Selection_001

(Yes every problem is robot/beer related)

The (probably mspaint) webpage

The (probably mspaint) webpage, the newspaper secretly gives you a hint of the problem at hand. (Sneaky isn’t it?)

Here is what happens when we enter in a password:

Selection_004

Let’s dive into the source shall we?

Selection_005

Ooh, key.js – looks like something we’d be interested in!

Do you see it?

Do you see it?

Take a look through the source, you’ll notice something very particular. Bring your attention to:

Selection_007

It appears when this webpage was created the admin had a debug feature built in. This will probably give us a bit more data!

This script takes one argument and submits it with the debug variable set

We get this as an output:

Selection_009

 

Interesting, so we get two floats along with our response/success boolean. It would appear that this will show you how long the password check took.

Any ideas? I smiled on this problem because it’s very cool (at this point I had it figured out). Basically the idea is the program will stop checking the password once it encounters the first bad character.

Something like this:

Password = test

User input = tango

Computer says “Yep he’s got the t, that matches…Oh! ‘e’ isn’t correct, no need to go any further – stop execution and alert user of bad password.

So logically whatever character takes the longest for the program to compute is the correct letter! This is what is known in cryptography as a side channel attack.

Theory seems sound, let’s code it!

Selection_010

Simple function to try a key and return only relevant data from response

 

Infinite loop to try everything in character set and use whatever took the longest amount of time

Now that we have our code, let’s run it and hope for the best (or at least get a better picture of how this works if you haven’t gotten there yet!)

Selection_012

Selection_013

Character “A” had the longest load time

 

Selection_014

Ever closer! (Hope are charset is good!)

A_Few_Moments_Later

GOT IT! Thanks to our code alerting us when the password was good

Got it! Out comes our key and we’ve solved the challenge. This was very cool for me because it was a practical example of a side channel attack which I’ve always found very interesting. :)

Hope that elaborates clearly enough – any questions or comments please let me know!

Till next time,

-mandatory

 

I decided that this post should could be summed up pretty quickly with just a few pictures, so I’m doing this in more of a blurb format than a blog post :)

The challenge:

Selection_004

This was to allow some wiggle rooms for teams solving the same challenges.

 

geoSelection_005

Loved this challenge, was a lot of fun brainstorming ideas!

 </p>

 

Pharming my blog readers (sorry about that)

#

Sorry guys, CTF fever!

 

 

 

Luring people to my blog via Reddit posts and false Pastebin(s)

geoSelection_003

Selection_001

 

Creating a script to use all international TOR exit nodes

 

Tmux is the best thing since sliced bread

Tmux is the best thing since sliced bread

Mild amounts of proxy scraping

Pretty fruitless attempt sadly (already had many countries at this point)

Pretty fruitless attempt sadly (already had many countries at this point)

#

Making my forum signature image the “secret” link

geoSelection_006

(This works because the browser still does an automatic GET request for images, regardless of whether or not they are actually a proper image format). I ended up stirring up an international thread on the forum I used just to obtain more obscure country flags 😉

Again, sorry about farming you guys for flag points but their was no malware or anything – just a small bit of JSON!

Till next time,

-mandatory

So I was screwing around with Android app hacking and I figured the Snapchat App for Android would be a cool read. While I was originally more interested in reversing the app and making a script to automate Snapchat it turns out someone has already done it: https://github.com/dstelljes/php-snapchat

Dang it!

The process was no a complete waste however, as I stumbled upon something very weird…

Note: To get this source for yourself you’ll need to get the Snapchat APK. Then use dex2jar to create a .jar file, now you can use a Java Decompiler to view the source (in Java). This is possible because Java compiles into bytecode (an intermediary language) and not into machine code.

If you check under the “ui” package:

Selection_024

You’ll notice this:

Selection_023

 

Here is the weird code I’ve found:

package com.snapchat.android.ui;

import android.content.Context;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import android.os.Build.VERSION;
import android.preference.PreferenceManager;
import android.view.MotionEvent;
import com.WazaBe.HoloEverywhere.widget.Toast;
import com.snapchat.android.util.ApiHelper;

public class PressureCooker
{
  private static final float MAX_OUTPUT = 40.0F;
  private static final float MIN_OUTPUT;
  private Context mContext;
  private CropProcessor mPressureProcessor;
  private LowpassProcessor mSizeProcessor;

  public PressureCooker(Context paramContext)
  {
    this.mContext = paramContext;
    SharedPreferences localSharedPreferences = PreferenceManager.getDefaultSharedPreferences(paramContext);
    this.mPressureProcessor = new CropProcessor(localSharedPreferences.getFloat("HISTORICAL_LOW_PRESSURE", (0.0F / 0.0F)), localSharedPreferences.getFloat("HISTORICAL_HIGH_PRESSURE", (0.0F / 0.0F)));
    this.mSizeProcessor = new LowpassProcessor(localSharedPreferences.getFloat("HISTORICAL_LOW_SIZE", (0.0F / 0.0F)), localSharedPreferences.getFloat("HISTORICAL_HIGH_SIZE", (0.0F / 0.0F)));
  }

  private float lerp(float paramFloat1, float paramFloat2, float paramFloat3)
  {
    return paramFloat1 * (1.0F - paramFloat3) + paramFloat3 * paramFloat2;
  }

  public float getFiltered(MotionEvent paramMotionEvent)
  {
    if ((Build.VERSION.SDK_INT >= 14) && (paramMotionEvent.getToolType(0) == 2));
    for (float f = this.mPressureProcessor.getFiltered(paramMotionEvent.getPressure()); ; f = this.mSizeProcessor.getFiltered(paramMotionEvent.getSize()))
      return lerp(0.0F, 40.0F, f * (f * f));
  }

  public float getHistoricalFiltered(MotionEvent paramMotionEvent, int paramInt)
  {
    if ((Build.VERSION.SDK_INT >= 14) && (paramMotionEvent.getToolType(0) == 2));
    for (float f = this.mPressureProcessor.getFiltered(paramMotionEvent.getHistoricalPressure(paramInt)); ; f = this.mSizeProcessor.getFiltered(paramMotionEvent.getHistoricalSize(paramInt)))
      return lerp(0.0F, 40.0F, f * (f * f));
  }

  public void onPause()
  {
    SharedPreferences.Editor localEditor = PreferenceManager.getDefaultSharedPreferences(this.mContext).edit();
    localEditor.putFloat("HISTORICAL_LOW_PRESSURE", this.mPressureProcessor.mLowestInput);
    localEditor.putFloat("HISTORICAL_HIGH_PRESSURE", this.mPressureProcessor.mHighestInput);
    localEditor.putFloat("HISTORICAL_LOW_SIZE", this.mSizeProcessor.mLowestInput);
    localEditor.putFloat("HISTORICAL_HIGH_SIZE", this.mSizeProcessor.mHighestInput);
    ApiHelper.safeSharedPreferencesSave(localEditor);
  }

  public void resetLowPassFilter()
  {
    LowpassProcessor.access$002(this.mSizeProcessor, (0.0F / 0.0F));
  }

  private class CropProcessor
  {
    private static final float DEFAULT_VALUE = 0.01F;
    private static final int INITIALIZATION_SAMPLES = 400;
    public float mHighestInput;
    public float mLowestInput;
    private int mNeededSamples;

    public CropProcessor(float paramFloat1, float arg3)
    {
      this.mLowestInput = paramFloat1;
      Object localObject;
      this.mHighestInput = localObject;
      this.mNeededSamples = 0;
    }

    public float getFiltered(float paramFloat)
    {
      if ((this.mLowestInput != this.mLowestInput) || (this.mHighestInput != this.mHighestInput))
      {
        this.mLowestInput = paramFloat;
        this.mHighestInput = paramFloat;
        this.mNeededSamples = 400;
        Toast.makeText(PressureCooker.this.mContext, 2131624111, 1).show();
      }
      float f1;
      if (paramFloat < this.mLowestInput)
      {
        this.mLowestInput = paramFloat;
        f1 = (paramFloat - this.mLowestInput) / (this.mHighestInput - this.mLowestInput);
        if (f1 <= 1.0F)
          break label152;
        f1 = 1.0F;
      }
      while (true)
      {
        if (this.mNeededSamples > 0)
        {
          this.mNeededSamples = (-1 + this.mNeededSamples);
          float f2 = this.mNeededSamples / 400.0F;
          f1 = 0.01F * f2 + f1 * (1.0F - f2);
        }
        return f1;
        if (paramFloat <= this.mHighestInput)
          break;
        this.mHighestInput = paramFloat;
        break;
        label152: if (f1 < 0.0F)
          f1 = 0.0F;
      }
    }
  }

  private class LowpassProcessor extends PressureCooker.CropProcessor
  {
    private static final float LOWPASS_RATE = 0.1F;
    private float mOldVal = (0.0F / 0.0F);

    public LowpassProcessor(float paramFloat1, float arg3)
    {
      super(paramFloat1, localObject);
    }

    public float getFiltered(float paramFloat)
    {
      if (this.mOldVal != this.mOldVal)
        this.mOldVal = paramFloat;
      for (float f = this.mOldVal; ; f = this.mOldVal)
      {
        return super.getFiltered(f);
        this.mOldVal = (0.9F * this.mOldVal + 0.1F * paramFloat);
      }
    }
  }
}

To make things even more weird it’s not reference or used anywhere!

Seriously. It’s just a random class that’s never actually used anywhere:

Not sure what to think about this, I’ve put it here to see if anyone else reverses the Snapchat app and Googles this code ;). If you are reversing the code and have more info please let me know in the comments or personally as I’m interested as to why this is here at all.

Until next time,

-mandatory

So I recently had a good idea (probably in the shower).

One of the biggest issues when trying to penetrate a network is getting past the perimeter. The outside is almost most protected and if you had an internal user hacked you’d be well on your way to full compromise.

The normal idea here is usually to utilize spear phishing or attempt to get a user to click a link to a browser autopwn page, etc. Sadly, most people aren’t too keen on clicking random links they get in emails.

I started to think what email links do I click on? More specifically what links do I click on from users I don’t already know?

Spam.

Yes, spam, and you probably do as well. I’m not talking Viagra ads, I’m talking the newsletters I’ve been signed up for (that I clearly never signed up for). Having a popular email address (mandatory et gmail) I often get subscribed to a lot of random newsletters. What do you do when you get a lot of newsletters? You click the unsubscribe link. Usually it’s just one click and your unsubscribed, so why wouldn’t you click it?

I hate all you people who use “mandatory” as fake email address.

The idea is literally to spam your users with newsletter emails, eventually they will get fed up with them and click the unsubscribe link. Even better, you don’t have to pretend to be anyone they trust so their is no research that needs to be done. Just spam and wait for them to unsubscribe.

Some issues with this method:

  • Gmail users might just filter your emails straight to spam (just make more newsletters mwuahaha)
  • Creating newsletters that look legit (I’d personally just clone another newsletter)
  • Admins will quickly start marking your emails as spam
  • Cat facts are not a viable newsletter anymore

Personally I think it’d be a lot more effective if you made the unsubscribe link large/noticeable. It’d be even better if you actually didn’t stop sending them the newsletters – forcing non-techy users to forward the emails to the IT guys.

I think you see where this is going…

Even further if you made the newsletters embarrassing it might make the users even more inclined to click the unsubscribe link (porn sites/dating sites/etc). Other ideas I had include making the unsubscribe link an email and perhaps force users to display images so you can get their IP, etc. Perhaps even having an email that says to reply to the email with an unsubscribe link for simple email client fingerprinting…

To end, I’m surprised I haven’t read about this idea before! It seems so simple :)

TL;DR: Spam, Click, Pwn

Till next time,

-mandatory

The beginning of the Web 200 problem for the Sharif University CTF Quals started with a screen like this:

Selection_002

 

So it’s a hybrid login/sign-up form, probably due to the fact that coding two pages is a lot of work for a temporary CTF.

Once you’ve logged in you are presented with a website like so:

Selection_003

 

Ah, I love the smell of weird input in the morning.

Selection_005

 

Ooh, and there is the flag we are looking for!

We have the ability to create new “items” as well, let’s try that out.

Selection_004

 

Once we’ve added the item we are shown this:

Selection_006

So we can delete or view the “item” we’ve added, let’s checkout what’s under “View”.

 

Selection_007

 

Neat, what’s the URL look like decoded?

Selection_008

 

 

Ooh! Looks like they are including a file with the path name in the URL!

Let’s modify that a bit and see what happens.

Selection_009

 

Interesting, this looks like a local file inclusion vulnerability? But is it?

 

Selection_011

 

After putting that URL in your browser you get this as output:

Selection_012

 

Neat! So you can now see the PHP source code of any files inside of the root web directory!

So I’d just like to say something here, I spent literally 2 hours banging my head to beat the above piece of code. I was so sure you had to beat the security measures by reading some configuration file!

Spoiler alert: That’s not the vulnerability you’re exploiting at all.

 

Before you continue reading, try practicing by looking through the mirrored PHP code below for vulnerabilities:

The main page for logging in: http://thehackerblog.com/ctf_content/sherif/index.php.html

The page that allows us to view the source of pages: http://thehackerblog.com/ctf_content/sherif/getfile.php.html

The panel page that lets you view your items/other items: http://thehackerblog.com/ctf_content/sherif/panel.php.html

See if you can find the answer yourself, else continue on reading.

Let’s try reading another file shall we?

Selection_010

Selection_020

 

 

 

Long story short, their SQL looked clean, their wasn’t anything to obvious until I saw this:

Selection_021

 

Getting closer to the answer? Notice how after you create an account it does this:**

**

Selection_014

 

So hopefully you’ve got a whiff of what’s bad about this but in case you haven’t, this is how registration works:

  1. Username is checked to ensure it’s not “admin”
  2. Username and password are checked to ensure nobody else is using them
  3. If they don’t exist then it registers them
  4. After it has registered you, the program removes tab characters from your username.
  5. The cookies are then generated, the “auth_user” is your username and the “auth_hmac” is your username HMAC MD5 hashed with a secret $hmackey
  6. You are then redirected to the panel page to view/create items.

So what if my name was “admin[TAB]”?

  1. Username is checked to ensure it’s not “admin”, which it isn’t (it’s “admin[TAB]”)
  2. The username is checked to ensure nobody else has used it (which it hadn’t been, the CTF people probably made sure of this)
  3. Since “admin[TAB]” wasn’t registered it was created in the database
  4. My username was then stripped of the tab characters, meaning my username is now just “admin”
  5. My cookies are now generated, using HMAC MD5 with my username “admin” and the secret $hmackey
  6. I’m then redirected to the panel page.

Neat, let’s try it!

Selection_015

 

Tamper Data Firefox Addon

Tamper Data Firefox Addon

Let’s just grab a tab character…

Selection_017

And put it after my username…

Selection_018

Notice the tab character after “admin” for my username

After submitting it, we get this:

Selection_019

I like the look of that! Come on baby, let’s see an admin account!

Selection_020

Perfect, we were authenticated as admin and can now view the flag!

Selection_021

 

Woohoo!

Selection_022

Ah, no better feeling

 

I also will include the other things I tried (just in case it’s helpful to anyone):

  • Tried to brute-force the secret key (because I had the algorithm + my username)
  • Thought their was a way to somehow to read the credentials.php file