SiG FSTM

We are SiG FSTM a small community from KUIS. This website will be the place where we share all of our activities!

About Other Community SiG Members

APU Battle Of Hackers CTF 2018 Writeup: Web exploitation level 3

Written by IceM4nn on 16 September 2018

Category : scripting
Title : Web exploitation level 3
Points : 150
Attachment: none

I forgot to write down the question. but let me tell ya about the challenge. They give a link to a page. In that page, it shows number of solves and a long simple mathematics equation. It looks something like this: sig-fstm_repo So, if I send empty data by clicking submit query, nothing will happen except the mathematics equation now changes randomly. Same if I send wrong answer, the number of solves will back to zero not increase any unless I send a correct answer. When correct answer submitted, number of solves increment by one and asks to solve another long random mathematics equation.

If you do this manually by hand (or calculator) it will takes forever to complete this challenge moreover you didn’t know until what number of solves the flag will triggered and you need to watch out not to send wrong answer as this will reset the number of solves back!

I also check if the webpage stores any cookies or running sessions and found that there’s no cookies set and there is a session set in my browser.

By knowing how the webpage works now I know that I need to automated the math problems. So since this in a webpage not in your mathematics exercise book I could write automated script to help my work done quickly.

I choosing to write the script in python. After a few minutes I sucessfully craft my automated script. By running the python script below, I’ll get the flag right away after complete solving 200 math problems. The flag is why_n0t_@ut0m@t3_1t@apuboh2018

#!/usr/bin/env python
import requests
import re

url = 'http://10.112.64.89:8003/' # challenge url
session = requests.Session()

response = session.get(url)
content = response.text

while True:
	try:
		# solves = re.findall('<h1>You solved (.*) problems<h1>', content)[0]
		number =  re.findall('Solve this: (.*)<form', content)[0]

		post_url = url + '/check'
		solution = eval(number)
		post_data = { "solution" : solution }

		response = session.post(post_url, data = post_data)
		content = response.content

		# debug
		# print content
		# print 'number of solves: ' + solves
	except: 
		flag = re.findall('Solve this: (.*)<form', content)[0]
		print 'Found flag!: '+flag
		break

It is simple script and I’m happy doing this challenge.

Extras

I know how the challenge works and if you would like to test it yourself, I made a PHP backend POC code to test out. Note: this backend code is not the original code from the gameserver. I don’t know what they looks like. But since I know a little PHP I tried to replicate it myself and eventually it works just like in the game and thought want to share it with you.

<?php

session_start();
$problems = $_SESSION['PROBLEMS'];
$solved = $_SESSION['SOLVED'];
$solution = $_POST['solution'];
$flag = 'why_n0t_@ut0m@t3_1t@apuboh2018';

if(isset($solution)) { // if post data received
	if ($solution != null) { // if post data is not null
		if (calc($problems, $solution)) { // check if solution is correct
			if ($solved >= 199) {	// check if you have solved 200 maths prob
				$solved++;
				$problems = $flag;
			} else {	// still not solved 200 math prob
				$solved++; // increment solves
				$problems = gen_problems();
				$_SESSION['PROBLEMS'] = $problems;
				$_SESSION['SOLVED'] = $solved;
			}
		} else {	// solution is not correct
			$solved = 0; // start again from zero
			$problems = gen_problems();
			$_SESSION['PROBLEMS'] = $problems;
			$_SESSION['SOLVED'] = $solved;
		}
	} else {	// post data is null
		$solved = 0; // start again from zero
		$problems = gen_problems();
		$_SESSION['PROBLEMS'] = $problems;
		$_SESSION['SOLVED'] = $solved;
	}
} else {	// post data is not received
	$solved = 0; // start again from zero
	$problems = gen_problems();
	$_SESSION['PROBLEMS'] = $problems;
	$_SESSION['SOLVED'] = $solved;
}

print('<!DOCTYPE html><h1>You solved ' . $solved . ' problems<h1><br>Solve this: ' . $problems . '<form action="/check.php" method=post><input type=text name=solution><input type=submit></form>');

function calc($problems,$solution) {
	if (eval('return '.$problems.';') == $solution ) {
		return true;
	} else {
		return false;
	}
}

function gen_problems() {
	$ops = array('+','-','*');
	$problems = '';
	for ($i=1; $i < 10; $i++) { 
		$problems = $problems.rand(1,100).$ops[array_rand($ops)];
	}
	$problems = $problems.rand(1,100);
	return $problems;
}

?>

Copy and paste the code in your web server directory as check.php and index.php and start your webserver. Edit the web address and run the automated script and you get the flag.

Author: Hazmirul Afiq