Defcamp CTF Quals 2014 - Network 200 – The Manager is back (200pts) writeup

The challenge description was: That fucking manager got smarter. He moved to house number 22, but we got this: fuckmanagers.pcap

First thing to do was visit the new manager's "house" at 10.13.37.22, we are greeted with a login form and there isn't anything really interesting to get from here.

While checking the source of the page we can see at the bottom a small javascript with the following:

$('.hook-submit').click(function(){
  var h1 = md5($('#pass').val());
  var h2 = $('#nonce').val();
  var xor = myxor(h1, h2);
  $('#hiddenpass').val(xor);
  setTimeout(function() { $('#form').submit(); }, 100);
});

When we send a username and password, the password is encrypted to MD5 and run through the method myxor with the token nonce. The result is then sent along with the token for verification on the server side. Sidenote: myxor method is not really the usual xor you would encounter, it keeps boundaries for valid alphanumeric characters.

Analyzing the traffic should give us some interesting hints as to how to solve this one. After downloading the pcap file and opening it in Wireshark we can see the following POST request at the bottom of the list:

POST / HTTP/1.1
Host: 10.13.37.22
Connection: keep-alive
Content-Length: 89
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://10.13.37.22
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://10.13.37.22/
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8,ro;q=0.6,ru;q=0.4
Cookie: PHPSESSID=7hnoc09he3vtohslep97fdm8o0

user=manager&nonce=7413734ab666ce02cf27c9862c96a8e7&pass=3ecd6317a873b18e7dde351ac094ee3b

GET /favicon.ico HTTP/1.1
Host: 10.13.37.22
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,ro;q=0.6,ru;q=0.4
Cookie: PHPSESSID=7hnoc09he3vtohslep97fdm8o0

We have the manager user, pass and token POST data. With that precious info in hand we can try and reverse the myxor method to get the real password encrypted in MD5. My teammate rik ( rikaard.blogspot.com ) reversed it in a couple minutes and gave me the MD5:

cabaf0ddf21df38cbeb77c94a40e4654

This is the python script he sent me:

def decrypt(c,n):
	p = ''
	for i in range(0,32):
		c_val = int(c[i],16)
		n_val = int(n[i],16)
        
		if c_val < n_val:
			p_val = 16+c_val-n_val
		else:
			p_val = c_val - n_val
		p += (hex(p_val)[2:])
	return p
print decrypt('3ecd6317a873b18e7dde351ac094ee3b','7413734ab666ce02cf27c9862c96a8e7')

I quickly googled the MD5 to see if it was already listed anywhere and it wasn't. Blame my lack of sleep or my stupidity but I started bruteforcing the MD5 when rik mentioned to me "ee.. man it's client based" and yeah.. silly me. No need to bruteforce anything if you can edit how the password is sent to the server. We can then have a valid token in our session along with a valid MD5 encrypted password. So I edited the script with Firebug and remove the call to the MD5 method:

$('.hook-submit').click(function(){
  var h1 = $('#pass').val();
  var h2 = $('#nonce').val();
  var xor = myxor(h1, h2);
  $('#hiddenpass').val(xor);
  setTimeout(function() { $('#form').submit(); }, 100);
});

I enter the username "manager" and password "cabaf0ddf21df38cbeb77c94a40e4654" and was finally logged in to see the following message:

The secret is behind bb00403ebcbfa0748bcbee426acfdb5b :)

After googling the MD5:

bb00403ebcbfa0748bcbee426acfdb5b : youtoo

We got our flag:

youtoo