From 10ab7d6f4de1842919efc25916212663735b4cde Mon Sep 17 00:00:00 2001 From: Christoph Werner Date: Thu, 2 Jan 2020 15:38:25 +0100 Subject: [PATCH] Add hxp 36C3 CTF writeup --- writeups/chrztoph/hxp36C3CTF.md | 175 ++++++++++++++++++++++++++++++++ 1 file changed, 175 insertions(+) create mode 100644 writeups/chrztoph/hxp36C3CTF.md diff --git a/writeups/chrztoph/hxp36C3CTF.md b/writeups/chrztoph/hxp36C3CTF.md new file mode 100644 index 0000000..cf3ea8b --- /dev/null +++ b/writeups/chrztoph/hxp36C3CTF.md 
@@ -0,0 +1,175 @@ +# hxp 36C3 CTF + +## Challenge 1337 skills + +Time: about 4h (with all the Android stuff setup maybe more) without writeup + +### Task description + +``` +It’s too hard to gain all 1337 h4x0r skills required by nowadays CTFs ._.! +I am glad a friendly hacker told me about an App he got during a (growth) hacking course. +Sadly, he didn’t wrote down any activations codes. + +Ready for your hacking exam? + +Connection: +nc 88.198.154.132 7002 +``` + +### Overview + +So we are given a server we can connect to and on clicking on `App` in the task description we are redirected to the website `https://play.google.com/store/apps/details?id=com.progressio.wildskills`. Our goal is to find activation codes. + +### Exploitation + +After connecting to server we are asked to enter an activation code. Entering a random number results in `:(` and when entering a letter the server just closes the connection. So I tried to analyze the Android app. I downloaded the app by using https://apkcombo.com/en-at/apk-downloader/. + +I then started the app on my AVD and was asked for an activation code. After entering some text and clicking activate the message "Ungültiger Aktivierungscode" was shown. I decompiled the app with `jadx` and searched for this string in the source code. + +I found the text inside the function `activateApp` where the following code +can be found: + +``` +Calendar instance = Calendar.getInstance(); +if (i == ((int) (Math.pow((double) (instance.get(3) * instance.get(1)), 2.0d) % 999983.0d))) { + ... +} +``` + +I created a new Java application and ran the code + +``` +Calendar instance = Calendar.getInstance(); +int x = ((int) (Math.pow((double) (instance.get(3) * instance.get(1)), 2.0d) % 999983.0d)); +System.err.println(x); +``` + +to get the activation code `76429`. The code might be different depending on the date. +After entering the correct activation code the server responds with the following: + +``` +Activation code: +76429 +activated! 
+Sales activation code: +``` + +So we need to get a sales activation code. Entering the code also works in the app. Clicking on the the two arrows in the upper right corner opens a menu with an option `Sales`. Clicking on it opens another windows where you are asked to entern an sales activation code. Enter a wrong value shows again the same message "Ungültiger Aktivierungscode". + +There are multiple places where this message is shown but I went with the function `courseActivation` because the title of the screen says "AKTIVIERUNGSCODE FÜR KURS EINGEBEN". From the three strings that are compared only the string `sgk258` worked. + +The server responds with the following: + +``` +Activation code: +76429 +activated! +Sales activation code: +sgk258 +activated! +Leadership activation code: +``` + +I followed the same procedure for the leadership code as for the sales activation code and found out that the code `wmt275` works. The server now responds with: + +``` +Activation code: +76429 +activated! +Sales activation code: +sgk258 +activated! +Leadership activation code: +wmt275 +activated +Service Roadmap (SRM) activation code: +``` + +So one more time the same procedure as before but this time the code is `udh736`. The server then asks for your name where you can enter anything as seen below + +``` +Activation code: +76429 +activated! +Sales activation code: +sgk258 +activated! +Leadership activation code: +wmt275 +activated +Service Roadmap (SRM) activation code: +udh736 +activated! +Congratulations please give me your name: +Chrztoph + ______________________________ + / \ \. +| | |. + \_ | |. + | Certificate of Attendance |. + | |. + | This is to certify that |. + | |. + | Chrztoph |. + | |. + | has attended |. + | |. + | **The baby rev challenge** |. + | |. + | |. + | hxp |. + | |. + | -------------------------- |. + | |. + |hxp{thx_f0r_4773nd1n6_70d4y}|. + | |. + | _________________________|___ + | / /. + \_/____________________________/. 
+``` + +The flag is included in the "certificate". + + + + +## Challenge WriteupBin + +Time: about 8h without writeup + +### Task description + +``` +Finally (again), a minimalistic, open-source social writeup hosting solution. + +Connection: +http://78.46.216.67:8001/ +``` + +### Overview + +A website is given where we should get the flag from and also the source code of the service is given. It is a simple service where you can post writeups, like writeups and show them to the admin. + +### Exploitation + +When entering text in the textfied for the writeup an error message is shown, that the text is too short. The writeup must contain at least 140 characters or more. As a first try I tried to enter a simple `` but this doesn't work because the website immediately shows `This value seems to be invalid.` So I checked why this is happening. A JS library called Parsley (https://parsleyjs.org/) is used for form validation and I found that the `textarea` contains the following `data-parsley-pattern="[^<>]+"` which means that no `<` and `>` are allowed. So I used Postman for further exploitation of the site. + +One thing I noticed when trying to execute a call via Postman is that there is a CSRF token needed named `c`. + +By issuing a request to `/add.php` with the content `

hello

` and the required `c` it is possible to add arbitrary HTML to the website. There is no server-side validation done so by closing the first `` tag and then entering any HTML we are able to add anything to the website. Unfortunately there is a CSP in place: + +``` +default-src 'none'; +script-src 'nonce-NzM0NTE5NTc5Y2NhZDQxMg==' https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.0/jquery.min.js https://cdnjs.cloudflare.com/ajax/libs/parsley.js/2.8.2/parsley.min.js; +base-uri 'self'; +form-action 'self'; +frame-ancestors 'none'; +require-sri-for script style; +``` + +So there can't be done much because the CSP blocks all kind of stuff which is interesting for getting the flag. + +After setting up the server locally I found that there is an `admin.py` script. This script starts a browser and clicks the element which matches the following selector: `input[@id="like"]` which means it will click an element like this one ``. + +It was clear that the input element is clicked for a reason but I couldn't find any further ways in exploiting this. -- 2.43.0
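Review bot: the activation code derivation in the "1337 skills" section leaves out what `instance.get(3)` and `instance.get(1)` are, and that is what the reader needs to reproduce `76429`. In `java.util.Calendar`, field 3 is `WEEK_OF_YEAR` and field 1 is `YEAR`, so the check is `(week * year)^2 mod 999983`; `76429` is exactly `2019^2 mod 999983`, i.e. `WEEK_OF_YEAR == 1` with `YEAR == 2019`, which only happens on the last days of December 2019, when the week already counts as week 1 of the new year while `YEAR` is still 2019 (on 27 December the week is 52 and the code is `667518`; from 1 January 2020 week 1 gives `80468`). Exactly which December days count as week 1 depends on the locale's week rules, so instead of "The code might be different depending on the date" say that the code depends on the date and on the default locale of the JVM or device, and record the date on which you computed it. Separately, the raw HTML in the "WriteupBin" section does not survive markdown rendering: the "simple ``" tag, the `/add.php` payload around `hello`, and the element after "an element like this one ``" all come out as empty backticks; put those snippets in a fenced code block or escape `<` and `>` so the payload and the `input` element the admin bot clicks are visible to the reader.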