From 10bc971d461d841c6861afee460eb48645ebf3ac Mon Sep 17 00:00:00 2001
From: chgue <chris.gue@gmx.at>
Date: Sun, 8 Dec 2019 14:15:40 +0100
Subject: [PATCH] Update old writeups, add ctfzone writeup.

---
 writeups/chgue/ctfzone19.md   | 97 +++++++++++++++++++++++++++++++++++
 writeups/chgue/seccon19.md    | 11 ++--
 writeups/chgue/tasteless19.md |  2 +
 3 files changed, 106 insertions(+), 4 deletions(-)
 create mode 100644 writeups/chgue/ctfzone19.md

diff --git a/writeups/chgue/ctfzone19.md b/writeups/chgue/ctfzone19.md
new file mode 100644
index 0000000..e696136
--- /dev/null
+++ b/writeups/chgue/ctfzone19.md
@@ -0,0 +1,97 @@
+# Retrospective
+This CTF was not really fun. It felt like _a lot_ of guesswork (at least the web challenges that I attempted).
+
+At first I tried chicken together with @theguy, but the obvious vulnerability did not help us to find anything. Instead we wasted a few hours trying to find a hint in the filesystem. In total I spent about 2 hours.
+
+On the second day I tried to help with bathhouse. @lavish and @smashing already did most of the interesting stuff (SQLi and PDF writer exploitation). It seemed like the challenge is almost done and one just needs to find the next hint in the filesystem (again...). However, I spent around 5 hours finding nothing of interest until @lavish used `dirbuster` to find the next hint... After we had the correct paths it took about 30 minutes to find the next and final hint.
+
+# bathhouse (solved)
+## Overview
+Given is a django-based webpage of a bathhouse. One can book a bathhouse by filling out a form. The form consists of a radio button selector, a hours number field, a phone number fild and a username text field.
+
+##  Exploit
+The username field allows for SQL to be injected. @lavish created a script to run a blind SQLi and found a table called `backup` which contains the columns `username` and `password`. The only row contained `main_admin_user` and `njafnGAJNSGAkn123`. These credentials can be used to login at `http://web-bathhouse.ctfz.one/set_price/`. This page can be found in the `robots.txt` which contains
+
+    User-Agent: *
+    Disallow:/set_price/
+
+When logged in one sees the last request submitted through the booking form including all the given information. Additionally, a number input is given where the admin can set the price for the request. On submission of the price a PDF booking confirmation is generated using `wkhtmltopdf 0.12.1`. Instead of a price one can inject HTML which will be rendered in the PDF. Therefore, it is possible to include JavaScript to read local files.
+
+    <script> 
+        x=new XMLHttpRequest;
+        x.onload=function() {
+            document.write(this.responseText)
+        };
+        x.open("GET","file:///etc/passwd");
+        x.send();
+    </script> 
+
+However, reading directories is not possible. How can one find an interesting file to read? Well after spending hours searchin for the next hint, @lavish found the `http://web-bathhouse.ctfz.one/status/` page by using `dirbuster`.The page has the following contents which hint at interesting directories:
+
+    Status page
+    
+    Web app folder: /opt/project/
+    Submodules: task, calculate
+    
+    Everything works correctly (200)
+
+The project is implemented in a typical django fashion. The next hint is included in `/opt/project/calculate/views.py`. Apart from the other views, the file includes the following comments
+
+    # def sync(request): # Get sync data by http request. #syncData('http://syncdata/sync.html')
+
+Curiously enough, using the above script does not work for fetching `http://syncdata/sync.html`. However, an iframe works
+
+    <div><p>Report Heading</p><iframe src=http://syncdata/sync.html height="500" width="500">
+
+which yields the flag.
+
+# chicken (unsolved)
+## Overview
+Given is a webpage of a chicken farm. One page shows their hens and for every hen there is a link to its passport, e.g. `web-chicken.ctfz.one/File/Download?filename=My50eHQ=`. 
+
+Furthermore, there is a contact page which contains an e-mail `admin@chicken.ctf.zone`. However, sending a mail to it does not work according to @theguy.
+
+Additionally, there is a login form.
+
+## Exploit attempt
+The URL contains the filename in base64 encoding at the end. Any arbitrary path can be read by encoding the path in base64. The website sets the cookie `.AspNetCore.Antiforgery.9TtSrW0hzOs` which confirms that the webpage is created using ASP.NETcore. The directory structure is approximately this:
+
+    /
+        etc
+            passwd
+        ???
+            Passports
+                1.txt
+                2.txt
+                3.txt
+                4.txt
+                5.txt
+            wwwroot
+                css
+                    site.min.css
+                js
+                    site.min.js
+                images
+                    hens
+                        1.jpg
+                        2.jpg
+                        3.jpg
+                        4.jpg
+                        5.jpg
+            Views
+                Auth
+                    Login.cshtml
+                Home
+                    Hens.cshtml
+                Shared
+                    _Layout.cshtml
+                    _CookieConsentPartial.cshtml
+                    Error.cshtml
+                _ViewImports.cshtml
+            appsettings.json
+    
+e.g. `../../etc/passwd` allows one to read `passwd` (which contains nothing interesting).    
+
+Interestingly enough, one cannot read `*.cs` source code files. It seems like that certain files or filetypes are filtered and not readable. Therefore, we cannot read the important part of the website's source code.
+
+After trying to find interesting files for hours we gave up.
diff --git a/writeups/chgue/seccon19.md b/writeups/chgue/seccon19.md
index dad8d15..560289d 100644
--- a/writeups/chgue/seccon19.md
+++ b/writeups/chgue/seccon19.md
@@ -4,6 +4,8 @@ Sadly, I didn't notice that the event ended early Sunday since I wanted to do a
 
 All in all it was interesting but in my opinion the CTF wasn't as fun as other CTFs in the past since it kinda seemed a bit reliant on guesswork (Sandstorm: Hinted (for me unknown) algorithm in the image, ZKPay: crypto but no source).
 
+Time spent: ~10 hours total (I don't remember the breakdown exactly)
+
 # Option-Cmd-U (Successfully sovled by a teammate)
 ## Overview
 The enables one to view the pagesource of an http webpage. The flag is located at `\flag.php`, however it is only accessible on the local network.
@@ -37,12 +39,13 @@ On a second look it became apparent that `idn_to_ascii` is used twice, however d
 This seemed to hint at a potential attack vector.
 
 Thus, I tried to trigger `Oops, are you a robot or an attacker?`. After lots of trial and error I found the rather obvious solution `http://nginx`.
-Consequently, I tried various UTF-8 characters, such as `http://nginxä/flag.php` which bypassed the filter but resulted in errors as it was parsed as `xn--http://nginx/flag-1qb.php` (aka as Punycode).
+Consequently, I tried various UTF-8 characters, such as `http://nginxä/flag.php` which bypassed the filter but resulted in errors as it was parsed as `xn--http://nginx/flag-1qb.php` (aka Punycode).
 I had at look at the PHP sourcecode to find out if one could discard the `xn--` part by tricking the parser somehow but it didn't seem possible, especially since the `scheme` is checked at first.
 Next, I tried `http://nginxß/flag.php` which was parsed as `http://nginxss/flag.php` so some unicode characters did not result in punycode starting with `xn--` but were converted to ASCII.
 
-After not finding any fitting UTF-8 characters I gave up and tried different challenges. However, @smashing later solved it by further using some obscure features of `file_get_contents`. 
-A host starting with `@` works in `file_get_contents` and that there exists a UTF-8 character that is parsed to `@`. Thereby bypassing the check and but still being parsed correctly by `file_get_contents`.
+After not finding any fitting UTF-8 characters I gave up and tried different challenges. However, @smashing later solved it by using some obscure features of `file_get_contents`. 
+A host starting with `@` is accepted by `file_get_contents` and there exists a UTF-8 character that is parsed to `@`. Thereby bypassing the check and but still being parsed correctly by `file_get_contents`.
+The final payload was `http://ocu.chal.seccon.jp:10000/index.php?url=http%3A%2F%2F%EF%B9%ABnginx%2Fflag.php`.
 
 # ZKPay (Unsuccessful)
 ## Overview
@@ -65,7 +68,7 @@ First, I used the software barcode reader `zbar` to read some QR codes that I ge
 One can get the `hash` of the admin by clicking on the name of the admin in the transaction overview. Therefore, I thought one should generate a proof for the admin to transfer the money. 
 However, as there was no sourcecode and crypto challenges are often times pretty hard without the right knowledge I gave up. 
 
-Later it turned out that they (probably) had an error in their challenge and one could just send a negative value from ones account to another and therby increase the balance of the first account `(balance - (-100000000)`...
+Later it turned out that they (probably) had an error in their challenge and one could just send a negative value from ones account to another and therby increase the balance of the first account `(balance - (-100000000)`..
 
 # SECCON_multiplicater (Unsuccessful)
 ## Overview
diff --git a/writeups/chgue/tasteless19.md b/writeups/chgue/tasteless19.md
index c585047..1eed92e 100644
--- a/writeups/chgue/tasteless19.md
+++ b/writeups/chgue/tasteless19.md
@@ -6,6 +6,8 @@ All in all he CTF was nice and a great learning experience but a bit short for t
 
 The gabbr writeup was written together with @sumhack and is therefore identical to his writeup.
 
+Time spent: 5 hours for gabbr, 1 hour scouting other various challenges
+
 # Tasteless CTF 2019 — gabbr (web)
 ## Overview
 gabbr is an online chatroom service. Upon loading the page, one joins a chatroom specified in the anchor part of the URL e.g. `https://gabbr.hitme.tasteless.eu/#8f332afe-8f1d-411f-80f3-44bb2302405d`. If no name is specified, a random UUID is generated upon join. The main functionality is to send messages in the chatroom. Furthermore, one can change the username to another randomly generated one, join a new random chatroom and report the chatroom to an admin. Upon reporting an admin joins the chat and stays in the room for 15s. Additionally, the chatroom is based on websockets.
-- 
2.43.0