From 716bdade7050eaa8fca53e6e91bc06d247771d3a Mon Sep 17 00:00:00 2001
From: schwain <stefan.aschauer@gmail.com>
Date: Mon, 20 Jan 2020 00:30:06 +0100
Subject: [PATCH] added tasteless19 writeup

---
 writeups/saschauer/tasteless19.md | 51 +++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 writeups/saschauer/tasteless19.md

diff --git a/writeups/saschauer/tasteless19.md b/writeups/saschauer/tasteless19.md
new file mode 100644
index 0000000..88f7721
--- /dev/null
+++ b/writeups/saschauer/tasteless19.md
@@ -0,0 +1,51 @@
+# rgb
+After browsing through a few challenges i decided to try my luck at this stego challenge.
+
+This was a three part challenge: R, G, and B. So we had to find three flags in one .pcapng file.
+
+The capture contained an http request and an answer that transferred a png image.
+I tried analyzing the image with various stego tools, but didn't really get anywhere.
+
+After some time i was getting kind of frustrated, so i decided to move on.
+
+# web-timewarp
+The challenge description read:
+```
+!!! challenge will shutdown at approx 01:30 UTC !!!
+
+If you haven't solved it until then, we don't think you'll be able to do it.
+```
+
+An important detail to know is that, on the day of the daylight savings time change. This meant that at 03:00 the time changed back to 02:00.
+
+The landing page linked to two endpoints /token and /timewarp:
+`go <a href="/token">grab a token</a> and <a href="/timewarp">let's dance</a>!`
+Clicking on the first endpoint generates a token, which can then be submitted at the second endpoint.
+Unfortunately, if one tries to submit a newly generated token, it's already invalid:
+`oh no! too slow! your token is not valid anymore :(`
+
+An token looked like this: `Z2l2ZUZsYWcvRXVyb3BlL0Jlcmxpbg==.U2F0IE9jdCAyNiAxNzoxNDo1NCAyMDE5.lKr4zkB4W0V9VZBnLLyT5ucqp0lCZxMpWEmZRPoZpKlmMHuXcBOg7Aeu6wJClpwYLNJCw_NmzBP6uVDSDyARAw==`
+These turned out to be 3 base64 encoded values separated by a `.`
+`giveFlag/Europe/Berlin.Sat Oct 26 17:14:54 2019.@x[E}Ug,*IBg)XIDf0{pB,BÙ³T4@`
+or more general:
+`giveFlag/<server location>.<timestamp>.<some hash>`
+
+If we tried to change location or timestamp, the server responded with:
+`oh no! what happened to your integrity?`
+
+It seemed that the challenge was a bout somehow crafting a token, that was valid for long enough to actually be submitted, while still passing the servers integrity checks.
+
+At this point i realized that the challenge description stated, that the challenge would shut down at 01:30 UTC, or 2:30 CET. This made sense, as it would be trivial to solve this challenge right after the time change. Just generate a token before it happens and it is valid for up to almost an hour. This would be way to easy, right?
+
+What followed was a lot of time trying to figure out what kind of hash function could generate a valid token, if changing regions/submitting requests via proxys/etc. would change any parts of the token and could be abused somehow. All in vein.
+
+I had to leave before the time to solve this challenge had come, but in the end we kinda had found the solution quiet at the beginning of our investigations. 
+We could abuse the time change to generate a token that was valid for long enough. 
+When thinking about this during the ctf, i kinda ruled out the possibility of this, due to the challenge description stating that the challenge would shut down at 2:30.
+In fact i think it did actually shut down around that time, when it came around for the second time that day.
+# Retrospective
+All in all, i enjoyed the ctf quiet a lot, although i didn't really contribute a lot.
+Both challenges were kinda frustrating, but i still had some fun working together on the challenges.
+
+
+
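Review bot: The sentence "An important detail to know is that, on the day of the daylight savings time change." is a fragment with no main clause, and the timing reasoning that follows (03:00 going back to 02:00, the 01:30 UTC / 2:30 CET shutdown, the "second time that day" remark) depends on it; spell out which day the CTF fell on and that it coincided with the clock change, e.g. "An important detail is that the CTF ran on the night of the daylight saving time change, so at 03:00 the clocks went back to 02:00." The decoded token line `giveFlag/Europe/Berlin.Sat Oct 26 17:14:54 2019.@x[E}Ug,*IBg)XIDf0{pB,BÙ³T4@` pastes the raw bytes of the third segment, which render as mojibake; show that segment hex-encoded (or state its byte length) so a reader can see it is binary data rather than text. Several typos should be fixed before merge: "a bout" -> "about", "servers" -> "server's", "way to easy" -> "way too easy", "proxys" -> "proxies", "All in vein" -> "All in vain", "quiet at the beginning" / "quiet a lot" -> "quite", and "An token" -> "A token". The file also ends with three empty lines; trim them to a single trailing newline.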
-- 
2.43.0