From 716bdade7050eaa8fca53e6e91bc06d247771d3a Mon Sep 17 00:00:00 2001 From: schwain Date: Mon, 20 Jan 2020 00:30:06 +0100 Subject: [PATCH] added tasteless19 writeup --- writeups/saschauer/tasteless19.md | 51 +++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 writeups/saschauer/tasteless19.md diff --git a/writeups/saschauer/tasteless19.md b/writeups/saschauer/tasteless19.md new file mode 100644 index 0000000..88f7721 --- /dev/null +++ b/writeups/saschauer/tasteless19.md 
@@ -0,0 +1,51 @@ +# rgb +After browsing through a few challenges i decided to try my luck at this stego challenge. + +This was a three part challenge: R, G, and B. So we had to find three flags in one .pcapng file. + +The capture contained an http request and an answer that transferred a png image. +I tried analyzing the image with various stego tools, but didn't really get anywhere. + +After some time i was getting kind of frustrated, so i decided to move on. + +# web-timewarp +The challenge description read: +``` +!!! challenge will shutdown at approx 01:30 UTC !!! + +If you haven't solved it until then, we don't think you'll be able to do it. +``` + +An important detail to know is that, on the day of the daylight savings time change. This meant that at 03:00 the time changed back to 02:00. + +The landing page linked to two endpoints /token and /timewarp: +`go grab a token and let's dance!` +Clicking on the first endpoint generates a token, which can then be submitted at the second endpoint. +Unfortunately, if one tries to submit a newly generated token, it's already invalid: +`oh no! too slow! your token is not valid anymore :(` + +An token looked like this: `Z2l2ZUZsYWcvRXVyb3BlL0Jlcmxpbg==.U2F0IE9jdCAyNiAxNzoxNDo1NCAyMDE5.lKr4zkB4W0V9VZBnLLyT5ucqp0lCZxMpWEmZRPoZpKlmMHuXcBOg7Aeu6wJClpwYLNJCw_NmzBP6uVDSDyARAw==` +These turned out to be 3 base64 encoded values separated by a `.` +`giveFlag/Europe/Berlin.Sat Oct 26 17:14:54 2019.@x[E}Ug,*IBg)XIDf0{pB,BÙ³T4@` +or more general: +`giveFlag/..` + +If we tried to change location or timestamp, the server responded with: +`oh no! what happened to your integrity?` + +It seemed that the challenge was a bout somehow crafting a token, that was valid for long enough to actually be submitted, while still passing the servers integrity checks. + +At this point i realized that the challenge description stated, that the challenge would shut down at 01:30 UTC, or 2:30 CET. 
This made sense, as it would be trivial to solve this challenge right after the time change. Just generate a token before it happens and it is valid for up to almost an hour. This would be way to easy, right? + +What followed was a lot of time trying to figure out what kind of hash function could generate a valid token, if changing regions/submitting requests via proxys/etc. would change any parts of the token and could be abused somehow. All in vein. + +I had to leave before the time to solve this challenge had come, but in the end we kinda had found the solution quiet at the beginning of our investigations. +We could abuse the time change to generate a token that was valid for long enough. +When thinking about this during the ctf, i kinda ruled out the possibility of this, due to the challenge description stating that the challenge would shut down at 2:30. +In fact i think it did actually shut down around that time, when it came around for the second time that day. +# Retrospective +All in all, i enjoyed the ctf quiet a lot, although i didn't really contribute a lot. +Both challenges were kinda frustrating, but i still had some fun working together on the challenges. + + + -- 2.43.0
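Review bot: the generic token form in the web-timewarp section is incomplete: `giveFlag/..` has lost its placeholders (presumably the angle-bracketed names were stripped on rendering), so the reader cannot see that the token is `<location>.<timestamp>.<signature>`; please spell the three fields out in words or escape the brackets. The sentence "An important detail to know is that, on the day of the daylight savings time change." is also missing its subject (that the CTF ran on that day) and the conclusion of the writeup would be stronger if it named the actual weakness: the integrity check signs a local-time string ("Sat Oct 26 17:14:54 2019", no UTC offset), so during the repeated hour of the fall-back change a correctly signed token stays valid for almost an hour longer than intended, which is exactly the window the author describes. Minor spelling: "An token" -> "A token", "a bout" -> "about", "servers integrity checks" -> "server's integrity checks", "way to easy" -> "way too easy", "proxys" -> "proxies", "All in vein" -> "All in vain", "quiet" -> "quite" (twice).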