from: Nevernote Admin <nevernoteadmin@nevernote.com>
to: challenger@ctf.isis.poly.edu
date: Thurs, Sep 19, 2013 at 3:05 PM
subject: Help
Friend,
Evil hackers have taken control of the Nevernote server and locked me out. While I'm working on restoring access, is there any way you can get in to my account and save a copy of my notes? I know the system is super secure but if anybody can do it - it's you.
Thanks,
Nevernote Admin
Log in via SQL injection with username/password 'OR''='
Using the given hint that ‘Admin’ always checks links, set up a script (I used PHP) somewhere on a public-facing server to capture the superglobals, especially $_REQUEST, $_GET, $_POST and $_FILES, before sending a message to the Admin’s email address via the system itself
One of these variables (challenge is no longer accessible at the point of this writeup to verify precisely which) contains the requesting URL, which you should be sufficiently curious to explore by clicking through (IIRC it’s of the form http://challenge-url/?enc=XXX)
The flag/key is found in the contents of the message at the captured link