Networking challenges for CSAW CTF 2012 reminded me of classic PCAP diving, and this one proved to be no different.
lemieux.pcap
Some dude I know is planning a party at some bar in New York! I really want to go but he's really strict about who gets let in to the party. I managed to find this packet capture of when the dude registered the party but I don't know what else to do. Do you think there's any way you can find out the secret password to get into the party for me? By the way, my favorite hockey player ever is mario lemieux.
Digging through the PCAP showed a lot of standard network traffic: HTTP, DNS, UPnP, DLNA, HTTPS, etc. Where to start? Since the user supposedly registered for a party, the likely candidate is some sort of HTTP transaction. Setting a Wireshark filter for "http" still yields A LOT of traffic. Using tshark, NetworkMiner, etc., we can see which URLs are being requested.
tshark -r lemieux.pcap -R "http" -Tfields -e http.host
This reduces the possibilities, but isn't the cleanest. Luckily, the last few lines show a server, "taproom307.com". Now that's an establishment I've heard of. If the user did register, there's hopefully an HTTP POST associated with it. Let's narrow our search:
tshark -r lemieux.pcap -R 'http.request.method == "POST" and http.host == "www.taproom307.com"'
Yup. Since I'm lazy, I fired up the same request in Wireshark to view the actual HTTP contents. One of the POSTs shows a message being sent with a 'key phrase' of "brooklyn beat box".
Sunday, September 30, 2012
CSAW CTF 2012 - Web 100
Ahh, a simple Web attack problem:
[URL FROM GAME]
Lara Anderton needs to break into PreCrime to free her husband, but they just installed a fancy new security system. Help her break into it!
Browsing to the website presented a simple username/password form. Exploiting web sites presents many different avenues when looking at a black box (aka no source). First? Look at the HTML presented to the user's web browser. In this case, nothing stands out. Next step? Maybe try some blind SQLi? How about watching the traffic from the browser?
Firing up Wireshark showed that the web browser was given a plaintext cookie with the active username, and a field called auth which was set to 0. I think we just found our avenue. There are multiple ways of manipulating the HTTP headers, but in this case I used Burp proxy since I had it lying around.
When the browser sent over the next request, using the Intercepting Proxy, I modified the Cookie to "auth=1;user=admin" and the following response had the key response: "c4ca4238a0b923820dcc509a6f75849b".
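As an added illustration (not part of the original writeup), here is the check the challenge site effectively performed, next to a version that binds the same cookie fields to a server secret with HMAC-SHA256 so that editing auth=0 to auth=1 in a proxy is rejected. The cookie layout, the field names and the user "lara" are assumptions modelled on the cookie described above.

```python
import hmac
import hashlib
import secrets

# Server-side signing key (constructed for this example; a real server keeps it persistent).
SERVER_KEY = secrets.token_bytes(32)


def parse_cookie(cookie: str) -> dict:
    """Split 'k=v;k2=v2' into a dict (assumed layout, matching the challenge cookie)."""
    return dict(part.split("=", 1) for part in cookie.split(";") if "=" in part)


def issue_insecure(user: str, is_admin: bool) -> str:
    """The pattern seen in Web 100: authorization state stored in plaintext client-side."""
    return f"user={user};auth={int(is_admin)}"


def is_admin_insecure(cookie: str) -> bool:
    # The server trusts whatever the client sends back, so the flag is attacker-controlled.
    return parse_cookie(cookie).get("auth") == "1"


def issue_signed(user: str, is_admin: bool) -> str:
    """Same fields, but with an HMAC over them appended as 'sig'."""
    payload = f"user={user};auth={int(is_admin)}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload};sig={mac}"


def is_admin_signed(cookie: str) -> bool:
    fields = parse_cookie(cookie)
    sig = fields.pop("sig", "")
    payload = f"user={fields.get('user', '')};auth={fields.get('auth', '')}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; any edited or missing signature fails here.
    if not hmac.compare_digest(sig, expected):
        return False
    return fields.get("auth") == "1"


def tamper(cookie: str) -> str:
    """Rewrite the cookie the way the writeup describes (user=admin, auth=1), keeping other fields."""
    fields = parse_cookie(cookie)
    fields["user"], fields["auth"] = "admin", "1"
    return ";".join(f"{k}={v}" for k, v in fields.items())
```

Keeping authorization state in a server-side session and sending only an opaque session id avoids shipping the flag to the client at all; signing is the minimal fix that preserves the cookie layout shown above.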