This writeup is about Defcamp CTF’s Network 200. Again, we get a clue!
That ****ing manager got smarter. He moved to house number 22, but we got this: ****managers.pcap
Profanity aside, house number 22 probably means that the ip address of this challenge is
10.13.37.21. The pcap file contains network traffic of the manager logging in to the page at 10.13.37.21. Upon examination of this page, it seems it generates a nonce. This nonce is to encode the md5 of the password, which it then sent over as GET parameters.
Looking at the pcap file, Swappage quickly identified this:
So we need to reverse this nonce-based encryption to get the md5’ed password of manager. The source of the login page reveals that the nonce is valid for about 100 seconds and the function that is used to generate the encoded password:
1 2 3 4 5 6 7
This threw me off. I thought the nonce and md5 were
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
With a few carefully placed
alert()s, I was able to figure out that the
myxor function takes each hex character of the nonce and the md5. These values are converted to integers and then added together. After a modulus 16 the hex-representation of the result is added to the output.
I wrote a small piece of python to do the reverse operation for me, given the nonce and the encoded md5:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
This returned the md5 of the managers’ password:
cabaf0ddf21df38cbeb77c94a40e4654. Unfortunately, the Mighty Google did not return any hits when searching for it. Who needs it anyway? We have the md5 of the password, all we need to do is to re-encode it with a new nonce and submit it! I refreshed the login page, grabbed the nonce and ran the following piece of python:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
This returned a new, encoded md5 of the password. I copied it and entered
manager:idontcare in the login form. I intercepted this request with TamperData, substituting the new, encoded md5 value for the old one and hit submit. Lo and behold:
Which is the md5 of
youtoo, which thankfully was the proper flag!