Hello,

We participated in 29C3 CTF, here is a writeup for

pwsaf****e

This website is some kind of password manager.

http://94.45.252.238/

You can register a new user, but cannot register “admin”, which is needed to win the flag. When you log in, a cookie named “session” is created. The cookie looked like

954a33ddafa959cf59247cd21b4cc1630abf1b964ca65062ac36a5ff6f3820f8 2eee490dbb4e835279090356a8da6a15

The orange part (the first 32 hex characters) is some static md5, uncrackable for me. The green part (the next 32 characters) is md5($username), and the red part (the 32 characters after the space) is md5($ip).

It is obvious we could make a cookie for the admin user, but we didn’t know the IP. There was a self-XSS which we tried to exploit (maybe the admin reads passwords, who knows ^^), but it didn’t work. After a few hours we finally got the solution - the Apache status page. It was located at http://94.45.252.238/server-status/, and from there we could get the IP of the user who requested /admin/ - it was 1.2.3.4

Now, to construct the final cookie:

954a33ddafa959cf59247cd21b4cc16321232f297a57a5a743894a0e4a801fc3 6465ec74397c9126916786bbcd6d7601

static + md5(“admin”) + md5(“1.2.3.4”)
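To show why this cookie layout is forgeable and what a fixed version looks like, here is an added example (not the challenge's own code). `build_weak_cookie` reproduces the layout described above: the static prefix is the one observed in the cookie, and the other two parts are unkeyed md5 of public values. `build_signed_cookie` / `verify_signed_cookie` are our assumed mitigation, not anything from the challenge: the same fields, but authenticated with an HMAC-SHA256 tag under a server-side key, so knowing a username and IP is no longer enough to mint that user's session.

```python
import hashlib
import hmac
import secrets

# Constant prefix observed in the challenge cookie (taken from the writeup).
# Its preimage is unknown and irrelevant: it is identical for every user,
# so it adds no secrecy to the cookie.
STATIC_PREFIX = "954a33ddafa959cf59247cd21b4cc163"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def build_weak_cookie(username: str, ip: str, static: str = STATIC_PREFIX) -> str:
    """Reproduce the challenge layout: static + md5(user) + ' ' + md5(ip).

    Every component is derivable from public information, which is exactly
    why the admin session could be reconstructed once the IP was known.
    """
    return f"{static}{md5_hex(username)} {md5_hex(ip)}"


def build_signed_cookie(secret: bytes, username: str, ip: str) -> str:
    """Hardened layout (our assumption, not the challenge's code).

    Fields stay readable, but a keyed HMAC over them is appended. Without the
    server-side key, changing the username or IP invalidates the tag.
    Field values must not contain '|' (the separator).
    """
    payload = f"{username}|{ip}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_signed_cookie(secret: bytes, cookie: str):
    """Return (username, ip) when the tag is valid, otherwise None."""
    payload, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking tag bytes via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    username, sep, ip = payload.rpartition("|")
    if not sep:
        return None
    return username, ip


if __name__ == "__main__":
    # Forging the weak cookie needs only the public inputs from the writeup.
    print("weak  :", build_weak_cookie("admin", "1.2.3.4"))

    key = secrets.token_bytes(32)  # server-side key, never sent to clients
    signed = build_signed_cookie(key, "admin", "1.2.3.4")
    print("signed:", signed)
    print("valid :", verify_signed_cookie(key, signed))
    # Tampering with the IP (or the user) without the key fails verification.
    print("forged:", verify_signed_cookie(key, signed.replace("1.2.3.4", "5.6.7.8")))
```

Binding the cookie to the client IP is still a weak second factor (users behind proxies or on mobile networks change IP), so in practice the session identifier itself should be a random value stored server-side; the HMAC version above is the minimal change that stops offline forgery of the existing format.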

Flag: 29C3_PleasePutAllYourPasswordsHereItIsGood

-Plitvix