What is the best way to begin a blog? with a write up of course!
So, I participated at Hacklu 2013, but I only managed to solve 4 challenges, Web 200, Reverse 150 and 400. The challenges were very funny, I'm just sorry for wasting a lot of time on web 150 without figuring out the solution (SQL injection in basic authentication!?! The Horror!).
So here is my wirte up for web 200, very easy challenge in my opinion, but still funny!
So at first we are presented with this web page:
Just an image and an input box with a button: insert a key, display "wrong answer".
First things first, let's look at HTML code:
As you can see, we have a form which, upon the click of the button, will do a POST request to /gimmetv with a key, and a nice little script below called key.js.
Let's take a look at the script then:
The script add a listener on the submit, and will send our AJAX request to the server, receiving a JSON containing a "success" field. The most interesting thing here is obviously the xhr.send function, which has a commented &debug parameter.
Doing the same request with the debug parameter will give us the same response with two new fields, "start" and "end". Looks like a timing attack!
Sending the same request with different letters/numbers and looking at the value end-start we can see how this value will almost be the same for all the letters but one, which will have a significant 0.1 difference from the others.
Things are natural then, let's write a small python script in order to accumulate this value up to the point where "success" is true, and look at the response.
This code is not the most performing one, as It does not stop upon the 0.1 threshold (I wanted to be sure to take the maximum, I didn't care too much about its speed) and it checks also for punctuation characters (same reason, I wanted to be sure to get the right result)
In a matter of seconds we have the solution, in the "response" parameter of the JSON response we see "OH_THAT_ARTWORK!"
Maybe this challenge was too easy for 200 points, I expected to have something obfuscated (as far as I remember last year every javascript code was obfuscated), but still, a nice 5 minute exercise!
I created a github repo where you will find:
the writeup
the solver in python
a server which replicate (more or less) the same behavior as the original one so that you can replicate the challenge!
Enjoy!
No comments:
Post a Comment