[Juniors CTF 2016] [Web 500 – Crypto-shop] Write Up

Description

You are extremely lucky!
Today we open the first Crypto-shop in Gravity falls http://10.0.192.235:61741/index.php/ and we even made up crypto-currency – gravitycoins!
I invite you to take part in beta-testing. All we have for now is a file…

Resolution

We arrived on a simple page with:

Gravitycoin price: 140.3
Your cryptocurrency gravitycoin account: 3a2d33d099edd265cbf60f50d91dbb45
Current balance: 0

There was nothing interesting in the source, so we checked our cookies:

gravitycoin=GfOrJn1qakq10R7kBGuOZehJ9gMQLy1%2FcBjLXcrD4%2Bk0BAkAwJB0cvpWmiGHKOd7kGsqCjkKfiKEhool5iLZ0w%3D%3D
wallet=3a2d33d099edd265cbf60f50d91dbb45

The “gravitycoin” cookie was Base64-encoded and then URL-encoded, but its decoded form showed nothing interesting.
We searched for a /robots.txt file, and there was one!

User-agent: *
Disallow: /index.html
Disallow: /index.php
Disallow: /rsa.html

We went to the page rsa.html but we were redirected to 403.html. WTF?

Looking at the source (using view-source:10.0.192.235:61741/rsa.html) gave us the reason: there was a JavaScript redirection:

<script type="text/javascript">

location.replace("http://10.0.192.235:61741/403.html");

</script>

-----BEGIN PUBLIC KEY-----<br>
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMUxrqFZ5appjJI7Yf8TDVpy3ITYzh9s<br>
CTflAdameod0AtdQ5QCAVCpFi1ZLe5ZvwNwIlsEdTDEqfi2CH8Ylf9cCAwEAAQ==<br>
-----END PUBLIC KEY-----

A public key? What was it doing here? We saved it to the disk:

cat > publickey 
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMUxrqFZ5appjJI7Yf8TDVpy3ITYzh9s
CTflAdameod0AtdQ5QCAVCpFi1ZLe5ZvwNwIlsEdTDEqfi2CH8Ylf9cCAwEAAQ==
-----END PUBLIC KEY-----

We tried to encrypt a numeric value using it:

echo '1337' | openssl rsautl -encrypt -pubin -inkey publickey | base64 | tr -d '\n'
McS+9wfQQNi7VuoXx+XNAMMZFAiiW51bz2tc4f8sRYJAtTVZPHnasF9S8JFr8v16vsA8ZYzlwbdMSIWEsRPcQA==

And… Still 0 in the balance 🙁

But wait: echo appends a “\n” (newline) to its output, so the server was decrypting “1337\n” instead of “1337”. We must add the -n flag!

echo -n '1337' | openssl rsautl -encrypt -pubin -inkey publickey | base64 | tr -d '\n'
bB5NmZqQhqhv2EYbBkikcwqEdim+Gt1RFeC97gB2s9AtmCnwX3aBpmkO83mClp9zPdUqubRqUB9nlTG3bCxibg==

URL-encoded form:

bB5NmZqQhqhv2EYbBkikcwqEdim%2BGt1RFeC97gB2s9AtmCnwX3aBpmkO83mClp9zPdUqubRqUB9nlTG3bCxibg%3D%3D

We modified the cookie “gravitycoin” with this value and refreshed the page:

Gravitycoin price: 140.3
Your cryptocurrency gravitycoin account: 3a2d33d099edd265cbf60f50d91dbb45
Current balance: 1337

Enough to buy the flag! 🙂

Flag was Stan_creator_6fsd%hjaB56_gravitycoins
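
Why this worked: anyone holding the public key from rsa.html can produce a ciphertext the server will decrypt, so encryption alone says nothing about who created the cookie. The sketch below is an added example, not the challenge's code: it authenticates the balance with an HMAC under a server-only key, and the names issue_cookie, read_balance and SERVER_KEY are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote, unquote

# Assumption: a random key that never leaves the server
# (unlike the public key that was readable in rsa.html).
SERVER_KEY = secrets.token_bytes(32)


def issue_cookie(wallet: str, balance: int, key: bytes = SERVER_KEY) -> str:
    """Return a URL-encoded cookie value: base64(payload).base64(tag)."""
    payload = f"{wallet}:{balance}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    raw = base64.b64encode(payload) + b"." + base64.b64encode(tag)
    return quote(raw.decode(), safe="")


def read_balance(cookie: str, wallet: str, key: bytes = SERVER_KEY):
    """Return the balance, or None if the cookie is malformed, forged,
    or was issued for a different wallet."""
    try:
        p64, t64 = unquote(cookie).split(".")  # exactly two parts expected
        payload = base64.b64decode(p64, validate=True)
        tag = base64.b64decode(t64, validate=True)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        # Constant-time comparison; reject before parsing the payload.
        if not hmac.compare_digest(tag, expected):
            return None
        cookie_wallet, _, balance = payload.decode().rpartition(":")
        if cookie_wallet != wallet:
            return None
        return int(balance)
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    wallet = "3a2d33d099edd265cbf60f50d91dbb45"  # wallet id shown on the page
    cookie = issue_cookie(wallet, 0)
    print("issued :", cookie)
    print("genuine:", read_balance(cookie, wallet))
    # Client swaps in its own payload but cannot compute a matching tag.
    forged = quote(base64.b64encode(f"{wallet}:1337".encode()).decode()
                   + "." + unquote(cookie).split(".")[1], safe="")
    print("forged :", read_balance(forged, wallet))
```

Keeping the balance only in server-side storage keyed by the wallet removes the need to trust any client-held value at all.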
