티스토리 뷰

CTF (Git으로 이사 예정)

[CODEGATE2015] Owltube - Web (400 Point)

do9dark 2015. 3. 16. 10:08



 □ description

==========================================

You're welcome to betatest our new social media site, it's going to be the next big thing.


Server : http://54.64.164.100:5555/

Script : http://binary.grayhash.com/2a0182588cf5550cebb49876d94c7a2f/index.py


- option : please check the notice board.

==========================================


http://54.64.164.100:5555/


http://binary.grayhash.com/2a0182588cf5550cebb49876d94c7a2f/index.py

#!/usr/bin/python
 
from flask import *
import json
import pymongo
from Crypto.Cipher import AES
from Crypto import Random
from secret import SECRET_KEY
 
NAME = "Owltube"
 
app = Flask(NAME)
app.debug = False
#app.debug = True
 
app.secret_key = SECRET_KEY
 
defaultvids = []
 
defaultvids.append({"title""Barn owl vs cat""vid""pZ4ffqXg6RA"})
defaultvids.append({"title""Owl vs dog""vid""NJlyMFCX9CA"})
defaultvids.append({"title""Singing owl""vid""fppKGJD3Y6c"})
 
@app.before_request
def before_request():
    g.db = pymongo.Connection("mongodb://127.0.0.1").owltube
    g.user = None
 
@app.teardown_request
def teardown_request(exception):
    if hasattr(g, 'db'):
    g.db.connection.close()
 
BS = AES.block_size
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS) 
unpad = lambda s : s[0:-ord(s[-1])]
 
def get_cookie():
    cookie = request.cookies.get("auth")
    if not cookie: return None
 
    cookie = cookie.decode("base64")
 
    iv = cookie[:BS]
    cookie = cookie[BS:]
    aes = AES.new(SECRET_KEY, AES.MODE_CBC, iv)
    cookie = aes.decrypt(cookie)
    cookie = unpad(cookie)
 
    cookie = json.loads(cookie)
 
    return cookie
 
def set_cookie(resp, cookie):
    cookie = json.dumps(cookie)
 
    iv = Random.new().read(BS)
    aes = AES.new(SECRET_KEY, AES.MODE_CBC, iv)
    cookie = pad(cookie)
    cookie = iv + aes.encrypt(cookie)
    cookie = cookie.encode("base64")
    cookie = cookie.replace("\n""")
 
    resp.set_cookie("auth", cookie)
 
def is_logged_in():
    cookie = get_cookie()
 
    if not cookie: return False
 
    user = g.db.users.find_one(get_cookie())
 
    if not user: return False
    g.user = cookie
 
    return True
 
 
@app.route("/")
def index():
    if is_logged_in():
        videos = []
        for i, vid in enumerate(g.db.videos.find({"user": g.user["u"]})):
            vid["num"= "%u" % (i+1)
            videos.append(vid)
 
        resp = render_template("main.html", videos=videos)
    else:
        resp = render_template("landing.html")
    return resp
 
@app.route("/login", methods=['POST'])
def login():
    u = {}
    u["u"= request.form.get("user")
    u["pw"= request.form.get("pw")
 
    user = g.db.users.find_one(u)
 
    resp = make_response(redirect(url_for('index')))
 
    if user:
        set_cookie(resp, u)
    else:
        flash("Login failed")
 
    
    return resp
 
@app.route("/register", methods=['POST'])
def register():
    u = {}
    u["u"= request.form.get("user")
    u["pw"= request.form.get("pw")
    u["email"= request.form.get("email")
 
    if g.db.users.find_one({"u":u["u"]}):
        flash("Username taken")
    else:
        g.db.users.insert(u)
 
        for vid in defaultvids:
            vid["user"= u["u"]
            g.db.videos.insert(vid)
 
        flash("Registered")
 
    return make_response(redirect(url_for('index')))
 
 
@app.route("/logout")
def logout():
    resp = make_response(redirect(url_for('index')))
    resp.set_cookie("auth""")
    return resp
 
@app.route("/addvid", methods=['POST'])
def addvid():
    if not is_logged_in():
        return make_response(redirect(url_for('index')))
 
    vid = {}
    vid["title"= request.form.get("title")
    vid["vid"= request.form.get("vid")
    vid["user"= g.user["u"]
 
    g.db.videos.insert(vid)
 
    return make_response(redirect(url_for('index')))
 
if __name__ == "__main__":
    if app.debug:
        app.run()
    else:
        from tornado.wsgi import WSGIContainer
        from tornado.httpserver import HTTPServer
        from tornado.ioloop import IOLoop
 
        http_server = HTTPServer(WSGIContainer(app))
        http_server.listen(5555)
        IOLoop.instance().start()
 
cs




ID : guest

PW : guest

Mail : guest@guest



guest 로그인



auth : "2sbyYhvi5DrDHB7IQ9ybEatL5fpc/1xU6HPf/Y8XVNmUEseo1dG7Eykn/ThohNjQ"

auth : KLaiP89ovFgwWbMQZUtF8yvs5yTRReFe5JBdhclL4CMCjYAWh9zcFFT1VH9MNqwo

auth : "F/BU95/bj+CmXiT4F22lABHqvDooQ51w4+gbc2zKVzKrY7lTubOIP8lXpBfTcq+A"


위와 같이 쿠키 값이 계속해서 변경이 되지만 다른 사용자로 로그인해서 guest 쿠키 값으로 변경하면 guest로 로그인이 된다.

즉, 인증 메카니즘이 쿠키 기반인 것을 알 수 있다.


AES CBC(Cipher Block Chaining)

Byte flipping Attack


auth(cookie)

{"u":"admin"}\x03\x03\x03

auth : 2zSNdk462MFkrqqwXK1Uut9d81nyZ7RGbV2q7PDX4uo=






flag : th3_0wls_are_w4tching

flag : the_owls_are_watching_again


'CTF (Git으로 이사 예정)' 카테고리의 다른 글

[SSCTF] Up!Up!Up! - Web (100)  (0) 2016.03.01
[SharifCTF] technews - Web (200)  (0) 2016.02.09
[SharifCTF] PhotoBlog - Web (100)  (0) 2016.02.09
[32C3] ITD - Web (150)  (0) 2016.01.19
[32C3] Sequence Hunt - Web (200)  (0) 2016.01.13
[32C3] Kummerkasten - Web (300)  (0) 2016.01.12
[32C3] TinyHosting - Web (250)  (0) 2016.01.11
[32C3] MonkeyBase - Web (200)  (0) 2016.01.07
[32C3] forth - Pwn (150)  (0) 2016.01.03
[CODEGATE2015] Owlur - Web (200 Point)  (0) 2015.03.16
공유하기 링크
댓글
«   2024/11   »
1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
링크
공지사항
Total
Today
Yesterday