HITCON CTF 2014 PY4H4SHER Write-up

PY4H4SHER

Category: Web Points: 200
Description:
http://203.66.14.43/cgi-bin/py4h4sher

通过页面上的Get Source获得如下源码：

#!/usr/bin/python
# coding: utf-8

import os
import re
import sys
import cgi
import hashlib
from urllib import unquote
from passlib.utils.pbkdf2 import pbkdf2

###

sys.path.append('/home/orange/secret_file')
from secret_file import SECRET # 160 bytes secret
from secret_file import FLAG

###

print 'Content-Type: text/html\n\n'

### 

def _pbkdf2(text):
    return pbkdf2(text, 'noggnogg', 1337).encode('hex').lower()

def _md5(text):
    return hashlib.md5( text ).hexdigest().lower()

def getenv(name):
    return unquote( os.environ.get(name) ) or ''

def gotoFail():
    print 'goto fail'
    print
    exit()

def m_hash(password):
    nr = int( 'P0W5'.encode('hex'), 16 )
    add = 7
    nr2 = 305419889

    for c in (ord(x) for x in password if x not in (' ', '\t')):
        nr^= (((nr & 63)+add)*c)+ (nr << 8) & 0xFFFFFFFF
        nr2= (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add= (add + c) & 0xFFFFFFFF

    return "%08x%08x" % (nr & 0x7FFFFFFF,nr2 & 0x7FFFFFFF)
###

request = cgi.FieldStorage() 

checksum  = request.getvalue('checksum') or ''
query_str = getenv('QUERY_STRING')
if _md5( SECRET + query_str ) == checksum:
    mode = request.getvalue('mode') or ''

    if mode == 'download':
        filename = request.getvalue('filename') or ''
        filename = os.path.basename( filename )
        try:
            print open(filename).read()
        except IOError as e:
            print 'No such file or directory'
    elif mode == 'eval':
        bad_string = request.getvalue('filename') or ''
        good_string = bad_string.encode('hex')
        eval(good_string)

    else:
        stage1 = request.getvalue('stage1') or ''
        if m_hash(stage1) != '4141414141414141':
            gotoFail()

        ### 
        
        plaintext = getenv('HTTP_USER_AGENT')
        stage2 = request.getvalue('stage2') or ''
        if stage2 == plaintext:
            gotoFail()
        
        if _pbkdf2(plaintext) != _pbkdf2(stage2):
            gotoFail()

        ###

        stage3 = request.getvalue('stage3') or ''
        stage3 = stage3[0]+stage3[1]+stage3[3]+stage3[5]
        if _md5( stage3 ) != '90954349a0e42d8e4426a4672bde16b9':
            gotoFail()

        ###

        print 'Congrat! The flag is', 
        print 'HITCON{%s}' % FLAG

else:
    checksum = _md5( SECRET + 'filename=py4h4sher&mode=download' )
    print """
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
  <meta name="author" content="orange@chroot.org">
  <title> PY4H4SHER </title>
  <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css">

  <style>
/* 
Inspired by http://dribbble.com/shots/890759-Ui-Kit-Metro/attachments/97174
*/
.out {
    white-space: -moz-pre-wrap;
    white-space: -pre-wrap;
    white-space: -o-pre-wrap;
    white-space: pre-wrap; 
    word-wrap: break-word; /* Internet Explorer 5.5+ */ 
    background-color: white;
    border: 0px;
}

.nav-row {
  text-align: center;
}
.nav-row p {
  padding: 5px;
}
.nav-row .col-md-2 {
  background-color: #fff;
  border: 1px solid #e0e1db;
  border-right: none;
}
.nav-row .col-md-2:last-child {
  border: 1px solid #e0e1db;
}
.nav-row .col-md-2:first-child {
  border-radius: 5px 0 0 5px;
}
.nav-row .col-md-2:last-child {
  border-radius: 0 5px 5px 0;
}
.nav-row .col-md-2:hover {
  color: #e92d00;
  cursor: pointer;
}
.nav-row .glyphicon {
  padding-top: 15px;
  font-size: 40px;
}

  </style>
   <script src="//ajax.useso.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
</head>
<body>             
<script>
  var script_name = '/cgi-bin/py4h4sher';

  function gohome(){
    window.open( 'http://hitcon.org' );
  }
  function getflag(){
      $.get( script_name , 
              function(data){         
                  $('.out').text('nothing to do :(');
              });
  }
  function getsource(){
      $.post( script_name + '?filename=py4h4sher&mode=download', 
              {'checksum': '%s'},
              function(data){
                  $('.out').text(data);
              });
  }
</script>

<div class="container" style="margin-top:160px;">
    <div class="row nav-row">
      <div class="col-md-3">
      </div>
      <div class="col-md-2" onclick='gohome()'>
        <span class="glyphicon glyphicon-home"></span>
        <p> Go Home </p>
      </div>
      <div class="col-md-2" onclick='getflag()'>
        <span class="glyphicon glyphicon-flag"></span>
        <p> Get Flag </p>
      </div>
      <div class="col-md-2" onclick='getsource()'>
        <span class="glyphicon glyphicon-cloud-download"></span>
        <p> Get Source </p>
      </div>
    </div>

    <div class='row nav-row'>
      <pre class='out' style='padding-top:64px; '>
      </pre>
    </div>
</div>

</body>
</html>
""" % checksum

在源码中还会得到一个checksum:

af247ce6e8c70768eae27ec6feae34f6

分析源码可知，checksum是QUERY_STRING的MD5值，但是用了SECRET。该checksum是通过POST形式提交的，要修改QUERY_STRING并通过checksum的验证，可以利用Length Extension Attack，页面中有现成的工具，我这里使用的是Hash Extender 。

由于mode的值不能是download和eval，这里随意添加：

hash_extender -s af247ce6e8c70768eae27ec6feae34f6 -d filename=py4h4sher\&mode=download -a aaaa --secret-min=160 --secret-max=160 --out-data-format=html

Type: md5
Secret length: 160
New signature: 5ce89b806119dac3f2508022e0b328de
New string: filename%3dpy4h4sher%26mode%3ddownload%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%06%00%00%00%00%00%00aaaa
QUERY_STRING:

filename%3dpy4h4sher%26mode%3ddownload%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%06%00%00%00%00%00%00aaaa
checksum：

5ce89b806119dac3f2508022e0b328de

stage1

搜索m_hash函数，找到Old MySQL Password Hash，继续搜索对此方法的crack，找到MySQL323 Cracker，使用页面中提到的工具mysql323 collider，如下：

mysql323 collider 32.exe -h 4141414141414141 -m 512 -t 10
Initializing...
Took 5.67 sec
3.419 Pp/s [12.8% 4.1% 4.1% 13.0% 12.5% 12.0% 12.4% 12.9% 4.2% 12.2%]
4141414141414141:21704a5b72356c3424605a7c3e7e:!pJ[r5l4$`Z|>~

Crack time: 284.658 seconds
Average speed: 3.426 Pp/s

得到stage1为

!pJ[r5l4$`Z|>~

stage2

搜索pbkdf2，得到PBKDF2，继续搜索找到PBKDF2+HMAC hash collisions explained，页面中有提供计算出的字符串，这里直接使用如下两个：

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavutrypa
d63mH`L=IW3Ucwb.FRec

第一个做为stage2的值，第二个作为User-agent的值。

stage3

对于stage3，直接搜索MD5，得到enigma；

最终POST的数据为：

checksum=d9c85e053a9215db9e03c0bfb1934e1a&stage1=!pJ[r5l4$`Z|>~&stage2=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavutrypa&stage3=e&stage3=n&stage3=n&stage3=i&stage3=n&stage3=gma

将以上内容提交，得到：

Congrat! The flag is HITCON{th1s_1s_bas1c_cha11enge_f0r_p3nt3st3r!}