Capture the Flag events are a great way to get your feet wet learning new techniques and skills related to cybersecurity, as well as flexing your problem solving skills. I recently participated in the MetaCTF CyberGames 2021 and wanted to share some thoughts and walkthroughs for some of the challenges I solved.
According to their site, MetaCTF looks to challenge participants with problems such as web exploitation, cryptography, binary exploitation, reverse engineering, forensics, and reconnaissance, so let's take a closer look at these challenges with that in mind.
1. Leaky Logs
Business, INC, the world’s premier widget manufacturer, just released their fancy new dashboard, using all the hottest new web technologies from 2010.
This account doesn’t seem to have a ton of access. Sucks.
Can you access the flag at /flag.txt?
We begin by investigating the site with a tool like Burp Suite, OWASP ZAP, or even from the developer tools in your favorite browser. After spending some time looking around the site, you will likely end up on the Event Logs page.
If you're using a tool like Burp or ZAP, you can intercept a search query from this page and see that search requests are sent to /api/event_log as an XML body of the form <params><query>search terms</query></params>. If you're using the developer tools, the Network tab shows the same request and body.
About XML and XXE
XML external entity vulnerabilities appear in the OWASP Top 10 under entry number 5, Security Misconfiguration. MITRE's Common Weakness Enumeration tracks them as CWE-611: Improper Restriction of XML External Entity Reference, and they are more commonly known as XXE (XML eXternal Entity).
XXE is an attack against a web application whose XML parser resolves external entities. It lets us declare an entity that points at an external resource (such as another file on the server); wherever the document references that entity, the parser expands it, and the file contents come back in the application's output.
Entities are declared in the Document Type Definition (DTD), which describes the structure, elements and attributes of an XML document. The DTD lives inside a <!DOCTYPE> declaration, and each entity is declared there with an <!ENTITY> declaration. The SYSTEM keyword makes the entity external, pointing it at another file on the system through a file:// URI.
In this instance, we will name our entity xxe, and we reference it in our request by using &xxe;. Our crafted payload for the /flag.txt file ends up looking like this:
If you are using a tool like Burp Suite or OWASP ZAP, you can simply edit the intercepted search query and send your modified XXE request. If you are using developer tools, you can use a site like https://reqbin.com/post-online to send POST requests from your browser.
Regardless of which method you choose, after sending your payload to the API, you should receive the flag in return.
To learn more about XXE vulnerabilities and see other example payloads and attack vectors, visit https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing.
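As an added example (not code from the post or from the MetaCTF organizers), here is how the server side of an endpoint like /api/event_log can shut this class of bug down: the request body is walked token by token and any DOCTYPE declaration is refused before a single element is processed, since entity declarations can only appear inside a DTD. It assumes the body shape shown above and uses Go's encoding/xml, which does not resolve external entities on its own; the two sample bodies are constructed for the demonstration.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrDTDNotAllowed is returned when a request body carries a <!DOCTYPE ...>
// declaration. Entity declarations (internal or SYSTEM/external) can only
// appear inside a DTD, so refusing the DTD outright removes the XXE surface.
var ErrDTDNotAllowed = errors.New("request rejected: DOCTYPE/DTD declarations are not permitted")

// ParseSearchQuery reads a body of the form
// <params><query>search terms</query></params> and returns the query text.
// It walks the token stream instead of unmarshalling into a struct so that a
// DTD is detected and rejected before any element content is looked at.
func ParseSearchQuery(body string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(body))
	dec.Strict = true // an undeclared entity reference such as &xxe; is an error

	var (
		inQuery bool
		found   bool
		query   strings.Builder
	)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return "", fmt.Errorf("malformed XML: %w", err)
		}
		switch t := tok.(type) {
		case xml.Directive: // <!DOCTYPE ...>, including any inline [<!ENTITY ...>] subset
			return "", ErrDTDNotAllowed
		case xml.StartElement:
			if t.Name.Local == "query" {
				inQuery, found = true, true
			}
		case xml.EndElement:
			if t.Name.Local == "query" {
				inQuery = false
			}
		case xml.CharData:
			if inQuery {
				query.Write(t)
			}
		}
	}
	if !found {
		return "", errors.New("missing <query> element")
	}
	return query.String(), nil
}

// Constructed sample bodies: the benign request the dashboard sends, and a
// request of the shape the post describes (an entity pointing at /flag.txt).
var sampleBodies = []string{
	`<params><query>search terms</query></params>`,
	`<!DOCTYPE params [<!ENTITY xxe SYSTEM "file:///flag.txt">]><params><query>&xxe;</query></params>`,
}

func main() {
	for _, body := range sampleBodies {
		q, err := ParseSearchQuery(body)
		if err != nil {
			fmt.Printf("REJECT: %v\n", err)
			continue
		}
		fmt.Printf("ACCEPT: query=%q\n", q)
	}
}
```

For stacks whose parser does resolve external entities (libxml2-based libraries, older Java parsers), the equivalent fix is to disable DTD processing and external entity resolution in the parser configuration, which is the approach OWASP's XXE prevention guidance recommends; rejecting DOCTYPE at the edge as above is a cheap belt-and-braces check in front of either kind of parser.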
2. Unbreakable Encryption
There is a form of truly unbreakable encryption: the one time pad. Nobody, not Russia, not China, and not even Steve, who lives in his mom’s basement and hacks governments for fun, can decrypt anything using this cipher… as long as it’s used correctly.
In this scheme, a truly random string as long as the plaintext is chosen, and the ciphertext is computed as the bitwise XOR of the plaintext and the key. However, if the key is reused even once, it can be cracked.
We’ve intercepted some messages between some criminals, and we’re hoping you could crack the one-time pad they used. We’re pretty sure they reused it, so you should be able to crack it…
Ciphertext 1: 4fd098298db95b7f1bc205b0a6d8ac15f1f821d72fbfa979d1c2148a24feaafdee8d3108e8ce29c3ce1291
Plaintext 1: hey let's rob the bank at midnight tonight!
Ciphertext 2: 41d9806ec1b55c78258703be87ac9e06edb7369133b1d67ac0960d8632cfb7f2e7974e0ff3c536c1871b
About One Time Pad Encryption
According to HYPR, a one-time pad encryption system is “unbreakable providing certain conditions are met. The conditions that make a one-time pad impossible to crack are also ones that make the technique impractical for many modern applications.” You can learn more at HYPR’s Security Encyclopedia.
OTP Encryption Vulnerabilities
Given a ciphertext and its matching plaintext, XORing the two together recovers the key: since c = p XOR k, it follows that k = c XOR p. We can then XOR that key against another ciphertext, and if the key was reused, out comes its plaintext. Note that this only recovers as many key bytes as the known plaintext covers, so a second message longer than the first can only be decrypted up to that length.
I wrote the following code in Go to retrieve the key used in the challenge and then decrypt the second string to retrieve the flag.
You can copy and paste this code in the Go Playground and run it for yourself to retrieve the flag.
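Since the post's own listing is not reproduced here, the following is an added Go program (my own, not the author's code) that performs the two steps just described on the challenge values quoted above: recover the pad from ciphertext 1 and plaintext 1, then apply it to ciphertext 2. It also handles the length edge case, reporting how many trailing bytes of a ciphertext fall outside the recovered pad instead of silently truncating.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// Values copied from the challenge text above.
const (
	Ciphertext1Hex = "4fd098298db95b7f1bc205b0a6d8ac15f1f821d72fbfa979d1c2148a24feaafdee8d3108e8ce29c3ce1291"
	Plaintext1     = "hey let's rob the bank at midnight tonight!"
	Ciphertext2Hex = "41d9806ec1b55c78258703be87ac9e06edb7369133b1d67ac0960d8632cfb7f2e7974e0ff3c536c1871b"
)

// xorBytes XORs a and b position by position and stops at the shorter input,
// because a one-time pad only ever relates bytes at the same offset.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverKey returns the pad bytes a known plaintext/ciphertext pair exposes:
// since c = p XOR k, k = c XOR p. Only the bytes the known plaintext covers
// are recovered.
func RecoverKey(ciphertextHex, knownPlaintext string) ([]byte, error) {
	ct, err := hex.DecodeString(ciphertextHex)
	if err != nil {
		return nil, fmt.Errorf("ciphertext is not valid hex: %w", err)
	}
	return xorBytes(ct, []byte(knownPlaintext)), nil
}

// Decrypt applies a recovered pad to another ciphertext. The second return
// value is the number of trailing ciphertext bytes the pad does not cover;
// those bytes cannot be decrypted and are dropped from the result.
func Decrypt(ciphertextHex string, key []byte) (string, int, error) {
	ct, err := hex.DecodeString(ciphertextHex)
	if err != nil {
		return "", 0, fmt.Errorf("ciphertext is not valid hex: %w", err)
	}
	uncovered := 0
	if len(ct) > len(key) {
		uncovered = len(ct) - len(key)
	}
	return string(xorBytes(ct, key)), uncovered, nil
}

// SolveChallenge chains the two steps for the challenge values and fails if
// the reused pad does not cover the whole second message.
func SolveChallenge() (string, error) {
	key, err := RecoverKey(Ciphertext1Hex, Plaintext1)
	if err != nil {
		return "", err
	}
	pt, uncovered, err := Decrypt(Ciphertext2Hex, key)
	if err != nil {
		return "", err
	}
	if uncovered > 0 {
		return pt, fmt.Errorf("%d trailing bytes are not covered by the recovered pad", uncovered)
	}
	return pt, nil
}

func main() {
	pt, err := SolveChallenge()
	if err != nil {
		fmt.Println("partial result:", pt, "-", err)
		return
	}
	fmt.Println("Decrypted message 2:", pt)
}
```

Ciphertext 1 is 43 bytes and ciphertext 2 is 42, so the pad recovered from the first pair covers the second message entirely; the program prints the decrypted second message, which contains the flag. The same code runs unchanged in the Go Playground.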
To Wrap It All Up
CTFs offer a way for newcomers to cybersecurity as well as veterans of the industry to learn new skills and hone existing ones. I hope you learned something from going over these challenges and will give a CTF a try sometime if you haven’t already. For more information on CTFs and upcoming events, visit CTF Time.