Friday, October 26, 2012

[CTF] Hacklu'12: 20 - nerd safe house

By sending a simple request (using ncat or an intercepting proxy):
GET / HTTP/1.0

we get the following response:
HTTP/1.1 302 Found
Date: Tue, 23 Oct 2012 16:48:43 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Location: ?cid=vp3ElnOGh7iwP
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
Connection: close


In other words, a redirection to ?cid=vp3ElnOGh7iwP

The following request:
GET /?cid=vp3ElnOGh7iwP HTTP/1.0

will get this response in return:
HTTP/1.1 403 Forbidden
Date: Tue, 23 Oct 2012 16:50:08 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.4
X-Hint: Wrong Browser
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
Connection: close


When using a normal web browser, we see:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script>
history.replaceState(0,0,'?cid=vp3E1nOGh7jwP');</script>
</head>
<body>Nothing to see here.</body>
</html>

In essence, the JavaScript code (the history.replaceState call) changes the location from ?cid=vp3ElnOGh7iwP to ?cid=vp3E1nOGh7jwP without leaving a trace in the history. Had we navigated with a web browser first, we would have missed this (unless you have a sharp eye ;))
Playing around with the modified values, the following request:
GET /?cid=vp3ElnOGh7jwP HTTP/1.0

will result in:
HTTP/1.1 200 OK
Date: Tue, 23 Oct 2012 16:52:52 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Vary: Accept-Encoding
Content-Length: 230
Content-Type: text/html
Connection: close

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script>
history.replaceState(0,0,'?cid=vp3E1nOGh7jwP');</script>
<!-- The secret is 14574e443ef2331439d25dc9da3b617e :D -->
</head>
<body>Nothing to see here.</body>
</html>


And that is our flag.
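Reading the raw responses, rather than trusting a browser's address bar, is what exposed the rewrite. As an added example (not part of the original write-up), the script below splits a raw HTTP response, pulls out the X-Hint header, finds the URLs that inline history.replaceState/pushState calls silently switch the address bar to, checks whether that cid differs from the one actually requested, and lists HTML comments; the two sample responses are re-typed from this post and constructed so it runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed samples re-typed from the write-up (headers trimmed) so the audit runs offline.
RAW_403 = "HTTP/1.1 403 Forbidden\r\nX-Hint: Wrong Browser\r\nContent-Length: 0\r\n\r\n"
RAW_200 = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<!DOCTYPE html>\n<html>\n<head>\n"
           "<meta charset=\"utf-8\">\n<script>\nhistory.replaceState(0,0,'?cid=vp3E1nOGh7jwP');</script>\n"
           "<!-- The secret is 14574e443ef2331439d25dc9da3b617e :D -->\n"
           "</head>\n<body>Nothing to see here.</body>\n</html>\n")

# Third (url) argument of history.replaceState(state, title, url) or pushState(...)
REWRITE_RE = re.compile(r"history\.(?:replace|push)State\([^,]*,[^,]*,\s*['\"]([^'\"]+)['\"]")

class _Collector(HTMLParser):
    """Gathers HTML comments and the text of inline <script> elements."""
    def __init__(self):
        super().__init__()
        self.comments, self.scripts, self._in_script = [], [], False
    def handle_comment(self, data):
        self.comments.append(data.strip())
    def handle_starttag(self, tag, attrs):
        self._in_script = self._in_script or tag == "script"
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def split_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {k.lower(): v.strip() for k, v in (h.split(":", 1) for h in lines[1:])}
    return int(lines[0].split()[1]), headers, body

def cid_of(url):
    return parse_qs(urlparse(url).query).get("cid", [None])[0]

def audit_response(requested_url, raw):
    """What the raw response reveals: status, any X-Hint header, every URL the page
    silently rewrites the address bar to, whether that cid differs from the one
    actually requested, and all HTML comments (where the flag was hidden)."""
    status, headers, body = split_response(raw)
    col = _Collector()
    col.feed(body)
    rewrites = REWRITE_RE.findall("".join(col.scripts))
    return {"status": status, "hint": headers.get("x-hint"), "rewrites": rewrites,
            "silent_rewrite": any(cid_of(r) != cid_of(requested_url) for r in rewrites),
            "comments": col.comments}
```

Run `audit_response("/?cid=vp3ElnOGh7jwP", RAW_200)` to see the rewrite flagged and the comment listed, and the 403 sample to see the X-Hint header surfaced.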
