codezen.fr code hacking, zen coding

2 Jul 2012

NDH2k12 Public Wargame – Personal Blog

Posted by aXs

This is a SPIP site. This version of SPIP stores its database dumps at /tmp/dump/[site name]_[date].xml

Article 1 gives a huge hint about the correct date: http://54.247.160.116:8003/spip.php?article1

27 February 10:57, by Friendly-Boy - "Hii dude, did u remember to made a backup of ur site for the migration ?"
27 February 10:59, by Admin - "fine, fine and u ? yes ive made the backup yesterday."

http://54.247.160.116:8003/tmp/dump/My_Blog_20120226.xml

<spip_articles>
<id_article>2</id_article>
<surtitre></surtitre>
<titre>Secret</titre>
<soustitre></soustitre>
<id_rubrique>1</id_rubrique>
<descriptif></descriptif>
<chapo></chapo>
<texte>4cb7828311a658b2a5c6e11fa4f504d3</texte>

The flag is: 2Secret14cb7828311a658b2a5c6e11fa4f504d3
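
A defender-side check for the exposure described above, as an added example that is not part of the original post: it looks under a web root's tmp/dump directory for files matching the [site name]_[date].xml scheme and reports which tables each one contains. The function names, the `<dump>` root element and the sample records are assumptions constructed for illustration.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path

# Naming scheme from the write-up: tmp/dump/[site name]_[date].xml (date as YYYYMMDD).
DUMP_NAME = re.compile(r"^(?P<site>.+)_(?P<date>\d{8})\.xml$")

# Constructed sample; <dump> root is an assumption, records mirror the post's excerpt.
SAMPLE_DUMP = """<dump>
<spip_articles><id_article>1</id_article><titre>Hello</titre></spip_articles>
<spip_articles><id_article>2</id_article><titre>Secret</titre></spip_articles>
<spip_auteurs><id_auteur>1</id_auteur></spip_auteurs>
</dump>"""


def find_exposed_dumps(web_root):
    """Return one finding per dump file stored under <web_root>/tmp/dump."""
    dump_dir = Path(web_root) / "tmp" / "dump"
    entries = sorted(dump_dir.iterdir()) if dump_dir.is_dir() else []
    findings = []
    for path in entries:
        match = DUMP_NAME.match(path.name)
        if not match or not path.is_file():
            continue
        try:
            # Count records per table so the report shows what the file exposes.
            tables = Counter(child.tag for child in ET.parse(path).getroot())
        except ET.ParseError:
            tables = Counter()  # unparseable, but still a file that should not be here
        findings.append({"path": path.relative_to(web_root).as_posix(),
                         "site": match["site"], "date": match["date"],
                         "tables": dict(tables)})
    return findings


def demo():
    """Build a throwaway web root holding the sample dump, then audit it."""
    with tempfile.TemporaryDirectory() as root:
        dump_dir = Path(root) / "tmp" / "dump"
        dump_dir.mkdir(parents=True)
        (dump_dir / "My_Blog_20120226.xml").write_text(SAMPLE_DUMP)
        (dump_dir / "notes.txt").write_text("not a dump")
        return find_exposed_dumps(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Any finding means a dump is sitting inside the served tree; moving dumps outside the web root or denying HTTP access to tmp/ closes the exposure.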

Filed under: CTF
2 Jul 2012

NDH2k12 Public Wargame – Break Me Like Your Sister – zomb_crypt

Posted by aXs

$ ls -la
total 64
-rw-r--r-- 1 francois francois 38120 Jun 30 01:29 crypto-1.jpg
-rw-r--r-- 1 francois francois 3226 Jun 13 20:50 zomb_crypt.pyc

$ file *
crypto-1.jpg: JPEG image data, JFIF standard 1.01
zomb_crypt.pyc: python 2.6 byte-compiled

$ python
Python 2.6.6 (r266:84292, Dec 27 2010, 00:02:40)
[GCC 4.4.5] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import zomb_crypt
>>> import dis
>>> dir(zomb_crypt)
['Blowfish', 'PasswordError', '__builtins__', '__doc__', '__file__', '__name__', '__package__', 'decode', 'decrypt', 'encrypt', 'getbf', 'hash', 'sys']
>>> dis.dis(zomb_crypt.decrypt)
52 0 SETUP_EXCEPT 190 (to 193)

53 3 LOAD_GLOBAL 0 (open)
6 LOAD_FAST 0 (filename_in)
9 LOAD_CONST 1 ('rb')
12 CALL_FUNCTION 2
15 LOAD_ATTR 1 (read)
18 CALL_FUNCTION 0
21 STORE_FAST 3 (content)

Read the whole file into the content variable.

54 24 LOAD_GLOBAL 2 (len)
27 LOAD_FAST 3 (content)
30 CALL_FUNCTION 1
33 LOAD_CONST 2 (16)
36 COMPARE_OP 0 (<)
39 JUMP_IF_FALSE 5 (to 47)
42 POP_TOP

goodbye if len(content) < 16

55 43 LOAD_GLOBAL 3 (False)
46 RETURN_VALUE
>> 47 POP_TOP

56 48 LOAD_FAST 3 (content)
51 LOAD_CONST 2 (16)
54 SLICE+2
55 STORE_FAST 4 (_hash)

The first 16 bytes of the file are a hash; store them in _hash.

57 58 LOAD_GLOBAL 4 (hash)
61 LOAD_FAST 2 (password)
64 CALL_FUNCTION 1

Hash the password the user entered on the command line.

67 LOAD_FAST 4 (_hash)
70 COMPARE_OP 3 (!=)
73 JUMP_IF_FALSE 13 (to 89)

if hash(user password) != stored _hash, goodbye. And we don't care about the rest of the disassembly because we know w