codezen.fr code hacking, zen coding

25 Nov 2012

RuCTFE 2012 CTF – LuST Service Writeup

Posted by aXs

RuCTFE is a "classic" (these days it's more like "old-skool") Attack/Defense security game where multiple teams (150) compete to hack each other's vulnerable services, hosted in a VirtualBox machine provided by the CTF organizers at the beginning of the contest. Read more about this great CTF and the network setup here: http://ructf.org/e/2012/

One of these vulnerable services was LuSt, a .NET executable running under Mono on the virtual machine:

root@vulnbox:/home/lust# file LuSt.exe
LuSt.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

LuST is a luggage manager for a Mexican (?) airline company. You can deposit your luggage, browse your list of luggage and get the description of a specific piece of luggage.

When you deposit your first piece of luggage, the service creates a cookie in your browser so you can authenticate again later and browse your list of luggage.

Using .NET Reflector we can analyze, disassemble and patch this binary.

Building on System.Net.HttpListener, we have 4 listeners (comments are my own):

public void Start()
{
    this.putListener.Start();   // Deposit your luggage
    this.listListener.Start();  // Browse your luggages
    this.getListener.Start();   // See description of one luggage
    this.indexListener.Start(); // static files (html and assets)
}

Let's see what happens when you deposit your first piece of luggage:

string signature = Convert.ToBase64String(this.Sign(name)); // compute secure cookie signature
if (this.db.IsKnownName(name) && !this.IsValidAuth(context, name, signature)) // compare signature cookie to computed signature
{
  AsyncListener.ShowCustomStatus(context.Response, HttpStatusCode.