CODGATE 2015 CTF quals – Owltube Writeup (Web 400)

Another web challenge from the Codegate quals, and as always it is about owls.
For this challenge we were given a YouTube video player website along with its source code.

[image: owltube preview]

The website offers some functionality such as registration and login:

# Flask imports needed by these handlers; the app object, the route decorators
# and `defaultvids` are defined elsewhere in the challenge source
from flask import request, g, flash, make_response, redirect, url_for

def register():
    u = {}
    u["u"] = request.form.get("user")
    u["pw"] = request.form.get("pw")
    u["email"] = request.form.get("email")

    if g.db.users.find_one({"u":u["u"]}):
        flash("Username taken")
    else:
        g.db.users.insert(u)

        # every new account gets a copy of the default videos
        for vid in defaultvids:
            vid["user"] = u["u"]
            g.db.videos.insert(vid)

        flash("Registered")

    return make_response(redirect(url_for('index')))

def login():
    u = {}
    u["u"] = request.form.get("user")
    u["pw"] = request.form.get("pw")

    # the submitted user/pw dict is used directly as the MongoDB query
    user = g.db.users.find_one(u)

    resp = make_response(redirect(url_for('index')))

    if user:
        # the same dict, username and password included, becomes the auth cookie
        set_cookie(resp, u)
    else:
        flash("Login failed")

    return resp

We can see that the authentication mechanism is cookie based:

import json
from Crypto import Random
from Crypto.Cipher import AES

# BS (the AES block size), SECRET_KEY, pad() and unpad() are defined elsewhere in the source

def get_cookie():
    cookie = request.cookies.get("auth")
    if not cookie: return None

    cookie = cookie.decode("base64")

    # the first block of the cookie is the IV, the rest is the CBC ciphertext
    iv = cookie[:BS]
    cookie = cookie[BS:]
    aes = AES.new(SECRET_KEY, AES.MODE_CBC, iv)
    cookie = aes.decrypt(cookie)
    cookie = unpad(cookie)

    # no MAC or other integrity check: whatever decrypts is parsed as-is
    cookie = json.loads(cookie)

    return cookie

def set_cookie(resp, cookie):
    cookie = json.dumps(cookie)

    # fresh random IV per cookie, prepended to the ciphertext
    iv = Random.new().read(BS)
    aes = AES.new(SECRET_KEY, AES.MODE_CBC, iv)
    cookie = pad(cookie)
    cookie = iv + aes.encrypt(cookie)
    cookie = cookie.encode("base64")
    cookie = cookie.replace("\n", "")

    resp.set_cookie("auth", cookie)

def is_logged_in():
    cookie = get_cookie()

    if not cookie: return False

    # the whole decrypted dict is the lookup query, so a cookie that decrypts
    # to {"u": "admin"} matches the admin record without any password
    user = g.db.users.find_one(get_cookie())

    if not user: return False
    g.user = cookie

    return True

AES in Cipher Block Chaining (CBC) mode is used here, and both encryption and decryption use a secret key which we don't have. Unlike the previous challenge, this one was straightforward: we immediately knew what we wanted to do, and that is a byte flipping attack.

In brief, a byte flipping attack changes some bytes of the plaintext by altering some bytes of the ciphertext: in CBC, each decrypted block is XORed with the previous ciphertext block (the IV for the first block), so a change there lands directly in the corresponding plaintext byte. I won't dive into the details, but for more information you can visit this link (excellent explanation, by the way).

Now all we have to do is forge a cookie which, when decrypted, gives a username of admin. This one worked for me, for example:

auth:dwc0RAPIv1KgpseYvk9u/p4wtI2RtOe6n22IcoEuoGdZ2b3n+0CUDoNgWF0OUqFP
[image: logged in as admin]
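The IV flipping step described above, together with the integrity check the challenge code lacks, as an added example that is not part of the original writeup or the challenge source. It swaps in a small SHA-256 Feistel network for AES so that it runs on the standard library alone (the malleability shown is a property of CBC, not of the cipher), and the keys and the {"u": "zz", "pw": "admin"} plaintext are constructed placeholders.

```python
import hashlib, hmac, json, os
BS = 16  # block size in bytes, as in the challenge's BS

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def block(key, data, decrypt=False):
    # Stand-in 16-byte block cipher (4-round SHA-256 Feistel): CBC malleability is a mode property, not AES's
    l, r = data[:8], data[8:]
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l  # undo the final swap so decryption is the same walk with the rounds reversed

def pad(b): n = BS - len(b) % BS; return b + bytes([n]) * n
def unpad(b): return b[:-b[-1]]

def cbc_encrypt(key, iv, plain):
    out, prev = b"", iv
    for i in range(0, len(plain), BS):
        prev = block(key, xor(plain[i:i + BS], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BS):
        out += xor(block(key, ct[i:i + BS], decrypt=True), prev)
        prev = ct[i:i + BS]
    return out

def set_cookie(key, obj):  # same shape as the challenge: random IV + CBC, no integrity check
    iv = os.urandom(BS)
    return iv + cbc_encrypt(key, iv, pad(json.dumps(obj).encode()))

def get_cookie(key, cookie):
    return json.loads(unpad(cbc_decrypt(key, cookie[:BS], cookie[BS:])))

def flip_first_block(cookie, known, wanted):
    # Block 1 decrypts to D(C1) xor IV, so IV' = IV xor P1 xor P1' yields P1' without the key
    return xor(xor(cookie[:BS], known), wanted) + cookie[BS:]

def mac(mac_key, cookie): return hmac.new(mac_key, cookie, hashlib.sha256).digest()

def set_signed_cookie(key, mac_key, obj):
    cookie = set_cookie(key, obj)
    return cookie + mac(mac_key, cookie)

def get_signed_cookie(key, mac_key, signed):
    # Encrypt-then-MAC: verify the tag in constant time before decrypting anything
    cookie, tag = signed[:-32], signed[-32:]
    return get_cookie(key, cookie) if hmac.compare_digest(tag, mac(mac_key, cookie)) else None
```

With the first block rewritten to `{"u": "zz", "u" ` the cookie decrypts to `{"u": "zz", "u" : "admin"}`, which json.loads reads as u = admin; the signed variant rejects the same modification because the tag no longer matches.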

Once you log in as admin you'll find the flag in the source code.

[image: Flag]

Flag: the_owls_are_watching_again 😀


3 thoughts on “CODGATE 2015 CTF quals – Owltube Writeup (Web 400)”

  1. “Now all we have to do is to forge a cookie which when decrypted the corresponding username will be admin this one worked for me for example”.

    Could you tell me what is your expected plaintext? I don’t think that byte-flipping is easy to implement in this challenge, because the output will contain some garbage bytes and in most of cases it could not be decoded properly as a json string.

    • That's a good question.
      In order to avoid corrupting the JSON data, we were only allowed to change the IV.
      For this example I tried to register a username zz with password admin, so the data to encrypt is {"u": "zz", "pw": "admin"}; the goal of the attack was to change that pw to u so the new plaintext would match {"u": "zz", "u": "admin"},
      hence we log in as admin.
