The weekend of 02-03 july 2016\u00a0is the WARGAME of the\u00a0Nuit du Hack 2016<\/a><\/strong>\u00a0as a Jeopardy CTF<\/strong>. Having had the opportunity and the time to participate with some colleagues and friends, here\u2019s a write-up resolution of the challenges which we could participate.<\/p>\n Given the name of the challenge, “sticky”, we doubt that a notion of cookie and “persistence” will come into play …<\/p>\n By going to the URL of the challenge, we were invited to enter a user name:<\/p>\n Sticky-Sticky login page<\/p><\/div>\n Once a login was entered\u00a0a simple page “Welcome back” was displayed with the login reflected:<\/p>\n Sticky-Sticky connected<\/p><\/div>\n By observing in more detail requests, we have a cookie set:<\/p>\n By testing various encoding \/ decoding base64 value for “resolution”, no relevant information is disclosed, but\u00a0interesting errors (also visible after multiple query execution):<\/p>\n DNS resolution error<\/p><\/div>\n In case you change the value of the cookie “validator”, we get an error attempting to hijack:<\/p>\n Hijack validator<\/p><\/div>\n Testing was continued by trying to inject a payload through the login. A small persistent XSS is here, but nothing exploitable:<\/p>\n XSS in Sticky! Sticky!<\/p><\/div>\n The presence of this XSS, stored server side (although responses appeared behind a load balancer), allowed a malicious troll to inject a false-flag that has baffled more than one ^^! Good game \ud83d\ude09 !<\/p>\n Based on previous errors and hints, we deduce several things:<\/p>\n Trying to query the server “sticky.wargame.ndh” on port 8888 itself:<\/p>\n Response:<\/p>\n Solving the challenge requires definitely close this answer with an “admin: 1”!<\/strong><\/p>\n We focus more on the value of the cookie “resolution”, which, following the issuance of the second “hint”, is in\u00a0Base32:<\/p>\n It is an IP that is encoded in the “resolution” cookie!<\/p>\n A request sent to the application with the cookie generates the following:<\/p>\n Sticky! Stycky normal behavior<\/p><\/div>\n On the client side, we have to take the role of the\u00a0name server (NS), the validation server and force a JSON response\u00a0with:<\/p>\n My computer, connected to the Wargame network of the NDH, has the\u00a0IP: 172.16.16.250<\/strong>, or in hexadecimal: AC1010FA<\/strong> and therefore Base32: VQIBB6Q=<\/strong> (converter available here<\/a>).<\/p>\n The new value of the cookie “resolution” will be VQIBB6Q=<\/strong>. The web server will seek to resolve the host name in “validator” of the NS that will ultimately my machine : 172.16.16.250.<\/p>\n I must therefore turn my post as a DNS server :<\/p>\n Done !<\/p>\n Now the DNS resolution of the host “validator.wargame.ndh” is made by my computer, and point to my computer itself. It only remains to deploy\u00a0a small web server on port 8888 that will return the JSON “admin:1”:<\/p>\n Our web server is running on port 8888, and a “1” file delivers the appropriate JSON to become admin.<\/p>\n It only remains to realize the last request to “sticky.wargame.ndh”, with the cookie:<\/p>\n Stikcy flag<\/p><\/div>\n Bingo ! Flag :\u00a0ndh2k16_e5f3eb90c4438c1a062125e3f74c2b41<\/strong><\/p>\n Sticky! Sticky! PWN !<\/p><\/div>\n Thank you to all the team of the NDH2K16 for this event and for the whole organization!<\/p>\n Greeting to\u00a0nj8<\/a>, St0rn<\/a>, Emiya<\/a>, Mido, downgrade,\u00a0Ryuk@n and\u00a0rikelm, ?\u00a0\/\/ Gr3etZ<\/p>\n Sources & resources :<\/strong><\/p>\n <\/p>","protected":false},"excerpt":{"rendered":" Write-up of the challenge “Web – Sticky! Sticky! ” of Nuit du\u00a0Hack 2016\u00a0Wargame The weekend of 02-03 july 2016\u00a0is the […]<\/p>\n","protected":false},"author":1337,"featured_media":2112,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[524,523,526,527,165,14,525],"tags":[418,469,493,495,494],"class_list":["post-2111","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf","category-events","category-ndh","category-ndh2k16","category-os","category-vuln-exploit-poc","category-wargame","tag-cookie","tag-jeopardy","tag-sticky","tag-validator","tag-web"],"_links":{"self":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/2111","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/users\/1337"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/comments?post=2111"}],"version-history":[{"count":15,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/2111\/revisions"}],"predecessor-version":[{"id":2135,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/2111\/revisions\/2135"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media\/2112"}],"wp:attachment":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media?parent=2111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/categories?post=2111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/tags?post=2111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n
![\"Sticky-Sticky](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/screen02-300x60.png\")
<\/a>![\"Sticky-Sticky](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/screen01-300x44.png\")
<\/a>GET \/index.php HTTP\/1.1\r\nHost: sticky.wargame.ndh\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nCookie: user_id=553241; validator=validator.wargame.ndh; resolution=\"YCUAACI=\"\r\nConnection: close<\/pre>\n
\n
![\"DNS](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/screen04-300x164.png\")
<\/a>![\"Hijack](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/screen03-300x164.png\")
<\/a>![\"XSS](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/stcky005-300x208.png\")
<\/a>\n
GET \/ HTTP\/1.1\r\nHost: sticky.wargame.ndh:8888\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nCookie: user_id=553241; validator=validator.wargame.ndh; resolution=\"YCUAACI=\"\r\nConnection: close<\/pre>\n
HTTP\/1.1 200 OK\r\nServer: nginx\/1.6.2\r\nDate: Sun, 03 Jul 2016 01:32:06 GMT\r\nContent-Type: text\/plain; charset=utf-8\r\nConnection: close\r\nContent-Length: 25\r\n\r\n{\"admin\": 0, \"name\": \"0\"}<\/pre>\n\n
\n
{\"admin\": 0, \"name\": \"admin\"}<\/pre>\n![\"Sticky!](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/archi01-300x179.png\")
<\/a>{\"admin\": 1, \"name\": \"admin\"}<\/pre>\napt-get install dnsmasq\r\necho validator.wargame.ndh 172.16.16.250 >> \/etc\/hosts\r\n\/etc\/init.d\/dnsmasq start<\/pre>\n
mkdir sticky\r\ncd sticky\r\nvi 1 # {\"admin\":1,\"name\":\"admin\"}\r\npython -m SimpleHTTPServer 8888<\/pre>\n\n
![\"Stikcy](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/stcky006-300x164.png\")
<\/a>![\"Sticky!](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/archi02-300x130.png\")
<\/a>\n