This challenge was solved, and the write-up written, by two of my teammates, vasporig and aljasPOD.
If we send in a document, the macro inside it gets executed.
Our way of communicating with the outside world was to execute a ping to a subdomain of ours, .dns.aljaspod.com, for which we captured all the requests with Wireshark.
Most of the time was spent locating the file containing the flag (C:\secret.txt); after looking for any file containing "flag", I tried listing the root of C:.
Since the file could contain characters not allowed in DNS names and could be of any length, I (after some tries) converted the flag into hex and cut it into 16-character parts, sending the following "request" (ping) sequence:
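Seen from the network defender's side, the ping-based exfiltration described above leaves a distinctive trace in the resolver logs: one parent zone receives many distinct, hex-looking leftmost labels, each queried once, all from the same client. The following is an added example and not part of the original write-up; it runs that heuristic over a few constructed query-log lines in an assumed `<timestamp> <client_ip> <qtype> <qname>` format, and the domain names, client addresses and threshold are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample query log (not from the original write-up). Assumed format:
# "<timestamp> <client_ip> <qtype> <qname>", one query per line.
SAMPLE_LOG = """\
2015-10-18T12:00:01Z 10.0.0.5 A www.example.org
2015-10-18T12:00:02Z 10.0.0.5 A 433a5c7365637265.dns.example.invalid
2015-10-18T12:00:03Z 10.0.0.5 A 742e747874206973.dns.example.invalid
2015-10-18T12:00:04Z 10.0.0.5 A 2068657265206973.dns.example.invalid
2015-10-18T12:00:05Z 10.0.0.5 A 6d6f726520686578.dns.example.invalid
2015-10-18T12:00:06Z 10.0.0.7 A mail.example.org
2015-10-18T12:00:07Z 10.0.0.7 AAAA cdn.example.org
2015-10-18T12:00:08Z 10.0.0.5 A 0123456789abcdef.dns.example.invalid
"""

# A leftmost label made only of hex digits and at least 8 characters long looks
# like encoded data rather than a host name (threshold is an assumption).
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}


def find_dns_exfil(log_text, min_unique_labels=3):
    """Group queries by parent zone and flag zones receiving many distinct hex labels."""
    per_parent = defaultdict(lambda: {"clients": set(), "hex_labels": set(), "queries": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Leftmost label is the candidate payload; the rest is the zone it is sent to.
        first, _, parent = rec["qname"].partition(".")
        if not parent:
            continue
        stats = per_parent[parent]
        stats["queries"] += 1
        if HEX_LABEL.match(first):
            stats["hex_labels"].add(first)
            stats["clients"].add(rec["client"])
    alerts = []
    for parent, s in per_parent.items():
        if len(s["hex_labels"]) >= min_unique_labels:
            alerts.append({
                "parent": parent,
                "unique_hex_labels": len(s["hex_labels"]),
                "clients": sorted(s["clients"]),
                # Each pair of hex digits carries one byte of data.
                "approx_bytes": sum(len(label) // 2 for label in s["hex_labels"]),
            })
    return sorted(alerts, key=lambda a: a["unique_hex_labels"], reverse=True)


if __name__ == "__main__":
    for alert in find_dns_exfil(SAMPLE_LOG):
        print(alert)
```

On the constructed log this flags `dns.example.invalid` with five unique labels (about 40 bytes) from a single client. In production the hex-only check produces false positives for content-hash labels used by CDNs and anti-spam services, so combine it with the rarity of the parent zone across the estate and with the per-client query rate; whether the client expects the replies (here a ping to a name that never resolves) is a further tell.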
This challenge was solved, and the write-up written, by one of my teammates, vek.
First, we got the correct password by overwriting the GOT entry of strlen with puts using a format string vulnerability, so that puts(password) got called. We did that with the following input:
With the password ("hitconctf2015givemeshell"), we could trigger a function whose first parameter we controlled (do_job(username)), so all we had to do was change do_job's address to system and the username to the desired command, e.g.
SQL injection is a red herring as every input is escaped properly.
So it should be an mt_rand "vulnerability".
If we register a new account and make multiple reset calls for our new user, we get a lot of tokens. These tokens should be "unxored" with our IPv4 address, so we can get the clean mt_rand() results.
Then, if we can predict the next mt_rand() result and send it in to verify as admin, we get the admin password.
The only problem was that there were a lot of players and we had to get consecutive mt_rand values. So we used Keep-Alive, which solved this problem (we used the same thread, so the internal state of the Mersenne Twister was not changed between our requests).
Mersenne Twister output can usually be calculated backwards, but the problem is that PHP throws away the LSB, so this won't work.
On the other hand, bruteforcing the seed is difficult as we don't have the first outputs of the MT generator.
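To show why a reset token derived from mt_rand() (or any Mersenne Twister output) is not a secret, and why XORing it with the requester's own IP address adds nothing, here is an added Python example that is not part of the original write-up or of the challenge code. It uses Python's random module, which is also MT19937 but, unlike PHP's mt_rand(), exposes the full 32-bit tempered output, so 624 consecutive tokens issued to one client are enough to rebuild the generator state; the seed, client address and token format are constructed assumptions. The hardened form, also shown, draws tokens from the OS CSPRNG (secrets here, random_bytes() in PHP) and compares them in constant time.

```python
import hmac
import ipaddress
import random
import secrets

MASK32 = 0xFFFFFFFF
N = 624  # MT19937 state size in 32-bit words


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def weak_reset_token(rng: random.Random, client_ip: str) -> int:
    """Token scheme modelled on the write-up: a 32-bit MT output XORed with the
    requester's IPv4 address. Constructed illustration, not the challenge's PHP."""
    return rng.getrandbits(32) ^ ip_to_int(client_ip)


def unxor_token(token: int, client_ip: str) -> int:
    """The XOR mask is the requester's own address, so the mask hides nothing."""
    return (token ^ ip_to_int(client_ip)) & MASK32


def untemper(y: int) -> int:
    """Invert the MT19937 output tempering to recover the state word behind one output."""
    y ^= y >> 18                      # undo y ^= y >> 18 (exact in one step)
    y ^= (y << 15) & 0xEFC60000       # undo y ^= (y << 15) & mask (exact in one step)
    x = y
    for _ in range(5):                # undo y ^= (y << 7) & mask, 7 more bits per pass
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    x = y
    for _ in range(3):                # undo y ^= y >> 11, 11 more bits per pass
        x = y ^ (x >> 11)
    return x & MASK32


def clone_generator(tokens, client_ip: str) -> random.Random:
    """Rebuild the server's generator from 624 consecutive tokens issued to one client."""
    if len(tokens) != N:
        raise ValueError(f"need exactly {N} consecutive tokens")
    state = tuple(untemper(unxor_token(t, client_ip)) for t in tokens)
    clone = random.Random()
    # Index N means the next call regenerates the whole block from this state,
    # exactly as the real generator will after handing out 624 outputs.
    clone.setstate((3, state + (N,), None))
    return clone


def demo_prediction(seed: int = 1337, client_ip: str = "203.0.113.7", n_predict: int = 5):
    """Return (actual, predicted) next raw generator outputs after observing 624 tokens."""
    server_rng = random.Random(seed)          # constructed stand-in for the server's PRNG
    observed = [weak_reset_token(server_rng, client_ip) for _ in range(N)]
    clone = clone_generator(observed, client_ip)
    actual = [server_rng.getrandbits(32) for _ in range(n_predict)]
    predicted = [clone.getrandbits(32) for _ in range(n_predict)]
    return actual, predicted


def strong_reset_token() -> str:
    """Hardened form: 256 bits from the OS CSPRNG (PHP equivalent: bin2hex(random_bytes(32)))."""
    return secrets.token_urlsafe(32)


def verify_token(stored: str, presented: str) -> bool:
    """Constant-time comparison so the check does not leak how many bytes matched."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    actual, predicted = demo_prediction()
    print("prediction correct:", actual == predicted)
    print("strong token:", strong_reset_token())
```

The two conditions the write-up relies on are visible in the code: the outputs must be consecutive (the clone is built from an unbroken run, which is what Keep-Alive on one worker gave them) and each output must be recoverable from the token (the XOR with a value the requester knows is reversible). PHP's mt_rand() discarding the low bit makes the state rebuild harder but does not make the generator suitable for secrets; only an unpredictable source such as random_bytes() does.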