29c3ctf Web300 Pwsafe Writeup

This is a rather straight-forward web problem with a little cryptography trick and it’s solved under the joint effort of fqj and me. The initial page consists of login form and register form. After registration user can login in to a pastebin like page in which he or she can edit and save text. Those are nearly all the functionalities.

At first we tried sqli on form, but doesn’t work. Further investigation on potential xss also doesn’t work. Then we turned to focus on http headers. It seems there are some patterns in “session” item of cookie. After comparing several accounts’ cookie with different names and from different computers, fqj found the cookie is actually

954a33ddafa959cf59247cd21b4cc163 + md5(username) + md5(ip)

wow, very useful discovery. The “ip” can be forged by X-Forwarded-For header.

Then, how to use this important pattern? Inferred from the statement of this problem, administrator account may be needed. After fuzzing and crawling we found juicy uris, /admin and /server-status. Based on the return of /admin we figure out that the administrator account username is “admin”, and accessing /server-status shows connections to /admin, which contains ip “1.2.3.4″. Why not give it a try?

So construct session cookie with username “admin” and ip “1.2.3.4″, access login page, and key is there :)