[NeoQuest2017] Planet 6, or "Too much of everything..."
There is a saying that you don't wave your fists after the fight is over. But my first ever CTF, NeoQuest2017, showed that information security on paper differs quite strongly from the practical kind, and that you won't grab flags on the fly. Although, as it turned out, I got right up close to this flag.
So:
"Too much of everything..."
This planet resembles the tropics... An incredible variety of flora and fauna! Our backpacks were already stuffed full of samples and observation logs with descriptions, and we have only just started exploring the planet! Looking around, we realized it would be much more efficient to enter all the information straight into the logbook remotely. The trouble is that the data transfer is very slow, so you need to prioritize correctly.
We try to open the logbook at the link and get:
This page is under construction
We re-read the task text and notice a hint:
The trouble is that the data transfer is very slow, so you need to prioritize correctly.
I killed the first half of the day thinking that this was about HTTP request header fields: Accept-Charset, Accept-Encoding, Accept-Language, Accept, and so on. It turned out not to be.
Further searching revealed that the server supports HTTP/2, and one of its most publicized innovations is precisely request prioritization.
We look for something that can change the priority and find nghttp.
Let's try:
root@kali:~# nghttp -p 3 -v 213.170.100.212
[0.055] Connected
The negotiated protocol: h2
[0.166] send SETTINGS frame
(niv=2)
[SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]
[0.167] send PRIORITY frame
(dep_stream_id=0, weight=201, exclusive=0)
[0.167] send PRIORITY frame
(dep_stream_id=0, weight=101, exclusive=0)
[0.168] send PRIORITY frame
(dep_stream_id=0, weight=1, exclusive=0)
[0.168] send PRIORITY frame
(dep_stream_id=7, weight=1, exclusive=0)
[0.169] send PRIORITY frame
(dep_stream_id=3, weight=1, exclusive=0)
[0.169] send HEADERS frame
; END_STREAM | END_HEADERS | PRIORITY
(padlen=0, dep_stream_id=11, weight=3, exclusive=0)
; Open new stream
:method: GET
:path: /
:scheme: https
:authority: 213.170.100.212
accept: */*
accept-encoding: gzip, deflate
user-agent: nghttp2/1.18.1
[0.232] recv SETTINGS frame
(niv=3)
[SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[SETTINGS_INITIAL_WINDOW_SIZE(0x04):65536]
[SETTINGS_MAX_FRAME_SIZE(0x05):16384]
[0.233] recv WINDOW_UPDATE
(window_size_increment=196605)
[0.233] recv SETTINGS frame
; ACK
(niv=0)
[0.233] recv (stream_id=13) :status: 200
[0.234] recv (stream_id=13) etag: "21-58a4a130-a2bf2"
[0.234] recv (stream_id=13) last-modified: Wed, 15 Feb 2017 18:42:56 GMT
[0.234] recv (stream_id=13) content-type: text/html
[0.234] recv (stream_id=13) content-length: 33
[0.234] recv (stream_id=13) accept-ranges: bytes
[0.235] recv (stream_id=13) date: Mon, 20 Mar 2017 12:01:24 GMT
[0.235] recv (stream_id=13) server: NQ-webserver
[0.235] recv HEADERS frame
; END_HEADERS
(padlen=0)
; First response header
This page is under construction
[0.236] recv DATA frame
[0.236] recv DATA frame
; END_STREAM
[0.236] send GOAWAY frame
(last_stream_id=0, error_code=NO_ERROR(0x00), opaque_data(0)=[])
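To make the priority fields in that trace concrete, here is an added example (my own code, not the author's and not nghttp's) that encodes and decodes the HTTP/2 frame header, the PRIORITY payload and the priority block of a HEADERS frame per RFC 7540, and extracts from a captured request the weight a server would see. The stream ids and weights mirror the trace; the HPACK header block is a constructed placeholder, since header compression is out of scope here.

```python
# Added example, not from the writeup: HTTP/2 priority fields as in the nghttp trace (RFC 7540 4.1, 6.2, 6.3).
import struct
from typing import NamedTuple, Optional
TYPE_HEADERS, TYPE_PRIORITY = 0x1, 0x2
FLAG_END_STREAM, FLAG_END_HEADERS, FLAG_PADDED, FLAG_PRIORITY = 0x1, 0x4, 0x8, 0x20

class Priority(NamedTuple):
    dep_stream_id: int
    weight: int        # 1..256, what nghttp -p takes; on the wire it is stored as weight - 1
    exclusive: bool

def encode_priority(p: Priority) -> bytes:
    # E bit + 31-bit dependency stream id, then one weight byte (this is why 256 is the ceiling)
    if not 1 <= p.weight <= 256:
        raise ValueError("weight out of range 1..256")
    word = (int(p.exclusive) << 31) | (p.dep_stream_id & 0x7FFFFFFF)
    return struct.pack("!IB", word, p.weight - 1)

def decode_priority(data: bytes) -> Priority:
    word, w = struct.unpack("!IB", data[:5])
    return Priority(word & 0x7FFFFFFF, w + 1, bool(word >> 31))

def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    # 9-byte frame header: 24-bit length, type, flags, reserved bit + 31-bit stream id
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload

def headers_frame(stream_id: int, prio: Priority, hpack_block: bytes, padlen: int = 0) -> bytes:
    # END_STREAM | END_HEADERS | PRIORITY, the flags nghttp printed; PADDED is added when padlen > 0
    flags = FLAG_END_STREAM | FLAG_END_HEADERS | FLAG_PRIORITY | (FLAG_PADDED if padlen else 0)
    payload = encode_priority(prio) + hpack_block
    if padlen:
        payload = bytes([padlen]) + payload + b"\x00" * padlen
    return frame(TYPE_HEADERS, flags, stream_id, payload)

def iter_frames(buf: bytes):
    off = 0
    while off + 9 <= len(buf):
        length, ftype, flags = int.from_bytes(buf[off:off + 3], "big"), buf[off + 3], buf[off + 4]
        sid = struct.unpack("!I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        yield ftype, flags, sid, buf[off + 9:off + 9 + length]
        off += 9 + length

def request_weight(buf: bytes, stream_id: int) -> Optional[int]:
    # the server's view: the weight carried by the HEADERS frame that opened stream_id
    for ftype, flags, sid, payload in iter_frames(buf):
        if ftype == TYPE_HEADERS and sid == stream_id and flags & FLAG_PRIORITY:
            body = payload[1:len(payload) - payload[0]] if flags & FLAG_PADDED else payload
            return decode_priority(body).weight
    return None
```

Rebuilding the trace's request as `headers_frame(13, Priority(11, 3, False), hpack_block)` yields a frame with flags 0x25 and the priority bytes 00 00 00 0b 02, the weight byte being one less than the `-p 3` passed to nghttp.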
And at that point my enthusiasm ran out. At the time nobody had taken this flag yet. Having poked at random at a couple of different priority values without hitting the right one, I decided that I had once again chosen the wrong path and moved on to the next task.
As it turned out, all that was needed was an exhaustive search over all possible values:
#!/bin/bash
# Request the page once for every HTTP/2 stream weight nghttp accepts (1..256)
# and let nghttp print each response body.
i=0
until [ $i -eq 256 ]
do
    i=$((i+1))
    nghttp -p $i https://213.170.100.212/
done
exit 0
We get:
root@kali:~# ./123
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
BB
14
7E
F9
2D
66
4D
52
18
14
0A
16
AD
3F
C5
03
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
We enter the received flag on the site and see:
Key accepted (quest timed out)
Well, this time I clearly did not have enough persistence. But the CTF spirit has caught me. Many thanks to the organizers for the great quest. I really look forward to the continuation and hope it will turn out more productively.