3 minuto(s) de lectura

During the holidays, @stackfault (sysop from the BottomlessAbyss BBS) ran a month long CTF with challenges being released every couple of days. Some of challenges were unsolved or partially solved challenges from earlier HackFest editions as well as some new ones. There was also a point depreciation system in place so challenges solved earlier gave more points. This post is a writeup for the Evilconneck challenge by @pathetiq, a quick but fun challenge with websockets and a bit of crypto.

To start with, we have to connect to the BBS and create an account in order to access the challenge description and flag submission panel. We’re given a URL to connect to as well as a bit more information on the other screen.

On the webpage, there’s not much to see: just a couple of images and a few messages about no vulnerabilities present on a static site.

Checking the HTML source code, we can see that there are some comments about debug mode being turned off.

Debug mode enabled

Enabling the “debug mode” is just matter of sending a GET with the debug variable set: http://18.222.220.65/evilconneck/?debug=1

After enabling the debug mode we can see additional javascript being inserted in the page:

The code is supposed to establish a websocket connection but I’m getting a connection error message when looking at my Firefox console:

Doing some debugging, I found that the Origin header isn’t accepted by the server.

GET / HTTP/1.1
Host: 18.222.220.65:64480
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Sec-WebSocket-Version: 13
Origin: http://18.222.220.65
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: 31EYkQq62lBuLoMotKrWZw==
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

HTTP/1.1 403 Forbidden
Date: Tue, 28 Jan 2020 02:25:38 GMT
Server: Python/3.6 websockets/8.1
Content-Length: 84
Content-Type: text/plain
Connection: close

Failed to open a WebSocket connection: invalid Origin header: http://18.222.220.65.

This will probably work by using a hostname intead of the IP address so I added evilconneck to my local hostfile and I was able to successfully connect after using the hostname.

Within Burp I can see my client is sending the uptime string followed by some base64 encoded data.

And the response is always 49170.12 and never changes

Figuring out the HMAC secret key

The first thing I did next was try to figure what that base64 content is all about and it just decodes to meaningless bytes. Interestingly, the length of the output is 32 bytes so this could be a hash of some sort.

I tried changing the uptime message to something else or alter the content of the base64 and I got the following signature failure message everytime: Signature failed! - Expected: 'b64(b85(passwd)),base64(hmac256)'

So it’s probably safe to assume at this point that uptime is the message for which the signature is calculated. Based on the error message, we know that it’s using HMAC with SHA256 for the hash function and that HMAC secret is base85 encoded, then base64 encoded.

To test this theory, I used Python to try to generate the HMAC for the uptime message using a wordlist so I can bruteforce the HMAC secret key. At first, I made the following script but I wasn’t able to find a match with any wordlist I used, such as rockyou.txt:

#!/usr/bin/env python3

import base64
import hashlib, hmac
import progressbar
import sys

c = b"Ji/HQqLPH5KpqzZcYFXRdEHnyn2VI1fqU824IzTzAKs="

progressbar.streams.flush()

with open(sys.argv[1], encoding = "ISO-8859-1") as f:
    passwords = f.read().splitlines()

message = sys.argv[2]

with progressbar.ProgressBar(max_value=len(passwords)) as bar:
    for i, p in enumerate(passwords):        
        secret = base64.b64encode(base64.b85encode(p.strip().encode('utf-8')))
        m = hmac.new(secret, digestmod=hashlib.sha256)
        m.update(message.strip().encode('utf-8'))
        m_b64 = base64.b64encode(m.digest())        
        if c in m_b64:
            print(f"Found password: {p}")
            print(m_b64)
            sys.exit(0)
        bar.update(i)

After double checking my code for a bit, I saw that there’s an option to enable padding before encoding in the b85encode function. This pads the input with null bytes so to make the length a multiple of 4 bytes. After enabling padding I was able to find the HMAC secret.

secret = base64.b64encode(base64.b85encode(p.strip().encode('utf-8'), pad=True))

No need for the full rockyou.txt list afterall, this one is pretty simple: secret

Getting access with websockets

Next, I rewrote my script to send commands through the websocket connection with the proper HMAC appended.

#!/usr/bin/env python3

import asyncio
import base64
import hashlib, hmac
import readline
import sys
import websockets

secret = b'secret'
secret = base64.b64encode(base64.b85encode(secret, pad=True))

async def hello():
    uri = "ws://evilconneck:64480"
    async with websockets.connect(uri, origin='http://evilconneck') as websocket:
        cmd = input('> ')
        m = hmac.new(secret, digestmod=hashlib.sha256)
        m.update(cmd.encode('utf-8'))
        m_b64 = base64.b64encode(m.digest())        
        x = f"{cmd},{m_b64.decode('utf-8')}"
        await websocket.send(x)        
        r = await websocket.recv()
        print(f"{r.decode('utf-8')}")

while True:
    asyncio.get_event_loop().run_until_complete(hello())

Once I found the help command, I was quickly able to get the flag. I just needed to issue hello command as instructed then getflag returned out the flag.