Wednesday, August 29, 2012

Stripe CTF Writeup: Challenge 5

This challenge was a cross-site password authenticator: a service that was supposed to let you run a localized password server to improve security. You were authenticated if the word "AUTHENTICATED" was returned by the "pingback" URL that you provided to the main page. At this point, since we are trying to authenticate with the Level 5 server itself, we have to get around the firewall nastiness. To bypass this, just upload your magic file to Level 2 and "go a level deeper." Inception.
The key that allows this to happen is that the 'params' variable in the Ruby server is populated from both POST and GET requests. This means we can pass parameters in the query string of a URL, which allows us to do a pingback in a pingback (Inception):
pingback=https://level05-2.stripe-ctf.com/user-ufaqkqwmgp/?pingback=https://level02-4.stripe-ctf.com/user-zcwpskokgw/uploads/win.php&username=bob&password=bob
The level05 server fetches the inner level05 URL, which in turn fetches the level02 page and puts its contents into the level05 response, so the outer level05 request sees the magic word coming back from a level05 host and authenticates you with the website. Another small thing to bypass was a regular expression which required the exact string to be on a separate line. The exact string also needed to be preceded by a non-word character (I used a dot). My final script that I uploaded was
<?php echo '<pre>.Authenticated.</pre>'; ?>

-- suntzu_II
