33C3 CTF - pay2win [WEB]

29 Dec 2016 - pimps

Competition: 33C3 CTF
Challenge Name: pay2win
Type: Web
Points: 200 pts
URL: http://78.46.224.78:5000/

The application is basically a system where we can buy 2 files (cheap.txt or flag.txt) inserting a credit card. When we click to buy a item the application generates an encrypted token related to the file we choose and ask us to insert a credit card number to buy the file. Inserting a random credit card number (4111111111111111), the application generates another encrypted token related to the file we just bought and return the content of that file. The buying scheme to cheap.txt file always will work and return the content of the file cheap.txt. The buying attempt to flag.txt always will return a error message.

Using the sequencer on burp suite I generated 100 requests to analyse the token generated by the application. I could observe that only 8 bytes (size of a block) changes and only time by time (behaviour of a timestamp increment based in seconds) as shown below:

5e4ec20070a567e06ce74ade0984b44f 53f13134f3bd2f24 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 53f13134f3bd2f24 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 53f13134f3bd2f24 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 5bc11f2c6a2fea7a 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 5bc11f2c6a2fea7a 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 5bc11f2c6a2fea7a 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 5bc11f2c6a2fea7a 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 5bc11f2c6a2fea7a 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 5bc11f2c6a2fea7a 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 4b192ad6440ee301 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 4b192ad6440ee301 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 4b192ad6440ee301 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 4b192ad6440ee301 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 4b192ad6440ee301 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 4b192ad6440ee301 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 4b192ad6440ee301 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 4b192ad6440ee301 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 35a227008d3f9acb 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 35a227008d3f9acb 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 35a227008d3f9acb 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 35a227008d3f9acb 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 35a227008d3f9acb 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 571b606617b50d55 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 571b606617b50d55 3b5b0554edda4f8828df361f896eb3c3706cda0474915040
5e4ec20070a567e06ce74ade0984b44f 571b606617b50d55 3b5b0554edda4f8828df361f896eb3c3706cda0474915040

Analyzing this generated token I realised that:

It’s probably a 3DES or DES cipher due the size of the blocks (8 bytes)
It’s using ECB mode to encrypt because the end of the cipher text never changes giving the information that each block is encrypted separately.
We can’t perform a ECB suffix decrypt because we can’t control the input that generates this token.

Performing the same analysis on the flag archive we could observe the same behaviour as shown below:

5e4ec20070a567e06ce74ade0984b44f a4af4e92214bae92 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f a4af4e92214bae92 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f 2451bd6a319f6360 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f 2451bd6a319f6360 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f 2451bd6a319f6360 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f edf138276267acb3 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f edf138276267acb3 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f edf138276267acb3 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f edf138276267acb3 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f edf138276267acb3 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f edf138276267acb3 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f edf138276267acb3 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f edf138276267acb3 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f 2ea802d9a4ea1094 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f 2ea802d9a4ea1094 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f 2ea802d9a4ea1094 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f 2ea802d9a4ea1094 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f 2ea802d9a4ea1094 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f 2ea802d9a4ea1094 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f 2ea802d9a4ea1094 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f a858b8f4faf709e2 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f a858b8f4faf709e2 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f a858b8f4faf709e2 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f a858b8f4faf709e2 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f a858b8f4faf709e2 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f a858b8f4faf709e2 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f a858b8f4faf709e2 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f a858b8f4faf709e2 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f 3c191f3e5d1a81f5 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f 3c191f3e5d1a81f5 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
5e4ec20070a567e06ce74ade0984b44f 3c191f3e5d1a81f5 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f

On the next step I did the same analysis on the successful payment token generated by the application when we buy the cheap.txt file:

5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 8298833179a1e537 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 8298833179a1e537 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 740d31dc94700094 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 740d31dc94700094 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 740d31dc94700094 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 740d31dc94700094 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 740d31dc94700094 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 740d31dc94700094 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 a3a761ff4226fb52 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 a3a761ff4226fb52 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 a3a761ff4226fb52 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 a3a761ff4226fb52 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 a3a761ff4226fb52 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 a3a761ff4226fb52 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 a3a761ff4226fb52 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 8d2d55bd3376a3d0 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 8d2d55bd3376a3d0 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 8d2d55bd3376a3d0 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 8d2d55bd3376a3d0 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 8d2d55bd3376a3d0 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 8d2d55bd3376a3d0 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 07164482f3f2ba77 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 07164482f3f2ba77 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 07164482f3f2ba77 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 07164482f3f2ba77 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 07164482f3f2ba77 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 07164482f3f2ba77 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 07164482f3f2ba77 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 b4682446374c8498 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 b4682446374c8498 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 b4682446374c8498 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 b4682446374c8498 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 b4682446374c8498 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 b4682446374c8498 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 b4682446374c8498 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 840b9cf94accdba8 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 840b9cf94accdba8 28df361f896eb3c3706cda0474915040
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 840b9cf94accdba8 28df361f896eb3c3706cda0474915040

We could observe the same behaviour… only a block changing with the behaviour of a time stamp increment. But we could also observe that the last 2 blocks of those tokens are equals as we can observe:

Token generated to buy the file cheap.txt:

5e4ec20070a567e0 6ce74ade0984b44f 571b606617b50d55 3b5b0554edda4f88 28df361f896eb3c3 706cda0474915040

Token generated after pay the file cheap.txt

5765679f0870f430 9b1a3c83588024d7 c146a4104cf9d2c8 840b9cf94accdba8 28df361f896eb3c3 706cda0474915040

So, assuming that the file name comes just after the time stamp on the token generated to read the files, I assumed that the encrypted file name to cheap.txt is:

28df361f896eb3c3 706cda0474915040

On the token created to buy the cheap.txt file has an block after the time stamp and after that we have 2 blocks of the cheap.txt file name.

Assuming the same logic I extracted the encrypted filename to flag.txt from the token generated to buy the flag as shown bellow:

-- 1st block ---  -- 2nd block ---  --- timestamp --  -- extra block -
5e4ec20070a567e0  6ce74ade0984b44f  3c191f3e5d1a81f5  4f75c9736d3b8e06

------------------- file name --------------------
41e7995bb92506da 1ac7f8da5a628e19 ae39825a916d8a2f

So, the encrypted version of the flag.txt file should be: 41e7995bb92506da 1ac7f8da5a628e19 ae39825a916d8a2f

Using the generated token after the payment process to buy the file cheap.txt, I changed the cheap.txt encrypted filename by the flag.txt encrypted filename as shown bellow:

Before:

5765679f0870f430 9b1a3c83588024d7 c146a4104cf9d2c8 840b9cf94accdba8 28df361f896eb3c3 706cda0474915040

After:

5765679f0870f430 9b1a3c83588024d7 c146a4104cf9d2c8 840b9cf94accdba8 41e7995bb92506da 1ac7f8da5a628e19 ae39825a916d8a2f

Using this token on the application we can read the flag.txt file content:

http://78.46.224.78:5000/payment/callback?data=5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8840b9cf94accdba841e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f

flag: 33C3_3c81d6357a9099a7c091d6c7d71343075e7f8a46d55c593f0ade8f51ac8ae1a8

TheGoonies CTF blog

33C3 CTF - pay2win [WEB]

Related Posts

ångstrom CTF 2021 - Oracle of Blair [crypto] 08 Apr 2021

ångstrom CTF 2021 - substitution [crypto] 07 Apr 2021

ångstrom CTF 2021 - I'm so random [crypto] 07 Apr 2021