[NeoQuest2017] 6 planet or "Too much..."

There is an opinion that after a fight with his fists do not wave. But my first ctf NeoQuest2017 showed that paper IB differs from practical hard enough and move the flags to take will not work. Although, as it turned out, I got to the flag in a tight.

/ > So:

"TOO MUCH..."
This planet is reminiscent of the tropics... an Incredible variety of flora and fauna! Our backpacks were filled and all the filled samples, and logs of observations – descriptions, and we've just begun the study of the planet! Looking around, we realized that it is much more efficient to enter all data remotely once in the side the magazine. Here, only data transfer is very slow, so you need to correctly set priorities.

We try to go to view the log on link and get:

the 
This page is under construction

Again reread the text of the task and notice the hint:
the only data transfer is very slow, so you need to correctly set priorities.

The day I killed, thinking that we are talking about the fields of the HTTP request: Accept-Charset, Accept-Encoding, Accept-Language, Accept, etc.

Further search showed that the server supports HTTP/2. Touted as one of his innovations is the prioritization of the queries.

Looking for something with which you can change the priority and find nghttp.

Try
root@kali:~# nghttp -p 3 -v 213.170.100.212
[ 0.055] Connected
The negotiated protocol: h2
[ 0.166] send SETTINGS frame < length=12, flags=0x00, if=0>
(niv=2)
[SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]
[ 0.167] send the PRIORITY frame <length=5, flags=0x00, if=3>
(dep_stream_id=0, weight=201, exclusive=0)
[ 0.167] send the PRIORITY frame <length=5, flags=0x00, if=5>
(dep_stream_id=0, weight=101, exclusive=0)
[ 0.168] send the PRIORITY frame <length=5, flags=0x00, if=7>
(dep_stream_id=0, weight=1, exclusive=0)
[ 0.168] send the PRIORITY frame <length=5, flags=0x00, if=9>
(dep_stream_id=7, weight=1, exclusive=0)
[ 0.169] send the PRIORITY frame <length=5, flags=0x00, if=11>
(dep_stream_id=3, weight=1, exclusive=0)
[ 0.169] send HEADERS frame < length=38, flags=0x25, if=13>
; END_STREAM | END_HEADERS | PRIORITY
(padlen=0, dep_stream_id=11, weight=3, exclusive=0)
; Open new stream
:method: GET
:path: /
:scheme: https,
:authority: 213.170.100.212
accept: */*
accept-encoding: gzip, deflate
user-agent: nghttp2/1.18.1
[ 0.232] recv SETTINGS frame < length=18, flags=0x00, if=0>
(niv=3)
[SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
[SETTINGS_INITIAL_WINDOW_SIZE(0x04):65536]
[SETTINGS_MAX_FRAME_SIZE(0x05):16384]
[ 0.233] recv WINDOW_UPDATE frame < length=4, flags=0x00, if=0>
(window_size_increment=196605)
[ 0.233] recv SETTINGS frame < length=0, flags=0x01, if=0>
; ACK
(niv=0)
[ 0.233] recv (if=13) :status: 200
[ 0.234] recv (if=13) etag: "21-58a4a130-a2bf2"
[ 0.234] recv (if=13) last-modified: Wed, 15 Feb 2017 18:42:56 GMT
[ 0.234] recv (if=13) content-type: text/html
[ 0.234] recv (if=13) content-length: 33
[ 0.234] recv (if=13) accept-ranges: bytes
[ 0.235] recv (if=13) date: Mon, 20 Mar 2017 12:01:24 GMT
[ 0.235] recv (if=13) server: NQ-webserver
[ 0.235] recv HEADERS frame < length=96, flags=0x04, if=13>
; END_HEADERS
(padlen=0)
; First response header
This page is under construction
[ 0.236] recv DATA frame < length=33, flags=0x00, if=13>
[ 0.236] recv DATA frame < length=0, flags=0x01, if=13>
; END_STREAM
[ 0.236] send GOAWAY frame < length=8, flags=0x00, if=0>
(last_stream_id=0, error_code=NO_ERROR(0x00), opaque_data(0)=[])


And that my enthusiasm waned. At that time, the flag that no one take couldn't. Poked at random a few different priority values, and not once in need, I decided I chose the wrong path and moved on to the next task.

As it turned out all I had to do a brute force for all possible values:

the 
!/bin/bash
until [$i -eq 256]
do
let "i=i+1"
nghttp -p $i https://213.170.100.212/
done 
exit 0

Received:
root@kali:~# ./123
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
BB
14
7E
F9
2D
66
4D
52
18
14
0A
16
AD
3F
C5
03
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction
This page is under construction

Enter the flag on the website and see:
the Key is accepted (the quest time expired)

Well, perseverance in this time I obviously did not have. But the spirit of the ctf captured me. Thanks to the organizers for a great quest. Really looking forward to continuing, and hope that it will turn out to be more effective.
Article based on information from habrahabr.ru

Популярные сообщения из этого блога

Approval of WSUS updates: import, export, copy

Изображение
the Backstory Until recently, I worked as edikasyon a major Russian company that has many offices throughout the country. In my jurisdiction there were eleven sites, located in different cities of the Far East (this is important). In each of these offices had its own, not connected with other network infrastructure — your domain AD own subnet, etc. Once the leadership gave me the task to organize the automatic updating of the OS and programs from MS and allowed to expand on accountable sites WSUS . Problem After WSUS was deployed, binding policy, computers to WSUS groups are configured, the directory synchronization content server MS held, etc., the question arose: who and how will approve the update? Imagine 11 cities that are so "fast" and "stable", that rare moment when latency of ICMP replies are only 800 MS, are perceived as unheard of luck. And in each you test all updates before deploying. The access to the servers at the sites was only v...
Далее...

Kaspersky Security Center — the fight for automation

oddly enough, I found habré only one article on the subject — the sandbox much unfinished actually contains a piece of the slightly redesigned the product help. Yes, and Google query klakaut silent. I'm not going to tell you how to administer the hierarchy of Kaspersky Security Center (hereinafter KSC) from the command line — I do not yet need never. Just want to share some thoughts about automation tools to those who need it and disassemble one case with which I had to face. If you, %habrauser%, this topic will be interesting — welcome under kat. Historically, the anti-virus protection on the job, I prefer products of Kaspersky Lab (hereafter LK). Causes and other Holy war of personal opinions, I'll leave behind the scenes. Naturally, I would like to centrally deploy, protect, to protect and to enforce the law to draw beautiful graphics to integrate into existing monitoring systems and to do other work shifting the blame to a healthy server. And if you deplo...
Далее...

The Hilbert curve vs. Z-order

Изображение
Repeatedly heard the opinion that of all swept curves . it the Hilbert curve the most promising for spatial indexing. The explanation given is that it does not contain discontinuities and therefore in some sense “well-arranged”. Whether so it actually and what is the spatial indexing, we will understand under the cut. The concluding article of the series: the the Why doesn't the straightforward approach to spatial indexing swept curves the Presentation the 3D and obvious optimization the 8D and perspectives OLAP the 3D field as it looks the 3D field benchmarks the How about indexing non-point objects? The Hilbert curve has the remarkable property — the distance between two successive points is always equal to one (step current of detail, to be precise). Therefore, data is not much different Hilbert curve values are close to each other (the inverse, incidentally, is wrong — adjacent points may be very different in meaning). For this property it is us...
Далее...