CSAW Quals 2018
So, after a break from writing blogs since last year, I thought of writing a blog for this particular challenge because of the time it took to solve and also the method involved in solving it.
The challenge description was:
Not My Cup of Coffee, I heard you liked food based problems, so here's a liquid one.
Clicking on the link directs us to the home page, where some beans are already present in a table; scrolling down shows Flag, which is the one we are interested in.
Below that there was a link to the admin panel, which led to a password-protected page. When I tried entering random values, it showed incorrect. For a moment, I thought it would be injection, but that did not seem to work out.
Later, going back to the main page, there was an option of Start breeding, where there is a column with two fields to enter our input and another two boxes containing parent1 and parent2. I randomly tried giving in some input and gave the default parent, which was Covfefe, with the name as
Redirecting to the home page and scrolling down showed us that our value got input, with a description as well of Covfefe. Since there was Flag below that, my essential aim was to see which parent's description was inherited and bingo, it was parent1. Also, we were able to see that the parent list in the Start Breeding page had new options being added with the Name that we gave before.
Later on, going through the source code revealed that there was something next to the option, which was more like an alphanumeric string separated by a hash. I was able to get that the first was a base64 string and the second, some hex string. Decoding the base64 string of one of the options, here I took Covfefe, revealed a string.
So after a bit of traversal through the web site, there was a request to admin.jsp, and going to that (http://web.chal.csaw.io:8616/admin.jsp) dumped the password with a $ sign in between.
But since JavaCodes are deterministic, we can create one that matches this and that was
Logging in to the admin page with this string gave me a key which was c@ram31m4cchi@o. Also, we had a hash appended towards the end of the serialized beans. After a bit of digging, I found that the hash appended was just a salt and not anything else. Now basically I had to craft a payload which contains the keyword Flag in it, appended with the salt.
The next thing was crafting the payload + "-" + sha256sumhex(payload + salt) where
c@ram31m4cchi@o. Essentially, crafting the payload was a bit of a task, so in the beginning my team-mate Heeraj and I had thought of replacing
Flag and had sent a request by modifying parent1, but it yielded no result. Then what we thought of was the string length of Flag compared with that of Covfefe. Yes, it is different and hence would alter the structure. So the very next moment, we took the base64 of Raid, updated it with Flag and appended the hash that was to be appended, which was
So the final string that had to be sent to the server in
Bingo, modifying the request of parent1 with the parameter of Name filled gives us the flag.
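The token layout and the same-length swap described above, as an added example (not code from the original post or from the challenge). It assumes the tag is SHA-256 over the raw payload bytes followed by the salt, and it uses a constructed salt and a simplified length-prefixed record in place of the real Java serialized bean; all function names are hypothetical.

```python
import base64, hashlib, hmac, struct

SALT = b"constructed-demo-salt"  # constructed value, not the challenge's key

def pack_field(text):
    """Length-prefixed string: 2-byte big-endian length, then UTF-8 bytes."""
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw

def unpack_fields(blob):
    """Walk the blob field by field; ValueError if a length prefix is wrong."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        if pos + size > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + size].decode("utf-8"))
        pos += size
    return fields

def make_token(payload, salt):
    """base64(payload) + "-" + sha256hex(payload + salt), as in the write-up."""
    tag = hashlib.sha256(payload + salt).hexdigest()
    return base64.b64encode(payload).decode("ascii") + "-" + tag

def check_token(token, salt):
    """Return the decoded payload if the tag matches, otherwise None."""
    b64, _, tag = token.rpartition("-")
    try:
        payload = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hashlib.sha256(payload + salt).hexdigest()
    ok = hmac.compare_digest(expected.encode(), tag.encode())
    return payload if ok else None

def rename(blob, old, new):
    """Byte-level name swap; the length prefix is left untouched."""
    return blob.replace(old.encode(), new.encode())

if __name__ == "__main__":
    raid = pack_field("Raid") + pack_field("desc")        # constructed record
    print(unpack_fields(rename(raid, "Raid", "Flag")))    # same length: parses
    swapped = make_token(rename(raid, "Raid", "Flag"), SALT)
    print(check_token(swapped, SALT) is not None)         # re-tagged: accepted
```

Once the salt is readable by clients, `check_token` accepts any payload they re-tag, so the tag protects the bean only while that value stays on the server.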
Reach out to me on Twitter for more updates.