Saturday, April 4, 2015

UIUCTF 2015 - hype - Web Challenge

Didn't have time to do UIUCTF this year since it ran concurrently with NDH but I did this challenge to help a team member out who was doing it and it only took 15 minutes. It was a fun challenge called hype, worth 100 points.

With the challenge was a link to a website: and a link to a Youtube video

I didn't pay attention to the Youtube link but the website gave the following output:

 root@mankrik:~/uiu/hype# curl  
  * Your goal is to find the flag on this domain. *  
   "password": "uhnptlpq1j8yy2nrp7nmhfn7s1vgp4r"  
   "publicKey": "wzd7680uungk7u2jm9h0l49xsr38532dcdfvgd5qtcgt84suw8w0.k"  
   "password": "thonaeriecioloshoopaetefaiphuga"  
   "publicKey": "cuwf4rmtbkz1c94x3nmvj359cn8ww6146k17qvj2dx9spnxhtyq0.k"  
   "password": "fesijdojsdyrdyrdyrdyrdyrdyrdyr"  
   "publicKey": "kkm9h5my5tld01trzs3pt5szzsl462csnxj930kyxdn35gwj6150.k"  

Ok so we know the goal, but what to do. I tried connecting to the given hosts on the given port numbers but that seemed like the wrong direction so I Googled some of the information and began to learn just what "Hyperboria" is.
Hyperboria is a global decentralized network of "nodes" running cjdns software. The goal of Hyperboria is to provide an alternative to the internet with the principles of security, scalability and decentralization at the core. Anyone can participate in the network by locating a peer that is already connected.
Which leads us to the question of, what is CJDNS?
Cjdns implements an encrypted IPv6 network using public-key cryptography for address allocation and a distributed hash table for routing. This provides near-zero-configuration networking, and prevents many of the security and scalability issues that plague existing networks.
Ok. So it looks like what we have is a list of Hyperboria peers we need to use to access the website via it's Hyperboria IPv6 address.

I installed CJDNS, added the given nodes as peers and started the CJDNS routing daemon. The next step was just to connect to the site's IPv6 address which we learned via DNS:

 root@mankrik:~/uiu/hype# nslookup -type=AAAA  
 Non-authoritative answer:     has AAAA address fcbe:4b13:cb2d:6d85:b2e6:f8ec:d290:39b8  

And fired up firefox with the URL: http://[fcbe:4b13:cb2d:6d85:b2e6:f8ec:d290:39b8]/

Which gave us the flag:

No comments:

Post a Comment