Hack the North 2015 CTF Solutions

Congratulations to all who attempted the Hack the North 2015 CTF! This was a difficult CTF that covered a very wide range of topics. Not everyone was able to complete the CTF—indeed, most were not—but everyone made a great effort. We were impressed at the degree of collaboration, especially among the final victors, Joseph Roque, Jeffrey Deng, and Felix Mo.

Because of the length of this CTF, we are including a picture that describes the intended route, in graph form. Links indicate that a previous part is required to complete a future part. The graph is to be read from top to bottom. Red nodes indicate keys, blue ones indicate web portions, and green ones indicate SSH portions. Please excuse the poor quality of the SVG.

[Route graph (SVG not rendered); nodes: Start, Employee, Bank, Don, Admin, Public Node, Public Node, IN #1, IN #5, IN #4, IN #2, Accounts, Shamir, Wes, Kate, Sierra, Fred, Coda]

Solutions will be released gradually, starting from the beginning. At this stage, solutions for the employee portal, admin panel, and bank terminal have been released. If you have alternative solutions for any of these parts, feel free to share on #random!

Start

View the message from the anonymous character. Take note, or record, the credentials and IP addresses, as these seem like they will be important in the future.

Employee

Observe the login screen. Enter the username jameson (provided earlier) and the password hunter72 (also provided earlier).

Next observe a screen with a single obvious link to proceed. Click this link and observe a retro-style webpage with again a single link. Click this link and observe a poorly-composed poem with a note that other poems are in this directory, /~dglenn/private. On some web servers (those with directory listing enabled), to access other files in a directory, one may simply enter the URL of the directory itself. Do this to arrive at a directory listing with two new files, bluesky.txt (which unfortunately contains only another poorly-composed poem) and key.txt, which seems to contain useful information. Save this information for later.

Now, there is nothing more to observe in /~dglenn. Return to the employee panel, perhaps noticing that one remains logged in. Recall Jameson's statement that one must obtain access to the admin panel. Two ways may come to mind: log in as an admin, or pretend to have logged in as an admin. The first method seems fruitless; there is no other username and password in sight. The second method suggests investigating how the server keeps track of sessions. Observe that upon logging in, a cookie named accesslevel is set. The name of this cookie seems to imply that it controls what privileges the employee has. Set this cookie to 2 with any method, and refresh the page.
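The accesslevel cookie works because the server trusts a value the client controls. The following is an added example (not code from the CTF) contrasting that check with one where the level is bound to a server-side secret by an HMAC, so an edited value no longer verifies; the secret, cookie format and function names are constructed for illustration.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed example secret; a real server loads this from configuration.
SERVER_SECRET = b"constructed-example-secret"


def parse_cookies(header: str) -> dict:
    """Turn a raw Cookie header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_admin_vulnerable(cookie_header: str) -> bool:
    # The CTF's flaw: the level is whatever the browser sends, so a user can
    # rewrite accesslevel=1 to accesslevel=2 and become an admin.
    return parse_cookies(cookie_header).get("accesslevel") == "2"


def make_access_cookie(level: int) -> str:
    """Hardened cookie: '<level>.<hmac-sha256 tag>' issued by the server at login."""
    body = str(level).encode()
    tag = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()
    return f"accesslevel={body.decode()}.{tag}"


def is_admin_hardened(cookie_header: str) -> bool:
    # Recompute the tag over the presented level; a tampered level (or a bare
    # "accesslevel=2" with no tag) fails verification, so the level is ignored.
    value = parse_cookies(cookie_header).get("accesslevel", "")
    level, sep, tag = value.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, level.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and level == "2"
```

Storing only a random session id in the cookie and keeping the level in a server-side session table is the other common fix; either way the client never holds an editable privilege value.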

Proceed to Admin.

Admin

At this point, there is one more link. Click it, and learn about the unusual security practices of the company. There is of course yet another link. Click it to observe a webpage that seems to be useless at this stage, but also seems to be the ultimate goal of the CTF. Observe that Don's key is likely one of five needed for this part.

Presently, there is nothing more to be done on this website. Navigate to the IP listed as the new website to proceed.

Bank

This part can be done at any time before the internal nodes, but because of its relative ease and convenient access, most chose to do it as soon as they completed the admin panel. Interestingly, this part was originally planned to take place after the internal nodes. However, because of how easy it was, it was bumped to the very start.

There are indeed two ways to solve Bank. Observe that transfers of more money than exists in the account, which was most people's first plan, do not work. At this point, visualize an internal model of how the server verifies whether it is possible to transfer. The clear condition is that the amount to be transferred must be less than the amount remaining in the account.

But wait! If that's the only condition, then what about transferring a negative amount? We can get $200 in Chequing simply by transferring −200 to Savings! And indeed, the server does not check that the amount must be positive, so one solution is simply transfer cs -200.

The alternative solution was heavily hinted at by the time needed to transfer funds. Obviously a server of our size does not really need ten seconds to update two numbers, so it would seem that the wait time is deliberate. Those who had heard of a story involving Starbucks gift cards may be reminded of how race conditions can be employed to get more money. In this case, the obvious race condition is to send twice from savings to chequing, because it seems the numbers had not yet been updated—so the check of the second transfer may occur before the balance update of the first transfer. Therefore, this method involves simply two separate commands of transfer sc 100.

At this point, simply withdraw to obtain your list of accounts. This list will be useful for every internal node.

Both methods can be used to gain an arbitrary amount of money in either account, but as a side note it seems that no method could be used to increase the total amount of money in both accounts. If anyone has another alternative solution that results in this superior outcome, feel free to share!
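Both Bank solutions (the negative transfer and the double transfer race) come from the same transfer routine: it checks only that the amount does not exceed the source balance, and the check is separated from the balance update by the server's delay. This added example (not the CTF's own server code) models that routine beside a hardened one that rejects non-positive amounts and makes check-and-update atomic; the starting balances ($100 each) and the 0.3 s delay are constructed.

```python
import threading
import time


class Bank:
    """Toy account store with two balances (constructed: $100 in each)."""

    def __init__(self):
        self.balances = {"savings": 100, "chequing": 100}
        self._lock = threading.Lock()

    def transfer_vulnerable(self, src, dst, amount, delay=0.0):
        # Only checks that the source covers the amount: no sign check, and the
        # update happens after a delay, so a second request can pass the check first.
        if amount > self.balances[src]:
            return False
        time.sleep(delay)  # stands in for the CTF's ten-second processing wait
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True

    def transfer_hardened(self, src, dst, amount):
        # Reject non-positive amounts, and hold a lock across check and update.
        if not isinstance(amount, int) or amount <= 0 or src == dst:
            return False
        with self._lock:
            if amount > self.balances[src]:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
        return True


def negative_transfer_demo():
    """'transfer cs -200' against the vulnerable routine; returns (accepted, balances)."""
    bank = Bank()
    ok = bank.transfer_vulnerable("chequing", "savings", -200)
    return ok, dict(bank.balances)


def race_demo(method_name):
    """Two concurrent 'transfer sc 100' requests against the named transfer method."""
    bank = Bank()
    fn = getattr(bank, method_name)
    kwargs = {"delay": 0.3} if method_name == "transfer_vulnerable" else {}
    threads = [threading.Thread(target=fn, args=("savings", "chequing", 100), kwargs=kwargs)
               for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return dict(bank.balances)
```

In both vulnerable outcomes the two balances still sum to $200, matching the observation above that neither trick increases the total; the hardened routine lets exactly one of the racing transfers through and refuses the negative one.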