Camp CTF 2015 – websocket

Description

CTF: Camp CTF 2015
Title: websocket
Category: Web
Points: 100
URL: http://challs.campctf.ccc.ac:10116/
Description:
What does this service do? It hides a flag!

Solution

The page is quite empty: there is only a single form field to query “needles” in the haystack, i.e. the database.

As expected from the title, the queries do not use standard HTTP requests but WebSockets. Once the browser was configured with Burp Suite, we could easily analyse the traffic.

After a few tries, it seemed that the form was not vulnerable to SQLi or LFI. However, we found out that a query could contain at most 2 characters.

And sometimes only one.

The letter “a” uses only one byte while “§” uses 2 bytes. We therefore deduced that the query accepts only 2 bytes, which means a total of 2^16 = 65,536 possibilities*.

Let’s brute force that!

[* actually, it is 2^16 + 2^8 + 2^0]
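The keyspace arithmetic above, worked through as an added example (this is not the script used for the challenge). It assumes the limit is enforced on the UTF-8 encoded length, as the “a” versus “§” observation suggests, and it also counts how many of those byte strings are valid UTF-8, since WebSocket text frames must carry valid UTF-8. All function names are illustrative.

```python
from itertools import product

MAX_BYTES = 2  # query size limit observed in the write-up


def utf8_len(query: str) -> int:
    """Size of a query as the service appears to measure it: encoded bytes."""
    return len(query.encode("utf-8"))


def byte_candidates(max_bytes: int = MAX_BYTES):
    """Yield every byte string of length 0..max_bytes."""
    for n in range(max_bytes + 1):
        for combo in product(range(256), repeat=n):
            yield bytes(combo)


def is_text(payload: bytes) -> bool:
    """True if the payload is valid UTF-8, i.e. fits in a WebSocket text frame."""
    try:
        payload.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def keyspace(max_bytes: int = MAX_BYTES):
    """Return (count of all byte strings, count that are valid UTF-8 text)."""
    total = text = 0
    for payload in byte_candidates(max_bytes):
        total += 1
        text += is_text(payload)
    return total, text


if __name__ == "__main__":
    # "a" is one byte, "§" is two, so "a§" would exceed the 2-byte limit.
    print(utf8_len("a"), utf8_len("§"), utf8_len("a§"))
    # 2^16 + 2^8 + 2^0 raw byte strings, and the subset that is valid text.
    print(keyspace())
```

Either count is small enough to enumerate in minutes, so an input-length cap of this size gives the hidden value no real protection.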

 

After a few minutes, we get the following flag:

Flag: CAMP15_foobar_golden
