[00:29:12] <m0shbear> wow franku only go
[00:29:16] <m0shbear> ing in state this year?
[00:29:18] <m0shbear> soft@
[00:29:20] <m0shbear> !
[00:33:41] <gsingh93> anyone here a crypto genius?
[00:33:58] <gsingh93> our team has been struggling since shane realized there's more to life than CTFs
[00:34:02] <gsingh93> (he's wrong btw)
[00:36:22] <vishwin> lol
[00:43:14] <majora> lol
[00:43:21] <majora> no, and I'm still stuck on mfw q.q
[00:48:50] <gsingh93> broken box seems like an RSA fault attack
[00:48:52] <gsingh93> but nothing's working
[00:48:54] <gsingh93> majora: want a hint?
[00:49:30] <majora> I know I'm supposed to do an RCE but I'm a bit stuck on how to do that part
[00:50:05] <majora> I know code prevents local file inclusion and I've tried things like null bytes to help etc
[00:50:12] <majora> but a further hint would be helpful, yes
[00:50:32] <gsingh93> do you have the code?
[00:50:42] <gsingh93> the source, that is?
[00:50:48] <gsingh93> http://web.chal.csaw.io:8000/.git/config
[00:50:53] <majora> yes
[00:51:01] <majora> I looked at it and saw the check for ..
[02:18:09] *** Quits: majora (~majora@108.61.68.145) (Quit: Leaving)
[02:56:31] <vishwin> woot, my opensmtpd successfully sent and relayed its first email
[08:58:22] *** Joins: majora (~majora@gateway/vpn/privateinternetaccess/majora)
[11:13:53] *** Joins: jacobj (~jacobj@c-71-232-56-143.hsd1.ma.comcast.net)
[11:18:11] <majora> jacobj at it again
[11:18:12] <majora> :)
[12:33:45] *** Quits: majora (~majora@gateway/vpn/privateinternetaccess/majora) (Ping timeout: 248 seconds)
[12:49:34] *** Joins: majora (~majora@gateway/vpn/privateinternetaccess/majora)
[13:45:21] <jacobj> woh what i doing here
[13:45:27] <jacobj> i 4got about this irc
[13:45:29] <jacobj> ama
[13:46:59] <majora> lol
[15:09:23] *** Quits: jacobj (~jacobj@c-71-232-56-143.hsd1.ma.comcast.net) (Quit: My MacBook has gone to sleep. ZZZzzz…)
[15:19:51] <clinth> what the hell
[15:19:59] <majora> hm?
[15:21:11] <clinth> I wanted to switch the side of the fridge the door hinge is on
[15:21:28] <clinth> and everything was fine until there's like a torx screw on the top, just filling in an empty hole
[15:31:38] <vishwin> rekt
[15:41:07] <majora> lol fuck fridges, just move to alaska
[15:45:03] *** Joins: jacobj (~jacobj@c-71-232-56-143.hsd1.ma.comcast.net)
[20:36:15] *** Quits: jacobj (~jacobj@c-71-232-56-143.hsd1.ma.comcast.net) (Ping timeout: 272 seconds)
[20:42:23] <gsingh93> sivoais: you around?
[20:45:23] <majora> gsingh93 did you do coinslot lol
[20:45:38] <gsingh93> majora: a teammate did, yes
[20:45:41] <gsingh93> why?
[20:45:50] <majora> oh okay
[20:45:58] <majora> I was just wondering what I should look into doing for it
[20:46:05] <gsingh93> i heard it was easy, but you need to watch out for floating point errors
[20:46:26] <majora> interesting
[21:10:17] <majora> gsingh93: do you know if for wtf.sh(1) the special headers it return has a fact, is that a clue
[21:10:19] <majora> or like bogus
[21:11:01] <gsingh93> lol, i only do pwn and crypto, so i'm going to be very unhelpful here. but i heard from the solver of wtf.sh that his solution was probably not the intended solution
[21:11:25] <gsingh93> ian on the other hand only does web and crypto, so he might be a better person to ask
[21:20:19] <majora> oic
[21:20:30] <majora> well ian helped me a lot earlier
[21:20:35] <majora> so I don't intend on bothering me
[21:20:39] <majora> I'll fuck around more
[21:20:49] <majora> s/me/him
[21:20:49] <yossarian-bot> majora probably meant: I'll fuck around more
[21:26:12] <clinth> c.c what ctf are y'all talking about
[21:26:32] <clinth> and has anyone here done the NSA codebreaker challenge?
[21:34:29] <majora> csaw
[21:34:48] <clinth> oh shit i thought that was next week
[21:49:08] <sivoais> gsingh93: hey, I'm here now
[21:49:35] <gsingh93> sivoais: wanted to see if you had ideas for common mistakes with perl security
[21:49:42] <gsingh93> both ian and i don't know perl
[21:49:46] <gsingh93> and we're working on a problem
[21:49:52] <gsingh93> http://web.chal.csaw.io:8002/
[21:49:53] <yossarian-bot> Title: Perl Examples
[21:50:06] <gsingh93> i tried string interpolation on some inputs
[21:50:09] <gsingh93> i.e @{}
[21:50:15] <gsingh93> didn't work
[21:50:48] <sivoais> oh, hmm... I'm thinking they are using the old CGI.pm module
[21:52:17] <sivoais> lol, I see that the form doesn't escape HTML
[21:56:22] <sivoais> ok, so if you upload a text file, it prints it out
[21:58:09] <clinth> i feel like an idiot for not getting "mfw"
[22:00:25] <clinth> oh omg
[22:01:40] <gsingh93> sivoais: yup, but we don't know if that's exploitable
[22:06:34] <sivoais> are there any hints or is this it? :-P
[22:07:36] <gsingh93> sivoais: no hints
[22:07:55] <gsingh93> i think it's some kind of command injection specific to perl
[22:07:58] <gsingh93> but i'm not sure
[22:09:17] <gsingh93> so for example
[22:09:27] <gsingh93> let's say that there was a variable defined in the script called $q
[22:09:52] <gsingh93> could we do something like $q in a string? or some other syntax?
[22:10:14] <sivoais> interpolation like "$q" ?
[22:10:32] <sivoais> You can also do backticks (which is a possible way to attack this...)
[22:10:50] <sivoais> `cat $q` runs that command and returns the results as a string
[22:12:06] <gsingh93> hmm doesn't seem to work in the name or age field
[22:12:41] <sivoais> I was thinking the filename upload could be a way in
[22:15:21] <sivoais> oh dang, if they did the 2-args form of open, you can run shell stuff that way too
[22:16:07] <sivoais> open $file_handle, "cat /etc/passwd |";
[22:16:21] <sivoais> that would open the filehandle as a pipe
[22:16:59] <sivoais> and if they don't check the filename when doing: open $fh, $dangerous_filename
[22:17:06] <sivoais> they could be running code
[22:17:16] <sivoais> err, shell commands
[22:27:56] <sivoais> hmm, sending a file named "ls |" did not work
[22:29:20] <sivoais> It's running nginx, if that helps
[22:30:51] <sivoais> lol, wait
[22:31:14] <sivoais> If I upload something really large, I get a 418 running under "nginx/1.10.0 (Ubuntu)"
[22:31:22] <sivoais> 413, sorry
[22:31:50] <clinth> that's just an nginx error
[22:31:59] <clinth> doesn't even touch the perl if you're getting that error
[22:32:17] <sivoais> right, but when I go and try to get a 404, it says that it is running Apache
[22:32:38] <clinth> nginx reverse proxy or a legit clue? :S
[22:32:39] <sivoais> that's a little odd
[22:45:27] <sivoais> well, shellshock didn't work for me
[22:50:00] <clinth> have yall done the fuzyll recon?
[23:01:59] <majora> I haven't, I think samurai has tho
[23:10:22] <clinth> im stuck :p
[23:11:02] *** Quits: majora (~majora@gateway/vpn/privateinternetaccess/majora) (Quit: Leaving)
[23:24:09] <gsingh93> clinth: i helped out with the last few
[23:25:04] <clinth> were you involved in part 3 of it? :(
[23:27:51] <gsingh93> possibly
[23:27:59] <gsingh93> was that the first CTF challenge he solved?
[23:28:21] <clinth> yes
[23:28:29] <gsingh93> did you already get the ciphertext?
[23:28:35] <clinth> yes
[23:28:52] <gsingh93> anything stick out to you about that ciphertext?
[23:29:49] <clinth> nope lmao
[23:29:59] <gsingh93> something pretty obvious is going on
[23:30:07] <gsingh93> maybe look at it with `hd`?
[23:32:06] <clinth> yea 0x40?
[23:32:25] <gsingh93> yea
[23:32:26] <gsingh93> @
[23:32:34] <gsingh93> what about the spacing between those
[23:32:45] <gsingh93> do they seem large? short?
[23:34:56] <clinth> short lol
[23:35:10] <gsingh93> so if this is a cipher, what do you think the @'s are
[23:37:45] <gsingh93> lol, they're spaces
[23:37:50] <gsingh93> just do some frequency analysis
[23:38:19] <gsingh93> you can also use the fact that the start of every prompt is the same, but that doesn't help to much because they're all capital letters
[23:39:55] <clinth> oh, lmao
[23:53:07] <clinth> yea, I'm too tired to do this :p