33C3CTF : web200-pay2win

Do you have enough money to buy the flag?
http://78.46.224.78:5000/

Solution

The web application lists two products to buy:

Cheap

Can be bought with a valid card generated here (the card generator link from the original page).

Flag

Accepts the valid card but returns a limit exceeded error message:

Analyzing callback data

When an order is accepted or declined, the server sends you to a callback URL carrying a data parameter:

Cheap callback

http://78.46.224.78:5000/payment/callback?data=5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8de817b1d05ac501928df361f896eb3c3706cda0474915040
Hello, customer!
Payment status: good
Filename: cheap.txt
Content: MAKE C3 HACK AGAIN!

Flag callback

http://78.46.224.78:5000/payment/callback?data=232c66210158dfb23a2eda5cc945a0a9650c1ed0fa0a08f6d80475334bb8e8a1aef38fd25e8ce9872f7ef761e2bbe791
Hello, customer!
Payment status: failed
Credit card limit exceeded!

After running a data sequencer (unique) on the flag callback data, we noticed that there was not much entropy.

Comparing the two callbacks side by side, it was noticeable that the data was in fact divided into 3 blocks.

So after a lot of trial and error, moving the blocks into different positions, we found the arrangement that made the purchase of the flag go through.

The buy formula

buyflag_callback = cheapblock[1] + cheapblock[2] + flagblock[2] + flagblock[3]

buyflag_callback = 5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c86a5c7ef475a00033472741d1bbc3c34f2f7ef761e2bbe791

http://78.46.224.78:5000/payment/callback?data=5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c86a5c7ef475a00033472741d1bbc3c34f2f7ef761e2bbe791
Payment status: good
Filename: flag.txt
Content: 
Flag: 33C3_CENSORED
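The splice above works because the callback data is a ciphertext that the server decrypts and trusts as-is: its blocks decrypt independently and nothing binds them together, so blocks taken from two different valid callbacks still decrypt to a well-formed order. The following is an added example, not code from the writeup or the challenge. The first half reproduces the block comparison step on the three payloads shown above; the 8-byte block size is an assumption (it is the granularity at which the purchase payload lines up with the two legitimate ones, and the size parameter lets you check 16). The second half shows the mitigation a service like this needs, encrypt-then-MAC with HMAC-SHA256, using constructed stand-in ciphertexts and a constructed key; it is not the challenge server's code.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Assumed block size: 8 bytes is the granularity at which the purchase callback
# lines up with the two legitimate callbacks (pass 16 to compare AES-sized blocks).
BLOCK_SIZE = 8
TAG_SIZE = 32  # HMAC-SHA256 digest length

# The three callback payloads exactly as shown in the writeup.
CHEAP_DATA = ("5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8"
              "de817b1d05ac501928df361f896eb3c3706cda0474915040")
FLAG_DATA = ("232c66210158dfb23a2eda5cc945a0a9650c1ed0fa0a08f6"
             "d80475334bb8e8a1aef38fd25e8ce9872f7ef761e2bbe791")
BUY_DATA = ("5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8"
            "6a5c7ef475a00033472741d1bbc3c34f2f7ef761e2bbe791")


def split_blocks(data_hex: str, size: int = BLOCK_SIZE) -> List[bytes]:
    """Split a hex-encoded payload into fixed-size cipher blocks."""
    raw = bytes.fromhex(data_hex)
    if len(raw) % size:
        raise ValueError(f"{len(raw)} bytes is not a multiple of {size}")
    return [raw[i:i + size] for i in range(0, len(raw), size)]


def shared_blocks(a_hex: str, b_hex: str, size: int = BLOCK_SIZE) -> List[Tuple[int, int]]:
    """(index in a, index in b) for every block that occurs in both payloads.

    Identical ciphertext blocks across tokens are the tell-tale of a mode that
    encrypts blocks independently and of a token carrying no integrity check.
    """
    a, b = split_blocks(a_hex, size), split_blocks(b_hex, size)
    return [(i, blk_a) for i, blk_a in []] or [
        (i, j) for i, blk in enumerate(a) for j, other in enumerate(b) if blk == other
    ]


# --- Mitigation: encrypt-then-MAC, so a rearranged token fails verification ---

# Constructed demo key; a real service loads it from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def mint_callback(ciphertext: bytes) -> str:
    """Server side: append an HMAC-SHA256 tag over the whole ciphertext."""
    tag = hmac.new(SERVER_KEY, ciphertext, hashlib.sha256).digest()
    return (ciphertext + tag).hex()


def verify_callback(data_hex: str) -> Optional[bytes]:
    """Server side: return the ciphertext only if the tag is valid, else None."""
    try:
        raw = bytes.fromhex(data_hex)
    except ValueError:
        return None
    if len(raw) <= TAG_SIZE:
        return None
    ciphertext, tag = raw[:-TAG_SIZE], raw[-TAG_SIZE:]
    expected = hmac.new(SERVER_KEY, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return ciphertext


# Constructed stand-ins for two encrypted orders (a real service would produce
# them with a cipher; the byte values themselves do not matter for the MAC check).
CHEAP_CT = bytes(range(0, 48))
FLAG_CT = bytes(range(48, 96))


def splice_demo() -> Tuple[bool, bool, bool]:
    """Whether the cheap token, the flag token and a block-spliced token verify."""
    cheap_tok = mint_callback(CHEAP_CT)
    flag_tok = mint_callback(FLAG_CT)
    # The kind of splice the writeup describes: leading blocks from one order,
    # trailing blocks from the other, reusing the flag token's tag.
    spliced_ct = CHEAP_CT[:2 * BLOCK_SIZE] + FLAG_CT[2 * BLOCK_SIZE:]
    flag_tag = bytes.fromhex(flag_tok)[-TAG_SIZE:]
    spliced_tok = (spliced_ct + flag_tag).hex()
    return (
        verify_callback(cheap_tok) == CHEAP_CT,
        verify_callback(flag_tok) == FLAG_CT,
        verify_callback(spliced_tok) is not None,
    )


if __name__ == "__main__":
    print("cheap vs buy :", shared_blocks(CHEAP_DATA, BUY_DATA))
    print("flag  vs buy :", shared_blocks(FLAG_DATA, BUY_DATA))
    print("(cheap_ok, flag_ok, spliced_ok) =", splice_demo())
```

With the 8-byte block size, shared_blocks reports that the purchase payload reuses the first three blocks of the cheap callback and the last block of the flag callback, which is the pattern the trial-and-error step above was exploiting. Any MAC over the whole token makes that kind of rearrangement detectable, and an AEAD mode (AES-GCM or ChaCha20-Poly1305) gives the same guarantee in one primitive; either way the server must reject the token before it decrypts and acts on the order.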