3dub 1:badmedicine
In this problem, we only see a login form.
After we log in with some username, we get the login-successful page.
But it shows the message "the key is only for the admin".
And if we try to log in as admin, the message "admin login disabled" is shown.
Then we go back, log in with another account, and observe the behavior of the web page with Tamper Data.
With Tamper Data, we observe that the cookie "username" is set.
After trying to log in with different usernames, we get these cookie values:
admin1 : 09c8259ca01f
admiN : 09c8259c80
We can see that most of each cookie is the same and that the values differ only slightly.
Therefore we can guess that the cookie is encrypted with an XOR operation.
Finally, we can work out the cookie for admin:
admin : 09c8259ca0
Then we change the value of the cookie and resend the request to get the key.
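The reasoning above can be checked in code. The following is an added example, not part of the original write-up: it recovers the keystream from the two observed username/cookie pairs, confirms that both pairs agree on it, and reproduces the admin value listed above. For contrast it also shows an HMAC-signed cookie that rejects the same kind of edit; `SECRET` and the `username.tag` cookie format are assumptions made for the illustration.

```python
import hashlib
import hmac

# Username/cookie pairs observed in the write-up.
OBSERVED = {"admin1": "09c8259ca01f", "admiN": "09c8259c80"}


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(pairs: dict) -> bytes:
    """Known-plaintext recovery: keystream = plaintext XOR ciphertext.

    Raises ValueError if two pairs disagree on an overlapping byte, which
    would mean the cookie is not a fixed-keystream XOR of the username.
    """
    keystream = b""
    for name, cookie_hex in pairs.items():
        ks = xor_bytes(name.encode(), bytes.fromhex(cookie_hex))
        overlap = min(len(ks), len(keystream))
        if ks[:overlap] != keystream[:overlap]:
            raise ValueError("keystream differs between cookies")
        if len(ks) > len(keystream):
            keystream = ks
    return keystream


def xor_cookie(username: str, keystream: bytes) -> str:
    """Cookie value the vulnerable scheme would issue for `username`."""
    if len(username) > len(keystream):
        raise ValueError("not enough recovered keystream")
    return xor_bytes(username.encode(), keystream).hex()


# Hardened form (assumption: hypothetical server-side secret and format).
SECRET = b"constructed-demo-secret"


def signed_cookie(username: str) -> str:
    tag = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"


def verify_signed_cookie(cookie: str) -> bool:
    username, _, tag = cookie.rpartition(".")
    good = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, good)
```

Because the keystream is the same for every login, XOR alone gives no integrity: any client that knows one username/cookie pair can compute the value for another name, whereas the signed form fails verification when the name is changed.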
Reference
There are some write-ups about this problem.