No cON Name CTF Quals 2014 - WEBster (200pts) writeup

The challenge description was: Super-secure cloud service.

It was one of the few where we actually had to do something online, when visiting https://ctf.noconname.org/webster/ we are greeted with a login page:

No cON Name CTF Quals 2014 - WEBster (200pts) writeup - 01

My first attempt was to see what happens if I enter a random login/password combo and oh surprise! test:test

No cON Name CTF Quals 2014 - WEBster (200pts) writeup - 02

So it seems we have some sort of online drive where a couple files are stored, let's check the content of flag.txt but I'm not really expecting anything from it:

Seems that you are not in the right place for that

Not in the right place? What does it mean? Let's quickly check the other files, .htaccess:

Order allow,deny Deny from all Satisfy all

README.md:

This is my own cloud storage service. I am trying to protect some files. Guess how :)

list.php source:

<?php
	echo "List";
?>

So yes, not much coming out of these files, what about the cookies?

Host:                 ctf.noconname.org
Name:                 loc
Path:                 /webster/
Content:              c869d000ef5c6fdfa128b058d2865512
Content raw:          c869d000ef5c6fdfa128b058d2865512
Expires:              At end of session
Expires raw:          0
Send for:             Any type of connection
Send for raw:         false
Created:              Sunday, September 14, 2014 9:29:30 PM
Created raw:          1410719369940000
Last accessed:        Sunday, September 14, 2014 9:31:23 PM
Last accessed raw:    1410719482552000
HTTP only:            No
HTTP only raw:        false
This domain only:     No
This domain only raw: false
Policy:               no information available
Policy raw:           0
Status:               no information available
Status raw:           0

There is a loc variable with the value c869d000ef5c6fdfa128b058d2865512. loc could be the location mentioned earlier. 32 bytes long, it could be a MD5, but a MD5 of what?

After trying a couple combo between the test username, password and IP. I ended up trying the MD5 of the IP only and behold: c869d000ef5c6fdfa128b058d2865512. The same location as the loc variable in the cookies.

A false sense of security would be to allow viewing specific files from the localhost only, so I changed the loc variable with the value of md5(127.0.0.1): f528764d624db129b32c21fbca0cb8d6

And I tried opening flag.txt:

NCN_f528764d624db129b32c21fbca0cb8d6

We got our flag:

NCN_f528764d624db129b32c21fbca0cb8d6

It was the last flag I found for No cON Name CTF Quals 2014.