Google CTF 2016 – Ernst Echidna

Challenge Overview

This challenge from Google CTF 2016 involved a web application with a registration system. The target site was hosted at ernst-echidna.ctfcompetition.com.

Initial Discovery

Through basic reconnaissance, we found two key pieces of information:

1. The site had a registration page
2. By checking robots.txt, we discovered a restricted /admin page

Here's what the main pages looked like:

[Screenshot: Registration Page]

[Screenshot: Admin Access Denied]

Understanding the Authentication

When registering with a username and password, the site sets a cookie named 'md5-hash'. Through investigation, I discovered this hash was actually an MD5 of the username. Here's a quick Python demonstration:

>>> import hashlib  # the standalone md5 module is deprecated; hashlib replaces it
>>> asdf = hashlib.md5(b"aghadfadfadfa")
>>> asdf.hexdigest()
'db8dc692ac403330f79d7e22b60213d5'

Testing this with a random username confirmed the cookie generation method:

[Screenshot: Cookie Hash Example]

The Solution

Armed with this knowledge, we could now:

1. Generate the MD5 hash of 'admin'
2. Set this hash as our cookie
3. Access the /admin page

Here's the command that gave us access to the flag:

curl -D - https://ernst-echidna.ctfcompetition.com/admin --cookie md5-hash=21232f297a57a5a743894a0e4a801fc3
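Why the cookie could be forged, and what a server-side fix looks like, as an added example that is not part of the original write-up or the challenge's code. The function names, the cookie layout `username.tag` and the key are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed key for this example only; a real service would load a random
# secret from protected configuration.
SECRET_KEY = b"constructed-example-key-not-from-the-challenge"


def weak_cookie(username: str) -> str:
    """The scheme observed in the write-up: cookie = MD5(username), no secret."""
    return hashlib.md5(username.encode()).hexdigest()


def weak_is_admin(cookie: str) -> bool:
    # Anyone can compute this value offline, so the check authenticates nothing.
    return cookie == weak_cookie("admin")


def _tag(username: str, key: bytes) -> str:
    # HMAC-SHA256 keyed with a secret only the server knows.
    return hmac.new(key, username.encode(), hashlib.sha256).hexdigest()


def signed_cookie(username: str, key: bytes = SECRET_KEY) -> str:
    """Hardened form (assumed layout): '<username>.<hmac tag>'."""
    return f"{username}.{_tag(username, key)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the authenticated username, or None if the tag does not verify."""
    username, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag present, e.g. a bare MD5 value
    expected = _tag(username, key)
    # Constant-time comparison; bytes are used so non-ASCII input cannot raise.
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return username if ok else None
```

A random, server-stored session identifier issued after the password check is the more common design; the keyed tag above is the smallest change that makes the cookie unforgeable without the server's secret.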

Beginner's Tips

As this was my first CTF challenge, here are some valuable lessons learned:

1. Master cURL

  • Learn to follow redirects
  • Understand cookie manipulation
  • Get comfortable with different request types
  • Know how to view response headers and data

2. Always Check robots.txt

  • It's a common source of hidden information
  • Multiple challenges in this CTF used this technique
  • Part of standard web reconnaissance

3. Learn Common Encodings

  • Familiarize yourself with:
      • MD5 hashes (32 characters, hexadecimal)
      • SHA hashes (various lengths)
      • Base64 encoding (alphanumeric + '/+')
  • Being able to recognize these patterns helps identify potential attack vectors