Wednesday, 2 October 2019

[picoCTF2019][WEB EXPLOITATION] WRITE-UP!

So, this is the very first time my new team has taken part in a CTF competition (picoCTF).




I made this write-up as my notes for all the web challenges I solved during the picoCTF competition.






1. Insp3ct0r - Points: 50

It's very clear: we have to look into the source code of this challenge and look for the flag. First, press F12!
Take a look at the 3 files (index, myjs.js, mycss.css) and we easily find the flag: picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?2717d7be}


2. dont-use-client-side - Points: 100

As usual, we take a look at the source code: right-click in the browser → View Page Source. Here is the thing we must look at carefully:




Let's puzzle it together! :D Flag: picoCTF{no_clients_plz_577431}


3. logon - Points: 100

First of all, a login form appears.
Try to access it with admin:admin.





I think we must be "admin" to receive the flag. Let's check the cookie.






Okay! We should edit the value "False" → "True". Reload the page... the flag is right here!

Flag: picoCTF{th3_c0nsp1r4cy_l1v3s_2e19dad3}


4. where are the robots - Points: 100



Simply, we must read the file "robots.txt": visit this URL



Let's check the "/e0779.html" path!





Bingo! Here is the flag: picoCTF{ca1cu1at1ng_Mach1n3s_e0779}



5. picobrowser - Points: 200

Here is the challenge:



We try to get the flag by clicking the "flag" button. So:



You're not picobrowser! Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36



We need to change our browser to "picobrowser"! This is quite simple; check the picture below.





We simply check our User-Agent header and edit it, so the pico server sees our browser as picobrowser.


User agents are unique to every visitor on the web. They reveal a catalogue of technical data about the device and software that the visitor is using


And the result comes up!


Flag: picoCTF{p1c0_s3cr3t_ag3nt_3e1c0ea2}


6. Open-to-admins - Points: 200



Follow the hint:
This secure website allows users to access the flag only if they are admin and if the time is exactly 1400.


We should change the cookie, or add values to it, so that it holds exactly (admin: true, time: 1400).

Seems easy! Let's try editing the cookie!



That's it! We have the flag: picoCTF{0p3n_t0_adm1n5_2e8d3883}


7. Client-side-again - Points: 200



Clearly, we must view the source code and find the credentials or the flag in it. Let's view the page source!



Copy the code and beautify it! :D



And we should focus on this! Simply, let's puzzle it together! :D

Flag: picoCTF{not_this_again_b25df2}


8. Irish-Name-Repo 1 - Points: 300

This is the first challenge of the Irish-Name-Repo series (SQL injection type). How do we know that? Let's check it.



This is the intro page of the challenge! As usual, we should take a look through the webpage, and click to view the login form.



Ctrl + U to view the source code clearly. We should notice this:




What would happen if we changed the value to 1? Let's check it out!





And we try to log in to this form using admin:admin, so the result comes:





Login failed! But it's not a big deal. The "debug machine" works! So we know the type of the challenge: SQL injection. Check the query, and if you know about SQL injection, it's not difficult to bypass. Basically, we must inject an always-true condition into the query. Let's use

admin' or 1=1--


The login form will be bypassed because the condition "1=1" is always true! And the "--" comment is there to cut off the rest of the query (the password check). So this gives us the result:



Almost done, let's submit the flag and get 300 points :D

Flag: picoCTF{s0m3_SQL_93e76603}

9. Irish-Name-Repo 2 - Points: 350



The main page of this challenge is similar to part 1. Of course we should check the login form (maybe it's still SQL injection).





No change in the form of the challenge, so we should go on and find the difference! Let's fuzz the form with the classic query!

admin' or 1=1--


The debug machine works! And here comes the result:



After testing some queries, I realized that this form is filtered: if we input "OR", "ORDER", "SELECT", ..., the alert goes off and reports "SQLi detected". So I decided to try another query with "AND":
admin' and 1=1--

Or simply use this query :D
admin' --




It worked! Submit the flag picoCTF{m0R3_SQL_plz_c1c3dff7} and get the points!!

10. Irish-Name-Repo 3 - Points: 400

Similar to Irish-Name-Repo 1 & 2, we find the login form, but this time it's a little bit different.



It only has a password field! View the source code; the "debug machine" is still here. :D



Let's try the familiar query :D

admin' or 1=1 --




:D As you can see, the query shows our input with every letter shifted by 13 places (ROT13), so we submit the ROT13 form of the payload:

nqzva' be 1=1 --


Let's submit it!



Easy 400 points. Flag: picoCTF{3v3n_m0r3_SQL_ef7eac2f}!
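To show why the three Irish-Name-Repo payloads above behave the way they do, here is an added example (not the challenge's code) with a constructed in-memory SQLite user table: a login that concatenates input as in part 1, the same login behind a keyword blocklist as in part 2, a password-only login that ROT13s its input before concatenating as in part 3, and the parameterized form that resists all of them.

```python
import codecs
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the challenge's user table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'not-guessable')")
    return db


def run(db, sql):
    # True when the query returns a row; a syntax error counts as a failed login.
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        return False


def login_concat(db, username, password):
    # Repo 1 style: user input spliced straight into the SQL text, so a quote
    # closes the literal, "or 1=1" is always true and "--" drops the password check.
    return run(db, f"SELECT username FROM users WHERE username = '{username}' "
                   f"AND password = '{password}'")


BLOCKLIST = ("OR", "SELECT", "ORDER", "UNION")


def login_blocklist(db, username, password):
    # Repo 2 style: a keyword filter in front of the same concatenation.
    # "admin' --" contains none of the words and still bypasses the check.
    if any(word in (username + password).upper() for word in BLOCKLIST):
        return "blocked"   # the challenge's "SQLi detected" response
    return login_concat(db, username, password)


def login_rot13(db, password):
    # Repo 3 style: the password is ROT13'd before concatenation. ROT13 is a
    # bijection, so a payload rotated in advance reaches SQLite as plain text.
    rotated = codecs.encode(password, "rot13")
    return run(db, f"SELECT username FROM users WHERE password = '{rotated}'")


def login_param(db, username, password):
    # Hardened form: placeholders keep quotes and '--' inside the value.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None
```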

11. JaWT Scratchpad - Points: 400

This challenge is related to JWT (JSON Web Token).



For further information, please google it! :D

Okay. Take a look at the main page of this challenge.



As you can see, we can use any name to log in. Try it!



And we are already logged in with my name! So, if you have read about JWT, you would check the cookie of this page. Use Burp, ZAP, whatever, to view the cookie. And here it is:



eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiNFJUSDRTIn0.JE04tWX38GNLmzyl-oZkgzvKdvTs-LN3LFs3wVvQ6lo


So we realize this cookie is a JWT, which is separated into 3 parts. :D Let's decode it at https://jwt.io/. And here is the result:





This JWT is signed with the HS256 algorithm. If we want to tamper with this token, we must know the "secret key" it was signed with. So let's use some tool or code to find it! This time I used jwt_tool :D and the most popular wordlist, rockyou.txt, to brute-force the secret key!




After 7 minutes, the secret key comes up :D



Now we have
ilovepico
as the secret key of this HS256 JWT. Let's put it into the secret key field in the signature section, and change the username to "admin" to create a new JWT that can bypass this challenge! Here it is:



eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWRtaW4ifQ.gtqDl4jVDvNbEe_JYEZTN19Vx6X9NNZtRVbKPBkhO-s


Let's send this JWT as the cookie value to the server.



Save it, reload the page and here comes the result!!



Submit the flag

picoCTF{jawt_was_just_what_you_thought_6ba7694bcc36bdd4fdaf010b2ec1c2c3} for 400 points :D
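As an added example (not the challenge's code), here is what the HS256 signing and verification behind this token look like in the standard library, plus the key-strength check the write-up performed with jwt_tool, reduced to a candidate list. The token constant is the user cookie copied from above; everything else is constructed.

```python
import base64
import hashlib
import hmac
import json

# The cookie copied from the write-up above (issued to user "4RTH4S").
PAGE_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
              "eyJ1c2VyIjoiNFJUSDRTIn0.JE04tWX38GNLmzyl-oZkgzvKdvTs-LN3LFs3wVvQ6lo")


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token):
    # Reading the claims needs no key: a JWT is signed, not encrypted.
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def sign_hs256(claims, secret):
    # HS256 = HMAC-SHA256 over "<header>.<payload>" with the shared secret.
    header = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"


def verify_hs256(token, secret):
    # Server-side check: recompute the MAC and compare in constant time.
    header, payload, sig = token.split(".")
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256)
    return hmac.compare_digest(b64url_encode(mac.digest()), sig)


def weak_secret_check(token, candidates):
    # The check the write-up ran with jwt_tool and rockyou.txt, reduced to a
    # list: if any guessable word verifies the token, the signing key is too
    # weak, and anyone holding a cookie can mint their own "admin" token.
    for word in candidates:
        if verify_hs256(token, word):
            return word
    return None
```

Calling verify_hs256(PAGE_TOKEN, "ilovepico") repeats the check the author did on jwt.io against the cookie copied above.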

12. Empire1 - Points: 400

This challenge took me 2 days to determine the issue and how to solve it. It's about SQL injection (again) :D

Let's get started!



We must log in or register (if you don't have an account) to look through this website. Here it is.





If you input anything in the todo field, it will appear in your todo tab :D. For example, I add "dad" and "DAD" to the todo field and get the result:



After searching and trying different strategies, I realized that the page is vulnerable to SQL injection (SQLite database). Here is the syntax:

'||(SQL)||'


Let's inject some interesting stuff with this syntax. First of all, I try to leak the names of the tables in this database.

'||(SELECT group_concat(tbl_name) from sqlite_master)||'


And receive the result:



These are all the tables we have. :D In my opinion, we should focus on the table "user" :D. Try to leak all the columns in it:

'||(SELECT group_concat(sql) from sqlite_master where tbl_name = 'user')||'


Result:



Following the hint of this challenge, we should try to leak the secret column to get the flag.

'||(SELECT group_concat(secret) from user)||'


Bingo! The flag comes up!!!!



Submit the flag picoCTF{wh00t_it_a_sql_injectdf389592} for 400 points!
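Why the '||(SQL)||' syntax works in Empire1, as an added example (not the challenge's code): a constructed in-memory SQLite database with a user table carrying a secret column and a todo table, an INSERT that quotes the todo text by hand, and the parameterized INSERT that stores the same text as data. The three queries from the write-up are run against it.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the challenge's schema: a user table with the
    # hinted secret column, and a todo table that submitted items land in.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    db.execute("INSERT INTO user (name, secret) VALUES ('admin', 'picoCTF{constructed}')")
    db.execute("CREATE TABLE todo (item TEXT)")
    return db


def latest_todo(db):
    # What the todo tab would display for the most recent entry.
    return db.execute("SELECT item FROM todo ORDER BY rowid DESC").fetchone()[0]


def add_todo_concat(db, item):
    # Vulnerable form: the item is quoted by hand. '||(subquery)||' closes the
    # literal, uses SQLite's || operator to splice the subquery's result into
    # the stored string, and reopens the literal so the statement still parses.
    # Whatever the subquery returns is what the todo tab later shows.
    db.execute(f"INSERT INTO todo (item) VALUES ('{item}')")
    return latest_todo(db)


def add_todo_param(db, item):
    # Hardened form: the same text is stored verbatim, as data rather than SQL.
    db.execute("INSERT INTO todo (item) VALUES (?)", (item,))
    return latest_todo(db)
```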

13. cereal hacker 1 - Points: 450





A login form appears. Filling in admin:admin doesn't succeed, so I try guest:guest:




Logged in! But nothing happens! Let's take a look at the source code and the cookie!

There is nothing useful in the source code, but I found an encoded cookie.




Look through this cookie:


TzoxMToicGVybWlzc2lvbnMiOjI6e3M6ODoidXNlcm5hbWUiO3M6NToiZ3Vlc3QiO3M6ODoicGFzc3dvcmQiO3M6NToiZ3Vlc3QiO30%253D
It has %25, so I decided to URL-decode it and then base64-decode it. And here is the result:


O:11:"permissions":2:{s:8:"username";s:5:"guest";s:8:"password";s:5:"guest";}
It's definitely object injection (a serialized PHP object in the cookie)! I tried to inject it by changing the username and password guest → admin. But it didn't work. After much searching and testing, I realized that we need to inject the password value with a basic SQL injection query:


O:11:"permissions":2:{s:8:"username";s:5:"admin";s:8:"password";s:11:"' or '1'='1";}
Let's encode it back to base64:

TzoxMToicGVybWlzc2lvbnMiOjI6e3M6ODoidXNlcm5hbWUiO3M6NToiYWRtaW4iO3M6ODoicGFzc3dvcmQiO3M6MTE6Iicgb3IgJzEnPScxIjt9
And simply send it as the cookie to the server.




Refresh and come back to the login page:




Bingo. Submit the flag
picoCTF{5a1aa7dfd74a9b67bc5844b8245c9d2e}
for 450 points!
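To see why the s:5 and s:11 length fields in the cookie matter, here is an added example (not the challenge's code) that decodes the guest cookie copied above and implements PHP's serialization layout for an object whose properties are strings, with a strict parser that rejects a length that does not match its data, which is the check PHP's unserialize applies to an edited cookie.

```python
import base64
import re
import urllib.parse

# The guest cookie copied from the write-up (before any decoding).
GUEST_COOKIE = ("TzoxMToicGVybWlzc2lvbnMiOjI6e3M6ODoidXNlcm5hbWUiO3M6NToiZ3Vlc3QiO3M6"
                "ODoicGFzc3dvcmQiO3M6NToiZ3Vlc3QiO30%253D")


def decode_cookie(raw):
    # The value is URL-encoded twice around base64: %253D -> %3D -> '='.
    return base64.b64decode(urllib.parse.unquote(urllib.parse.unquote(raw))).decode()


def php_serialize(class_name, props):
    # PHP's layout for an object whose properties are all strings:
    # O:<len>:"<class>":<count>:{s:<len>:"<key>";s:<len>:"<value>";...}
    # Lengths are byte counts, so every edited value needs its s:N fixed too.
    body = "".join(f's:{len(k)}:"{k}";s:{len(v)}:"{v}";' for k, v in props.items())
    return f'O:{len(class_name)}:"{class_name}":{len(props)}:{{{body}}}'


def _read_string(text, pos):
    m = re.compile(r's:(\d+):"').match(text, pos)
    if not m:
        raise ValueError(f'expected s:N:" at offset {pos}')
    n, start = int(m.group(1)), m.end()
    value = text[start:start + n]
    if len(value) != n or text[start + n:start + n + 2] != '";':
        raise ValueError("declared length does not match the data")
    return value, start + n + 2


def php_unserialize(text):
    # Strict parser for the same shape: header, then <count> key/value strings.
    m = re.match(r'O:(\d+):"([^"]*)":(\d+):\{', text)
    if not m or int(m.group(1)) != len(m.group(2)):
        raise ValueError("bad object header")
    props, pos = {}, m.end()
    for _ in range(int(m.group(3))):
        key, pos = _read_string(text, pos)
        value, pos = _read_string(text, pos)
        props[key] = value
    if text[pos:] != "}":
        raise ValueError("trailing data after object")
    return m.group(2), props
```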



14. Empire2 - Points: 450

Similar to Empire1, this challenge forces us to register and log in for deeper research.



We must find the vulnerabilities with almost no hints. So, after fuzzing the todo field many times, I found that this field is vulnerable to SSTI (server-side template injection). Example payload:


{{7*7}}
And we get the result:





I decided to fuzz this using my SSTI fuzz list, of course with ZAP 2.8.0. Let's do this!






After 4 minutes, it's done. Check the result in your todo tab.





I thought I had found the flag and submitted it, but it still wasn't right. Keep searching.


 

Bingo! The flag is picoCTF{its_a_me_your_flag57060f80}
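As an added example (not the challenge's code), here is the difference between the rendering mistake that makes {{7*7}} come back as 49 and the fixed-template form that shows it literally, plus a cheap detection check for template delimiters in user input. It assumes the todo items are rendered with Jinja2 (the engine whose {{ }} syntax the probe targets) and that the jinja2 package is installed.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Assumed: a Jinja2-rendered todo list like the challenge's; the template
# below and the item strings are constructed for this example.
ITEM_TEMPLATE = "<li>{{ item }}</li>"


def render_concat(item):
    # Vulnerable form: the user's text becomes part of the template SOURCE, so
    # "{{7*7}}" is compiled and evaluated by the engine before it is shown.
    return Environment(autoescape=True).from_string(f"<li>{item}</li>").render()


def render_sandboxed(item):
    # A sandbox limits what expressions may reach, but it is still evaluating
    # attacker-supplied template code: the probe still comes back as 49.
    return SandboxedEnvironment(autoescape=True).from_string(f"<li>{item}</li>").render()


def render_param(item):
    # Hardened form: the template is fixed and the item is passed as DATA, so
    # the braces are just characters; autoescape also neutralises HTML.
    return Environment(autoescape=True).from_string(ITEM_TEMPLATE).render(item=item)


def looks_like_template_probe(item):
    # Cheap detection for request logs or WAF rules: template delimiters
    # appearing in a field that should only ever hold plain text.
    return any(tag in item for tag in ("{{", "{%", "${"))
```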














Happy hacking! To be continued...
