
Monday, 16 May 2016

TU CTF 2016: Duckprint (Web) Write-up

Description:
See if you can steal the admin's duck print and validate it!
When calculating the SHA, leave the periods in
http://130.211.242.26:31337
Solution: 

1. This challenge has 3 pages (Register, Generate, Validate). The goal is to calculate the token and validate as admin to get the flag.

2. Register with the username "ichz".

3. Generate a token for my user. The page shows my username, admin status = 0, token, and generated token.


4. The generated token format is sha256(b64(username) + "." + b64(cookie) + "." + b64(token)). Where are the admin username and admin token?

5. View the source of the Generate page: I found a comment showing a SQL query statement on line 24. Yes, it is vulnerable to SQL injection!


6. Insert a simple ' or '1'='1'-- - and I get all registered users, one of which is the admin (DuckDuckGoose): admin position = 1, token = d4rkw1ng.


7. Go to the Validate page: it shows a notice that I do not have permission to access it.

8. In the cookies, I found that duck_cookie is in JSON format and set to %7B%22username%22%3A%22ichz%22%2C%22admin%22%3A0%7D%0A. Change the cookie to %7B%22username%22%3A%22DuckDuckGoose%22%2C%22admin%22%3A1%7D%0A with the Web Developer Tools in Google Chrome and access the page again.

9. Back to the generated token format, sha256(b64(username) + "." + b64(cookie) + "." + b64(token)): I now have the username and token from the SQL injection vulnerability.

- sha256(b64('DuckDuckGoose') + "." + b64('%7B%22username%22%3A%22DuckDuckGoose%22%2C%22admin%22%3A1%7D%0A') + "." + b64('d4rkw1ng'))

- sha256('RHVja0R1Y2tHb29zZQ==.JTdCJTIydXNlcm5hbWUlMjIlM0ElMjJEdWNrRHVja0dvb3NlJTIyJTJDJTIyYWRtaW4lMjIlM0ExJTdE.ZDRya3cxbmc=')

- sha256: 29fb251184e9eadb3eb7a1790ecd1dd945525b1f50b56b261e01d9e2429cbe8b

10. Access the Validate page and submit the generated token to get the flag.

Flag: TUCTF{Quacky_McQuackerface}
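
The cookie change in step 8 works because the server trusts an admin flag stored in a cookie that the browser can edit. The following is an added example, not code from the challenge or from this write-up: it contrasts that pattern with an HMAC-signed cookie. The key, the function names and the "body.tag" cookie layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Assumption: a secret known only to the server (constructed value for the demo).
SERVER_KEY = b"constructed-demo-key"


def parse_unsigned(cookie):
    """Vulnerable pattern: accept whatever JSON the browser sends back."""
    return json.loads(unquote(cookie))


def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_signed(username, admin):
    """Hardened pattern: cookie is '<url-encoded JSON>.<HMAC-SHA256 tag>'."""
    claims = json.dumps({"username": username, "admin": admin}, separators=(",", ":"))
    body = quote(claims)
    return body + "." + _tag(body)


def parse_signed(cookie):
    """Return the claims only if the tag matches the body, else None."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return None
    return json.loads(unquote(body))


def demo():
    # Cookie value from step 8 of the write-up.
    forged = "%7B%22username%22%3A%22DuckDuckGoose%22%2C%22admin%22%3A1%7D%0A"
    genuine = issue_signed("ichz", 0)
    stale_tag = genuine.rpartition(".")[2]
    return (
        parse_unsigned(forged)["admin"],         # forged admin flag is accepted
        parse_signed(forged + "." + stale_tag),  # edited body, old tag: rejected
        parse_signed(genuine),                   # untouched cookie: accepted
    )


if __name__ == "__main__":
    print(demo())
```

Keeping the admin flag in server-side session state instead of in the cookie removes the problem entirely; the signature is the minimum when the claim has to travel through the client.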

TU CTF 2016: Student Grades (Web) Write-up

Description:
We are trying to find out what our grade was, but we don't seem to be in the database...
Can you help us out?
http://104.199.151.39/index.html
Solution: 

1. The phrase "in the database..." in the description makes me sure this is about SQL injection.

2. The index page has an input for the name whose grade should be shown.


3. View the source of index.html and find a script.


4. Line 46 is vulnerable to SQL injection, but line 50 means the data is sent with md5 to postQuery.php by ajax.


5. In the Response tab, I found a comment that shows a SQL query statement.


6. Write a Python script to get the data at each step. Found database: tuctf; tables: tuctf_grades, tuctf_info, tuctf_junk; columns: item, value. The flag is stored in tuctf_info.



7. select value from tuctf_info


Python Script:


Flag: TUCTF{v4ccinate_y0ur_databa5e5}