หน้าเว็บ

วันจันทร์ที่ 16 พฤษภาคม พ.ศ. 2559

TU CTF 2016: Duckprint (Web) Write-up


Descriptions:
See if you can steal the admin's duck print and validate it!
When calculating the SHA, leave the periods in
http://130.211.242.26:31337
Solution: 

1. This challenge have 3 pages (Register, Generate, Validate), The goal is calculate token and valid admin to get the flag.

2. Register with username "ichz"

3. Try to generate token from my user, and see my username, admin status = 0, token, generated token.


4. Generated token format is sha256(b64(username) + "." + b64(cookie) + "." + b64(token)), Where is admin username and admin token?

5. View source of Generate page and found comment that tell me a SQL query statement on line 24, Yes it vulnerable to SQL Injection!


6. Try to insert a simple ' or '1'='1'-- -, I get all registered user and one of Admin! (DuckDuckGoose), admin position = 1, token = d4rkw1ng


7. Go to Validate page, and get some notice that not have permission to access it, Cannot access.

8. In the cookies, I found duck_cookie is a JSON format and set to %7B%22username%22%3A%22ichz%22%2C%22admin%22%3A0%7D%0A, Try to change a cookie to %7B%22username%22%3A%22DuckDuckGoose%22%2C%22admin%22%3A1%7D%0A by Web Developer Tool on Google Chrome and access this page again.

9. Back to generated token format is sha256(b64(username) + "." + b64(cookie) + "." + b64(token)), Finally done I get a username, token from SQL Injection vulnerability.

- sha256(b64('DuckDuckGoose') + "." + b64('%7B%22username%22%3A%22DuckDuckGoose%22%2C%22admin%22%3A1%7D%0A') + "." + b64('d4rkw1ng'))

- sha256('RHVja0R1Y2tHb29zZQ==.JTdCJTIydXNlcm5hbWUlMjIlM0ElMjJEdWNrRHVja0dvb3NlJTIyJTJDJTIyYWRtaW4lMjIlM0ExJTdE.ZDRya3cxbmc=')

- sha256: 29fb251184e9eadb3eb7a1790ecd1dd945525b1f50b56b261e01d9e2429cbe8b

10. Access to Validate page and submit generated token to get a flag.

Flag: TUCTF{Quacky_McQuackerface}

ไม่มีความคิดเห็น:

โพสต์ความคิดเห็น