Solution:See if you can steal the admin's duck print and validate it!When calculating the SHA, leave the periods inhttp://130.211.242.26:31337
1. This challenge have 3 pages (Register, Generate, Validate), The goal is calculate token and valid admin to get the flag.
2. Register with username "ichz"
3. Try to generate token from my user, and see my username, admin status = 0, token, generated token.
4. Generated token format is sha256(b64(username) + "." + b64(cookie) + "." + b64(token)), Where is admin username and admin token?
5. View source of Generate page and found comment that tell me a SQL query statement on line 24, Yes it vulnerable to SQL Injection!
6. Try to insert a simple ' or '1'='1'-- -, I get all registered user and one of Admin! (DuckDuckGoose), admin position = 1, token = d4rkw1ng
8. In the cookies, I found duck_cookie is a JSON format and set to %7B%22username%22%3A%22ichz%22%2C%22admin%22%3A0%7D%0A, Try to change a cookie to %7B%22username%22%3A%22DuckDuckGoose%22%2C%22admin%22%3A1%7D%0A by Web Developer Tool on Google Chrome and access this page again.
9. Back to generated token format is sha256(b64(username) + "." + b64(cookie) + "." + b64(token)), Finally done I get a username, token from SQL Injection vulnerability.
- sha256(b64('DuckDuckGoose') + "." + b64('%7B%22username%22%3A%22DuckDuckGoose%22%2C%22admin%22%3A1%7D%0A') + "." + b64('d4rkw1ng'))
- sha256('RHVja0R1Y2tHb29zZQ==.JTdCJTIydXNlcm5hbWUlMjIlM0ElMjJEdWNrRHVja0dvb3NlJTIyJTJDJTIyYWRtaW4lMjIlM0ExJTdE.ZDRya3cxbmc=')
- sha256: 29fb251184e9eadb3eb7a1790ecd1dd945525b1f50b56b261e01d9e2429cbe8b
10. Access to Validate page and submit generated token to get a flag.
Flag: TUCTF{Quacky_McQuackerface}
ไม่มีความคิดเห็น:
แสดงความคิดเห็น