Promotion CTF
Peace be upon you guys. Today I will go into detail and explain how to get the flag of the Promotion challenge of ascwargames, which was held from 14/8 to 15/8.
The challenge relied on some OWASP Top 10 issues like XXE and SQLi, plus some filter bypasses. With all that being said, let's get started.
First, when we open the challenge link we get this blank page.

At first glance, if we check the request, it uses a JWT as the Authorization header.

After decoding it with https://jwt.io/ we get role: “user”.

So what do we do? I tried changing the algorithm to “none” and brute-forcing the key, and unfortunately none of them worked, so let's move on.
But the Accept header has some interesting values: it accepts XML and some other stuff.
Got it? XXE!! I grabbed a payload from GitHub and yeah, I was able to read /etc/passwd.

But it's not a network challenge, so passwd will not be useful for us. What about reading the challenge files? For that we have to use the PHP wrapper with base64 encoding to manage to read the files.
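The reason the XXE worked is that the endpoint parsed attacker-supplied XML with a parser that resolved entities. As an added example, not code from the challenge or the author, the following Python shows the defensive policy most XML hardening libraries apply (the same idea as defusedxml's forbid_dtd): refuse any untrusted document that declares a DTD, because entity declarations can only live inside one. The sample documents are constructed here.

```python
import re
import xml.etree.ElementTree as ET

# A DTD is the only place an entity (internal, or SYSTEM with a file:// or php://
# URI) can be declared, so rejecting the DOCTYPE rejects XXE before parsing starts.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def safe_parse(data: bytes) -> ET.Element:
    """Parse untrusted XML, refusing any document that carries a DOCTYPE.

    Policy borrowed from defusedxml's forbid_dtd=True (assumption: the challenge
    endpoint applied no such check, which is why the payload was resolved).
    """
    if _DOCTYPE_RE.search(data):
        raise ValueError("DTD/DOCTYPE not allowed in untrusted XML")
    return ET.fromstring(data)


# Constructed sample documents (not captured from the challenge).
BENIGN = b"<login><user>alice</user></login>"
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE login [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<login><user>&xxe;</user></login>"
)


def classify(data: bytes) -> str:
    """Return the root tag for accepted input, or why the input was not parsed."""
    try:
        root = safe_parse(data)
    except ValueError:
        return "rejected"
    except ET.ParseError:
        return "malformed"
    return root.tag


if __name__ == "__main__":
    print("benign:", classify(BENIGN))      # login
    print("with DTD:", classify(WITH_DTD))  # rejected
```

Whether an endpoint parses XML at all should be decided by what the endpoint needs, not by what the client lists in its Accept header; here the server switched to an XML code path simply because the request asked for it.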

And gotcha!! We got it. After decoding it we get this interesting chunk of code:

It sets a cookie called auth with the value of the JWT, encoded with the key variable. Then, when we send a request, it decodes it and checks if the role is admin; if so, it redirects us to login.php, else we stay on the same page.
Since we have read access, let's read login.php as well.

And it seems we have some filters here on SQL syntax words, plus the checks of a regular PHP login page; if we get in, we get “welcome admin”.

So, as you guessed, it's SQLi time, but it's blind here, as it doesn't print any user input; it only prints “welcome admin” if the credentials are true.
So the trick here is that we have the admin username and we need the password. Maybe it's the flag; either way, if we get the right password it will also print “welcome admin”, so we can solve it in two ways. The common one is coding a script and checking the server response, but here I am going to use Burp Intruder with the cluster bomb attack type.
First of all we need to craft a valid payload:
1- None of these filters use the /g (global search) flag, meaning each regex word is only removed one time; if we make a payload containing “oorr”, it removes the inner “or” and hence we have bypassed it.
2- The password keyword has an “or” inside it, so if we use the same trick, “passpasswordword” will become “passpasswdwd”. So I made a PHP script with the 2 filters for “or” and “password”.

And after some tries we got it: “passwpasswoorrdoorrd”.

3- Whitespace and the + sign were blocked, so we use a carriage return. The SQL query was like $sql = "SELECT COUNT(*) FROM users Where username = ('$username') AND password = ('$password')"; so first we close the quote and bracket with ') and start our substring payload.

4- The substring keyword in SQL syntax works as follows: substring($string, first_char, number_of_chars) = "intended char". So if the first char of the password is the first char of the flag, the condition substring(password,1,1)="A" should return true. As the flag format is ASCWG{, we can start from position 7 in our payload.
admin')%0doorr%0dsubstring(passwpasswoorrdoorrd,1,1)="a"#
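To make steps 1 to 4 concrete, here is an added Python example (not the challenge's login.php and not the author's script) that emulates the keyword filter and the concatenated query against an in-memory SQLite table, beside the parameterized query that closes the hole. It assumes the filter strips "or" and then "password" in a single pass without re-scanning the result (which reproduces the intermediate values given above), the admin password is a constructed placeholder, and the payload is adapted to SQLite syntax: substr instead of substring, -- instead of #, single quotes around the literal, and a real carriage-return byte for %0d.

```python
import sqlite3
from typing import Dict

# Assumption: the challenge filter behaves like a single-pass str_replace that
# strips "or" and then "password" without re-scanning the result.
BLOCKED = ["or", "password"]


def weak_filter(value: str) -> str:
    """Single-pass blocklist: 'oorr' loses its inner 'or' and is left as 'or'."""
    for word in BLOCKED:
        value = value.replace(word, "")
    return value


def stable_filter(value: str) -> str:
    """Re-apply the blocklist until nothing changes (fixpoint). This closes the
    nesting trick, but it is still a blocklist; parameterized queries are the fix."""
    while True:
        stripped = weak_filter(value)
        if stripped == value:
            return value
        value = stripped


def make_db() -> sqlite3.Connection:
    """In-memory users table; the admin password is a constructed placeholder."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'ASCWG{placeholder}')")
    return db


def vulnerable_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors login.php as described above: filter, then concatenate into SQL."""
    u, p = weak_filter(username), weak_filter(password)
    sql = (f"SELECT COUNT(*) FROM users WHERE username = ('{u}') "
           f"AND password = ('{p}')")
    return db.execute(sql).fetchone()[0] > 0


def safe_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders keep the input a literal, so no keyword filter is needed."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


# The writeup's payload adapted to SQLite (substr, --, single quotes, real CR).
PAYLOAD = "admin')\roorr\rsubstr(passwpasswoorrdoorrd,1,1)='A'--"


def run_demo() -> Dict[str, object]:
    """Run the payload through both login paths and return the outcomes."""
    db = make_db()
    return {
        "filtered_payload": weak_filter(PAYLOAD),
        "vulnerable_accepts_payload": vulnerable_login(db, PAYLOAD, "x"),
        "safe_accepts_payload": safe_login(db, PAYLOAD, "x"),
        "safe_accepts_real_creds": safe_login(db, "admin", "ASCWG{placeholder}"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

After weak_filter the payload reads admin')<CR>or<CR>substr(password,1,1)='A'--, which the concatenated query accepts without the real password, while the placeholder query compares the whole string as a literal and rejects it. One caveat when reproducing this locally: the = comparison on the column is case-sensitive in SQLite, unlike the default collations in MySQL.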

Now we need to send that request to Burp Intruder; with cluster bomb, the first payload set will be numbers and the second will be all printable characters.

I got all printable chars from the string lib in Python.

Now it's time to run our Intruder attack and watch the responses.
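On the defender's side, a cluster bomb run like this leaves a very recognisable trail: many requests from one address whose parameters carry carriage returns, quote-and-bracket breakouts, substring() calls, SQL comment markers and keywords nested inside themselves. As an added example, not from the writeup, the Python below scans constructed access-log lines for those signals and counts flagged requests per source. The log format, thresholds and the stuffed-keyword heuristic are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in Apache combined format (not from the challenge):
# three Intruder-style probes from one address, then ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2024:10:01:02 +0000] "GET /login.php?username=admin%27%29%0Doorr%0Dsubstring%28passwpasswoorrdoorrd%2C1%2C1%29%3D%22A%22%23&password=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2024:10:01:02 +0000] "GET /login.php?username=admin%27%29%0Doorr%0Dsubstring%28passwpasswoorrdoorrd%2C1%2C1%29%3D%22B%22%23&password=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2024:10:01:03 +0000] "GET /login.php?username=admin%27%29%0Doorr%0Dsubstring%28passwpasswoorrdoorrd%2C1%2C1%29%3D%22C%22%23&password=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Aug/2024:10:02:10 +0000] "GET /login.php?username=alice&password=hunter2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Aug/2024:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

KEYWORDS = ("or", "and", "union", "select", "substring", "substr")


def full_decode(value: str) -> str:
    """URL-decode until the value stops changing, so double encoding cannot
    hide a payload from a decoder that only runs once (the same single-pass
    weakness the filter bypass above exploits)."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded


def stuffed_keyword(value: str) -> Optional[str]:
    """Return a keyword that appears nested inside itself (oorr = o + or + r),
    the shape that survives a single-pass blocklist strip."""
    low = value.lower()
    for kw in KEYWORDS:
        for i in range(1, len(kw)):
            if kw[:i] + kw + kw[i:] in low:
                return kw
    return None


def suspicious_reasons(value: str) -> List[str]:
    """Collect the injection signals present in one decoded parameter value."""
    reasons = []
    if re.search(r"[\r\n\t]", value):
        reasons.append("control-char whitespace")
    if re.search(r"""['"]\s*\)""", value):
        reasons.append("quote-paren breakout")
    if re.search(r"(?i)\b(substr|substring)\s*\(", value):
        reasons.append("substring probe")
    if re.search(r"#|--", value):
        reasons.append("sql comment")
    kw = stuffed_keyword(value)
    if kw:
        reasons.append(f"stuffed keyword '{kw}'")
    return reasons


def analyze(log_text: str, burst_threshold: int = 3) -> Dict[str, object]:
    """Flag parameters with injection signals and report per-IP bursts."""
    flagged: List[Tuple[str, str, List[str]]] = []
    per_ip: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            reasons = suspicious_reasons(full_decode(raw))
            if reasons:
                flagged.append((m["ip"], name, reasons))
                per_ip[m["ip"]] += 1
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return {"flagged": flagged, "bursts": bursts}


if __name__ == "__main__":
    for ip, name, reasons in analyze(SAMPLE_LOG)["flagged"]:
        print(ip, name, ", ".join(reasons))
    print("bursts:", analyze(SAMPLE_LOG)["bursts"])
```

The burst counter is the part that matters operationally: a single oddly-shaped login is noise, but dozens of them per second from one source with only one character changing is exactly what an Intruder run looks like, and a rate limit or lockout on the login endpoint would have stopped the enumeration regardless of the filter bypass.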

Now we just need to collect the flag.
Note: I had a small problem in that Burp Intruder wasn't distinguishing between upper and lower case, so after collecting the flag I asked support to justify it, and they were very helpful.
And that's it. At the end I want to thank all the people who arranged that great competition and were helpful to that extent, and finally I want to say “You're the best”.
Thank you for reading! Hope you enjoyed it…
You can find me on Twitter @0xMohamed_Ayad
Also, LinkedIn @0xmh3yad