Last Saturday I took part in IIT Delhi’s DevCTF, and since it was an IIT event I was really excited to participate and score some points. The event started at 5:00 PM IST Saturday and lasted till 5:00 PM, Sunday. When the event began in the evening, I was travelling with my family and had to solve challenges while travelling. I didn’t let the circumstances be an excuse and started hacking right away while sitting in the car. In the end, I managed to solve 2 web challenges and made it to the top 50. The following is my writeup for the challenge “The Sequel” which I found really exciting and worth sharing a writeup for.
Challenge Introduction
Challenge Name: The Sequel
Category: Web
Points: 18
The Sequel challenge was one of the few web challenges in the event, which really seemed a little minimal in comparison to all other web challenges that were there. The challenge was to hack a login page and get the flag.
Can you hack this super secret login page???
When I looked around the challenge, there was a simple web page with a login field, with username and password section.
The first thing that I did was to look at the source code and get an understanding of how the code was implemented. The source code was pretty simple, classic html and nothing more. Then I proceeded with a regular web pentesting approach, I filled in random information and intercepted the request with burp, to understand how requests and responses were being sent and received. It was pretty straightforward, username and password parameter over post request.
At this point, an absurd idea struck my mind that brute-forcing is the way. And the next moment I started intruder and relaxed for a while that all work is done. When I couldn’t get any right credentials through brute force, and my naïve assumption, I lost hope for a while. After a break, I changed my approach and remembered that I’m solving a CTF challenge and not pentesting on a real web application. Then the curtain of ignorance fell, and I contemplated a while at the title. It was “The Sequel”, so obviously, I was supposed to deal with SQL Injection.
Foothold
Now I knew that I was walking down the right way. The next thing I did was find a vulnerable parameter to get the injection running. I used the classic apostrophe mark to test for vulnerable parameter. And thanks to portswigger labs, where we learned SQL injection and many other web vulnerabilities. This is where I felt how experience can dramatically shape our approach and methodology.
The moment I passed an apostrophe at the username parameter, the application threw a SQL syntax error as expected. Now I had a parameter to inject my payload in, all I needed was a right payload to do the trick. This is where the hint genuinely helped. The hint mentioned that it has something to do with “EXTRACTVALUE” function. Upon research, I was positive that I am dealing with an XPATH Injection. Then I a built a mal-query that got me the name of the current database.
username' and extractvalue(0x0a,concat(0x0a,(select database())))--
I used a random username and appended my apostrophe, which was followed by my above payload. The application returned a syntax error, and as expected the current database.
This was half the job done. Since I wanted to save my time and I’m not a fan of manual work and hit and trial based upon error dumps, I took the automated way through here. I fired my SQLMAP and smartly made my way to the flag.
Getting The Flag
I had all the things I required for sqlmap to derive the flag; a vulnerable parameter, the name of the database, and mind. All I needed now was the cookie of my session. I went straight to developer tools in my browser and got the cookie from the storage tab.
Now I forged my commands as I progressed. I had the database, now I needed tables.
sqlmap -u "https://web.ctf.devclub.in/web/1/login.php" --cookie="PHPSESSID=3hrbh2mb8iafls3391knpug1tc" --forms -D web1_db --tables
I got the name of the table, which was “tbl_users”. Now I went ahead to get the columns.
sqlmap -u "https://web.ctf.devclub.in/web/1/login.php" --cookie="PHPSESSID=3hrbh2mb8iafls3391knpug1tc" --forms -D web1_db -T tbl_users --columns
I got the column names, and then I dumped all the entries.
sqlmap -u "https://web.ctf.devclub.in/web/1/login.php" --cookie="PHPSESSID=3hrbh2mb8iafls3391knpug1tc" --forms -D web1_db -T tbl_users --columns --dump
And I finally got the username and password to log in and get the flag. But to my surprise, the developer was smart and passwords were stored in hashes.
Upon a glance at the hash, it was easy to tell that it was a plain MD5 Hash, but I wanted to be sure so I confirmed it with the hash-identifier utility in kali.
I went ahead and cracked the hash within my sqlmap instance with rockyou.txt. And fortunately, the thrilling expedition came to end with a smile on my face and the cracked password, which was “wildspirit”
A week or two later I received my certificate of achievement for making it in the top 10.