2 Unfortunately I didn't have much time on this weekend so I couldn't play many challenges. Also, I was playing on saturday evening, so both of the challenges I solved where already solved by team mates.
3 I was looking for some (more more less) short and easy challenges and I found two which I will describe in this writeup. I also tried some others (`Option-Cmd-U` and `Beeeeeeeeeer`) but not long enough to be mentioned in this writeup.
6 I am usually not into crypto challenges (Still have bad memories about that mitm-crypto challenge of the InetSec course. Just kidding, was a nice challenge @cluosh), however this challenge had many solves in comparison to the others, so I tried my luck.
7 Turned out that this was quite an easy challenge, as you had the source code of an encryption script, where you could simply do the steps the other way round:
11 from Crypto.Cipher import AES
14 def decrypt(key, text):
16 for i in range(len(text)):
17 s += chr((((ord(text[i]) - 0x20) - (ord(key[i % len(key)]) - 0x20)) % (0x7e - 0x20 + 1)) + 0x20)
24 dec1 = base64.b64decode(text)
25 cipher = AES.new(key2 + chr(0x00) * (16 - (len(key2) % 16)), AES.MODE_ECB)
26 p = 16 - (len(dec1) % 16)
27 dec2 = cipher.decrypt(dec1 + chr(p) * p)
28 print decrypt(key1, dec2)
31 My script only works with python 2 and adds gibberish at the end of the output, but the flag was correct so I didn't correct it.
33 Flag: `SECCON{Success_Decryption_Yeah_Yeah_SECCON}`
37 This web page displays some RFCs with the possibility to filter them. You can enter a search term and the page filters the entries accordingly.
38 When I saw the page for the first time, I tried out the search function. I entered something like "random" because I saw some RFC with the text "randomly". After I pressed "Search", the text in the text field changed to "rom" which was really weird. After a few seconds and with the thought that there could be a SQL injection vulnerability, I grasped that the SQL keyword `AND` was removed in my search term. I confirmed that by trying a few other search terms containing the `OR` and `AND` keywords.
40 Now I tried SQL commands like `'OR '1'='1` but I had to find a way to bypass the removal of SQL keywords. I entered something like `'OORR '1'='1` and somehow the middle `OR` gets removed but then one `OR` is still remaining, so the first step was made.
41 Second problem I had to solve was that whitespaces are also removed. Luckily I remembered one trick from the IntroSec course, where whitespaces can be replaced with a comment (`/**/`).
42 Unfortunately, no secret messages or something were shown so I played around with my query a little bit.
43 I added a comment after it with `#` because `--` led to an error: `'OORR/**/'1'='1'#`
45 Now I finally got something to see:
48 The flag is "SECCON{Yeah_Sqli_Success_" ... well, the rest of flag is in "flag" table. Try more!
50 I then tried some UNION commands. But when I tried to use `'OORR/**/'1'='0'/**/UNION/**/SELECT/**/1,1,1#` I saw that commas are removed. So I had to use a UNION command without commas using JOINS to find out the number of columns:
52 'OORR/**/'1'='0'/**/UNION/**/SELECT/**/*FROM/**/(SELECT/**/1)/**/AS/**/a/**/JOIN/**/(SELECT/**/1)/**/AS/**/b/**/JOIN/**/(SELECT/**/1)/**/AS/**/c#`
54 I tried this command with one and two columns before and got errors. When I tried it with three columns the query was successful, so I knew that three specified columns were needed for the query to succeed.
57 'OORR/**/'1'='0'/**/UNION/**/SELECT/**/*FROM/**/(SELECT/**/*FROM/**/flag)/**/AS/**/a/**/JOIN/**/(SELECT/**/1)/**/AS/**/b/**/JOIN/**/(SELECT/**/1)/**/AS/**/c#`
59 and it succeeded. I got to see this on the bottom of the page:
64 I didn't think this would work as I didn't know the number of columns of the flag table. Apparently it only has one column so my payload works. Otherwise I would have had to get the names of the columns via the `INFORMATION_SCHEMA` table.
66 Now I can simply concatenate those two pieces of the flag: `SECCON{Yeah_Sqli_Success_You_Win_Yeah}`
SomeNet / public repos / pub / jan / ctf-seminar.git / blob