From efabe654d096a3f854e463324d0bdb0cfba6cec0 Mon Sep 17 00:00:00 2001 From: Paul Kalauner Date: Sun, 27 Oct 2019 23:49:38 +0100 Subject: [PATCH] Add toaster/seccon19 writeup --- writeups/toaster/seccon19.md | 66 ++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 writeups/toaster/seccon19.md diff --git a/writeups/toaster/seccon19.md b/writeups/toaster/seccon19.md new file mode 100644 index 0000000..db43773 --- /dev/null +++ b/writeups/toaster/seccon19.md 
@@ -0,0 +1,66 @@ +# SECCON 2019 +Unfortunately I didn't have much time on this weekend so I couldn't play many challenges. Also, I was playing on saturday evening, so both of the challenges I solved where already solved by team mates. +I was looking for some (more more less) short and easy challenges and I found two which I will describe in this writeup. I also tried some others (`Option-Cmd-U` and `Beeeeeeeeeer`) but not long enough to be mentioned in this writeup. + +#### coffee_break +I am usually not into crypto challenges (Still have bad memories about that mitm-crypto challenge of the InetSec course. Just kidding, was a nice challenge @cluosh), however this challenge had many solves in comparison to the others, so I tried my luck. +Turned out that this was quite an easy challenge, as you had the source code of an encryption script, where you could simply do the steps the other way round: + +```python +import sys +from Crypto.Cipher import AES +import base64 + +def decrypt(key, text): + s = '' + for i in range(len(text)): + s += chr((((ord(text[i]) - 0x20) - (ord(key[i % len(key)]) - 0x20)) % (0x7e - 0x20 + 1)) + 0x20) + return s + +key1 = "SECCON" +key2 = "seccon2019" +text = sys.argv[1] + +dec1 = base64.b64decode(text) +cipher = AES.new(key2 + chr(0x00) * (16 - (len(key2) % 16)), AES.MODE_ECB) +p = 16 - (len(dec1) % 16) +dec2 = cipher.decrypt(dec1 + chr(p) * p) +print decrypt(key1, dec2) +``` + +My script only works with python 2 and adds gibberish at the end of the output, but the flag was correct so I didn't correct it. + +Flag: `SECCON{Success_Decryption_Yeah_Yeah_SECCON}` + + +#### web_search +This web page displays some RFCs with the possibility to filter them. You can enter a search term and the page filters the entries accordingly. +When I saw the page for the first time, I tried out the search function. I entered something like "random" because I saw some RFC with the text "randomly". 
After I pressed "Search", the text in the text field changed to "rom" which was really weird. After a few seconds and with the thought that there could be a SQL injection vulnerability, I grasped that the SQL keyword `AND` was removed in my search term. I confirmed that by trying a few other search terms containing the `OR` and `AND` keywords. + +Now I tried SQL commands like `'OR '1'='1` but I had to find a way to bypass the removal of SQL keywords. I entered something like `'OORR '1'='1` and somehow the middle `OR` gets removed but then one `OR` is still remaining, so the first step was made. +Second problem I had to solve was that whitespaces are also removed. Luckily I remembered one trick from the IntroSec course, where whitespaces can be replaced with a comment (`/**/`). +Unfortunately, no secret messages or something were shown so I played around with my query a little bit. +I added a comment after it with `#` because `--` led to an error: `'OORR/**/'1'='1'#` + +Now I finally got something to see: +``` +FLAG +The flag is "SECCON{Yeah_Sqli_Success_" ... well, the rest of flag is in "flag" table. Try more! +``` +I then tried some UNION commands. But when I tried to use `'OORR/**/'1'='0'/**/UNION/**/SELECT/**/1,1,1#` I saw that commas are removed. So I had to use a UNION command without commas using JOINS to find out the number of columns: +```sql +'OORR/**/'1'='0'/**/UNION/**/SELECT/**/*FROM/**/(SELECT/**/1)/**/AS/**/a/**/JOIN/**/(SELECT/**/1)/**/AS/**/b/**/JOIN/**/(SELECT/**/1)/**/AS/**/c#` +``` +I tried this command with one and two columns before and got errors. When I tried it with three columns the query was successful, so I knew that three specified columns were needed for the query to succeed. +So now I simply tried +```sql +'OORR/**/'1'='0'/**/UNION/**/SELECT/**/*FROM/**/(SELECT/**/*FROM/**/flag)/**/AS/**/a/**/JOIN/**/(SELECT/**/1)/**/AS/**/b/**/JOIN/**/(SELECT/**/1)/**/AS/**/c#` +``` +and it succeeded. 
I got to see this on the bottom of the page: +``` +You_Win_Yeah} +1 +``` +I didn't think this would work as I didn't know the number of columns of the flag table. Apparently it only has one column so my payload works. Otherwise I would have had to get the names of the columns via the `INFORMATION_SCHEMA` table. + +Now I can simply concatenate those two pieces of the flag: `SECCON{Yeah_Sqli_Success_You_Win_Yeah}` -- 2.43.0
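Review bot: in the coffee_break script, `p = 16 - (len(dec1) % 16)` followed by `dec2 = cipher.decrypt(dec1 + chr(p) * p)` pads the ciphertext before decrypting it, so an extra block of padding bytes is run through AES along with the real data (and when `len(dec1)` is already a multiple of 16, `p` becomes 16 and a whole extra block is appended); that is the most likely source of the "gibberish at the end of the output" the writeup mentions. AES-ECB ciphertext is always block-aligned, so decrypt `dec1` as-is and strip trailing padding from `dec2` instead of appending bytes to the ciphertext. Since the text already flags the script as Python 2 only, it would be worth making it Python 3 ready at the same time (`print(decrypt(key1, dec2))`, and operating on `bytes` rather than `str`). Minor wording in the intro: "where already solved" should be "were already solved", "more more less" reads as "more or less", and "saturday" should be capitalised.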