Lawful Evil (lawful_evil) wrote:

HackerOne CTF Micro CMS v2

Ok.. next challenge... they sort of took the previous one where you could create pages and edit them and wrapped it in a login screen so you have to log in to access them.

So... Fuck around with username and password. After entering a funky character we find an error message:
Traceback (most recent call last):
  File "./", line 145, in do_login
    if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
  File "/usr/local/lib/python2.7/site-packages/MySQLdb/", line 250, in execute
    self.errorhandler(self, exc, value)
  File "/usr/local/lib/python2.7/site-packages/MySQLdb/", line 50, in defaulterrorhandler
    raise errorvalue
ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1")

Ok.. nice so... we see we have an admins database with username and password fields.

The basic idea is to use '; to end the previous statement, put in our own sql statement and then end with a comment character to get rid of the rest of the line.   That or we use ' and then additional text to modify the existing statement, but still terminate with comment to get rid of the unused part of the statement.   The base statement is grabbing the password from the table for the provided username.

I went way down the wrong way here... until I got a hint.   I found that I could drop the table and I tried to insert into the table and so forth.   None of that seemed to work.   I even tried to create other tables, to drop the original table and create a new one with known creds.... either I messed it up or there were protections to keep this from happening.   The hint was about union... so I went that route.

So... if we build a statement that returns some hardcoded text and then provide that same text as password, we will get logged in.    Used UNION to return 'foo' and boom.   First flag.   Also on that page is a hint to get 'the real login creds' ... crumb trail to the next flag?

While thinking about that... I played around and found I could post to page/edit/1 before I was logged in and got the next flag.   Also got a funky bit of base64 gunk as a session key... part of which decoded to json, {"admin" : "true"}     That might come in handy... Maybe I didn't need to log in and I just needed to set a session header like that?

Anyway... playing around with sql in the above statement...

SELECT password FROM admins WHERE username='' or password like "a%"# seems to return unknown user... but when I did it where it was LIKE "n%", that returned invalid password.   So.. it seems I can figure out the password.   I played around with the %a, a%, and %a% type of combinations along with ' or LENGTH(password) = 4; statements and discovered that for me, the length was 6, it started with an n and ended with an e and contained e, i, k, l, n, o

Sweet, no duplicates... guessed, "nikole" and got it.    Now do the same for the username and found it had a, e, i, n, and r.   It started with i and ended with a and had 5 letters... so... "irena"?    Boom.  Logged in and got the flag.
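As an added example (not the challenge's code; Python 3 with an in-memory SQLite table standing in for the MariaDB admins table, creds taken from the writeup): the login check rebuilt in the shape the traceback reveals, next to a parameterized version, showing why the UNION trick and the unknown-user / invalid-password oracle from the LIKE probes both work against the first and not the second.

```python
import sqlite3

# Constructed stand-in for the challenge's admins table; the creds are the ones
# recovered in the writeup, the schema is inferred from the traceback.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('irena', 'nikole')")
    return conn

def vulnerable_login(conn, username, password):
    # Same shape as do_login in the traceback: the username is pasted into the
    # SQL string with %-formatting. replace('%', '%%') only keeps the format
    # operator happy; it does nothing about quotes, so the user controls the SQL.
    sql = "SELECT password FROM admins WHERE username='%s'" % username.replace('%', '%%')
    rows = conn.execute(sql).fetchall()
    if not rows:
        return "unknown user"        # distinct message -> boolean oracle
    if rows[0][0] != password:
        return "invalid password"    # distinct message -> boolean oracle
    return "logged in"

def safe_login(conn, username, password):
    # Hardened form: a bound parameter keeps the username as data, and a single
    # failure message removes the unknown-user / invalid-password distinction.
    rows = conn.execute(
        "SELECT password FROM admins WHERE username=?", (username,)).fetchall()
    if not rows or rows[0][0] != password:
        return "login failed"
    return "logged in"

# The UNION trick from the writeup: the query's own closing quote finishes the
# literal, so no comment character is needed (same behaviour under MySQL).
UNION_PAYLOAD = "x' UNION SELECT 'foo"
# The LIKE probes from the writeup: one matches the stored password, one does not.
LIKE_PROBE_HIT = "' OR password LIKE 'n%"
LIKE_PROBE_MISS = "' OR password LIKE 'a%"

if __name__ == "__main__":
    conn = make_db()
    for fn in (vulnerable_login, safe_login):
        print(fn.__name__, "union:", fn(conn, UNION_PAYLOAD, "foo"))
        print(fn.__name__, "hit:  ", fn(conn, LIKE_PROBE_HIT, "zzz"))
        print(fn.__name__, "miss: ", fn(conn, LIKE_PROBE_MISS, "zzz"))
```

The vulnerable function logs the UNION payload in with password "foo" and answers the two LIKE probes differently; the parameterized one returns the same "login failed" for all three and only admits the real creds.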

Tags: challenges, cno, ctf, cybersecurity, tutorial
