DamCTF2020 Writeup — Finger Warm Up & Hacker Camp

DamCTF was held from October 10 to 12, 2020. We finished at #132 out of 446 teams, solving 5 of the 30 challenges. The challenge categories were crypto, malware, misc, pwn, rev, and web. This is my third week of joining online CTFs, so I am pretty new at this. In this write-up I will explain my reasoning in as much detail as possible, so that all the fresh meat in cybersecurity can follow the way I think, because I am fresh meat too. Enjoy!

Finger-Warmup (Beginner)

In this challenge, we are introduced (as beginners) to two interesting Python libraries: requests and Beautiful Soup.

The requests library is often used (I use it a lot) to make HTTP requests to web servers from Python instead of from a browser. The advantage is that we can examine the response much more quickly than in a browser.

The Beautiful Soup library is used for parsing HTML/XML responses. To be honest, I do not know the full potential of this tool yet, but I use it to examine HTML responses.

The challenge wants us to click through a link again and again. You could actually solve it manually (if you are patient).

Response after clicking the link
Response after clicking the link shown in the image above

This is my habit when doing cybersecurity challenges: I always do information gathering, even if the answer seems obvious. To be honest, not all information is useful, but most of the time you will miss something if you skip the information-gathering part.

Always look at the source code using inspect element or view source.

View Source of the Page
View source after clicking the link

Nothing special, no tricks, no hidden scripts. From that piece of information we know that the link takes us to another page with exactly the same format; only the “next page” target in the href attribute differs.

The console, network, and application/cookies tabs do not give us any valuable information either. I think it is obvious that we have to click all the way through the links. (What a nightmare for someone who really hates repetitive tasks.)

The idea that popped into my mind was that I needed to automate this, and those two libraries could help me. The strategy is simple: make a request to the link and receive the response. Take the link from that response, make a request to it, and so on until we receive a page that contains ‘dam{‘ (I will tell you why later).

Note: I did not solve it on the first try (and yes, I wasted about 2 hours); you can read about that in the mistakes part.

So I made a script that loops endlessly and implements the strategy I prepared above.

Solution Source Code

This is not the most efficient code for solving the problem, because I did not know how to print the response as a string using urllib. I learned about Beautiful Soup from several web pages like this, this, and this.

Basically, the code first requests the “baseurl”, since the “sublink” is empty. We receive the response and check whether it contains “dam{“. The flag format is “dam{tH15_15_n0T_Th3_fl4g}“, so we just stop the loop once the response contains “dam{“. This logic is not robust if the author plants some fake flags. If the page does not contain “dam{“, we make the same request again using urllib, just so that the Beautiful Soup library can work (this is the inefficient part, but I did not have many options because I did not know how to examine the urllib response as a string). After we get that response, Beautiful Soup parses it and gives us the value of the “href” attribute. We put the “href” value in sublink and repeat the request over and over until we get the flag. It took me 1 hour to get the flag.

I did not look at the challenge description, which pointed us to resources about the requests and Beautiful Soup libraries. I already understood the requests library since I had used it a lot. My first attempt did not use Beautiful Soup; I used string slicing instead. The logic was the same, but to get the “href” value I sliced it out of the response text.

Non-working script

The reason the attempt failed is that I assumed all links had the same length, but in reality they did not. The brilliant part of this challenge was that the web server did not return a 404 error when a page was not found. That is why I was trapped in the loop for 3 hours, wondering why the script kept running but never produced anything.

How did I realize my mistake? I wondered why it was taking so long just to get the flag. In the script I printed the sublink and the response. When I looked at the printed output, I noticed that it kept repeating the same pattern, like this:

http://baseurl.com/a
http://baseurl.com/b
http://baseurl.com/c
http://baseurl.com/a
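The link-following loop described above, together with the cycle check that would have caught the a/b/c/a pattern from the mistakes part, as an added Python example that is not the write-up's own script: it uses the standard library's html.parser in place of Beautiful Soup and takes a fetch function, so the constructed fake site below runs offline (with requests, fetch would be lambda u: requests.get(u).text). The sliced_href function reproduces the fixed-length slicing bug so the cycle can be seen.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

FLAG_RE = re.compile(r"dam\{[^}]*\}")
class HrefParser(HTMLParser):
    """Collect every <a href> (stdlib stand-in for Beautiful Soup's find('a')['href'])."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def parsed_href(html):
    """Proper extraction: parse the HTML and return the first link, or None."""
    p = HrefParser()
    p.feed(html)
    return p.hrefs[0] if p.hrefs else None

def sliced_href(html):
    """The broken first attempt: assumes every link is exactly two characters long."""
    i = html.index('href="') + len('href="')
    return html[i:i + 2]

def follow_links(fetch, base_url, start="/", extract=parsed_href, max_steps=10000):
    """Request start, take the page's link, request that, ... until 'dam{' appears.
    Visited URLs are remembered, so a server that never answers 404 raises a clear
    error instead of looping forever. Returns (flag, number_of_requests)."""
    seen, url = set(), urljoin(base_url, start)
    for step in range(1, max_steps + 1):
        if url in seen:
            raise RuntimeError(f"cycle: {url} seen again after {step - 1} requests")
        seen.add(url)
        body = fetch(url)  # fetch(url) -> response body as str
        if m := FLAG_RE.search(body):
            return m.group(0), step
        if not (nxt := extract(body)):
            raise RuntimeError(f"no link on {url}")
        url = urljoin(base_url, nxt)
    raise RuntimeError("step limit reached")

# Constructed stand-in for the challenge site: link lengths differ on purpose, and
# an unknown path gets a page pointing back to /a instead of a 404 (as the real site did).
PAGE = '<html><body><a href="{}">next</a></body></html>'
SITE = {"http://baseurl.com/": PAGE.format("/a"),
        "http://baseurl.com/a": PAGE.format("/bb"),
        "http://baseurl.com/bb": PAGE.format("/ccc"),
        "http://baseurl.com/ccc": "<html><body>dam{tH15_15_n0T_Th3_fl4g}</body></html>"}
def fake_fetch(url):
    return SITE.get(url, PAGE.format("/a"))
```

Running follow_links(fake_fetch, "http://baseurl.com") finds the flag in four requests; passing extract=sliced_href reproduces the trap and raises the cycle error after three.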

Hacker Camp (Web)

Challenge Introduction

Natasha Drew wants to go to Hacker Camp but doesn’t have the grades she needs. Hack into the student portal and change her grades so she can attend.

The concept is clear: we need to log in as an authority, find Natasha Drew, and change her grades.

Homepage

When I saw this, the only thing that popped into my mind was “SQL injection”, what a classic (haha). Back to the topic.

Looking at the source of the page, I did not see any useful information or hidden scripts. Just a normal login form, no hidden links, etc.

Source code of Homepage

Because this is the only page we know of without brute-forcing, I started with it. I tried to log in with default credentials like admin/admin and admin/root, with no luck. I wanted to try Natasha Drew, but I did not know the username format or her date of birth, which is often used as the default password. That is why I tried SQL injection, just a simple one, and……

Home page for a teacher

Back to the information-gathering part: this is a new page, hence we need to learn more about it.

Source Code (1/2)
Source Code (2/2)

YES! There is a lot of beautiful information on this page. What is it?

  1. The data-id attribute on every student. Possibly a unique key used to update the student.
  2. var staf = {}, which defines the logged-on user and their role.
  3. /assets/js/app.min.js. Why is this interesting? Simply because this script is hand-crafted by the author, and that is where something exploitable is most likely to be.

app.min.js

I used a JS beautifier to make this piece of code readable.

app.js (after beautifier)

Note: honestly, I did not take a good look at useful-information item number 2.

I jumped directly to examining app.js. There are two functions there: setuplinks and updateform.

The core of setuplinks is: if you are an admin, add an onclick listener to every student row, so that every time you click a student you are redirected somewhere to update their grades.

The core of updateform is: if the submit button is “record”, take the English, science, and math scores, check whether each score is between A and F, and if that passes, submit the form.

setuplinks is interesting because there is no role check when opening the update page itself; the admin check only decides whether the onclick listener is added in the browser. I tried to access the page directly (https://hacker-camp.chals.damctf.xyz/update-student/TmFuY2llX0JyZXR0, where TmFuY2llX0JyZXR0 is a data-id from the student table) and….

Update score form

I tried to update the scores…

After submitting the update

Interesting, but easy to understand: the redirect URL uses a number as the identifier (7), whereas we used the data-id as the identifier (not our fault, it is the developer’s). If you modify the URL to https://hacker-camp.chals.damctf.xyz/update-student/TmFuY2llX0JyZXR0?updated=true, you get the normal page back.

After fixing the URL

The most important point is that we successfully updated the score. This is the way.
Because the concept is proven, I stopped the information gathering.

The update part is proven to work. Now we need to find the data-id for Natasha Drew.

I came up with several strategies to find Natasha Drew’s ID:

  1. Log in as other teachers to find our friend Natasha Drew.
  2. Try to dump the student table.

NONE OF THESE STRATEGIES WORKED. You can read about them in the mistakes part.

Again, I did not do the information gathering that well. If I had just examined things more slowly, I would have realized that the student id was base64-encoded.

Detailed image of the students

If you only look at the first two entries, you will not notice, because they look like random identifiers assigned when the student’s data was inserted. But if you look at the third and fourth entries, there are trailing “=” characters, which indicate base64 encoding of something. And that something is….

Base64 Decoding of Data-id

… darn it. It is the base64 encoding of FirstName_LastName. The next step is to generate the base64 encoding of Natasha_Drew (TmF0YXNoYV9EcmV3). Repeat the whole process and you can access the update-grade page for Natasha Drew and update her scores from there.

Welcome to Hacker Camp!
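An added Python example (not the write-up's own code) for the data-id step above: it checks whether an id looks like base64, decodes it to FirstName_LastName, and builds the id for a name the way the student table displays it (“Last, First”). The Mary Jones id is constructed to show the trailing “=” padding that gave the encoding away.

```python
import base64
import binascii
import re

NAME_RE = re.compile(r"^([A-Za-z'-]+)_([A-Za-z'-]+)$")

def looks_like_base64(value):
    """Cheap triage: base64 alphabet and a length that is a multiple of four. Trailing
    '=' padding (what gave the ids away in the write-up) is the usual visual tell."""
    return len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) is not None

def decode_data_id(data_id):
    """Return (first, last) when data_id is the base64 of FirstName_LastName, else None."""
    if not looks_like_base64(data_id):
        return None
    try:
        raw = base64.b64decode(data_id, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    m = NAME_RE.match(raw)
    return (m.group(1), m.group(2)) if m else None

def encode_data_id(display_name):
    """Build the data-id from the 'Last, First' form the student table displays."""
    last, first = (part.strip() for part in display_name.split(",", 1))
    return base64.b64encode(f"{first}_{last}".encode("ascii")).decode("ascii")

def find_students(data_ids):
    """Map every id that decodes to a name onto (first, last); other ids are skipped."""
    return {i: name for i in data_ids if (name := decode_data_id(i)) is not None}

# Constructed sample: the two ids from the write-up, one padded id for a made-up
# student (Mary Jones), the numeric id 7 from the redirect, and plain junk.
SAMPLE_IDS = ["TmFuY2llX0JyZXR0", "TmF0YXNoYV9EcmV3", "TWFyeV9Kb25lcw==", "7", "not-base64!"]
```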

Before I got the idea of base64 encoding, I tried SQL injection to log in as another teacher.

' or 1=1 limit 2,1##asdf

Let me explain. The first apostrophe is basic SQL injection: it closes the string literal. “or 1=1” is always true (it fetches the whole table), and “limit 2,1” takes one row at offset 2. The “##asdf” comments out the rest of the query. The asdf is needed (at least for me) because when I tried the injection in phpMyAdmin using “--” or “#”, I got an error about the trailing apostrophe (‘), hence I added a random string to absorb it.

Logged in as another user

It worked and gave me hope. I wrote a script for this because I did not know how many teachers were registered. Additionally, since we know that every time we log in as a teacher the server gives us that teacher’s list of students, we can try to find Natasha Drew that way.

Automated SQL Injection on Login Form

The script checks whether “Drew, Natasha” appears in the response text and stops if it does, because then we have found the student (and can read the data-id). But the name never came up.

I also tried another thing: I wanted to get the database, table, and column names for the students. I assumed that the “logged in as” part shows just the first row returned by the query.

1' and 1 != 1 union SELECT concat(schema_name),concat(schema_name),concat(schema_name),concat(schema_name) FROM information_schema.schemata##asdf

Unfortunately, the system does not allow us to do that. I think the logic behind it is that after the system gets the username, it uses that username to verify that it exists, and that breaks our injection: the injected result is a database name, which obviously is not registered in the teacher table.
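To see concretely why the ' or 1=1 limit 2,1 payload explained above logs you in as a different teacher, and why a parameterized query defeats it, here is an added Python example against a constructed in-memory sqlite3 teacher table (not the challenge's code, and the teacher names are made up). MySQL's # comment is written as -- because SQLite does not recognise #; the asdf still absorbs the trailing quote.

```python
import sqlite3

def seed_db():
    """Constructed stand-in for the challenge's teacher table (three made-up teachers)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE teachers (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, name TEXT)")
    db.executemany("INSERT INTO teachers (username, password, name) VALUES (?, ?, ?)",
                   [("t1", "pw1", "Teacher One"), ("t2", "pw2", "Teacher Two"),
                    ("t3", "pw3", "Teacher Three")])
    return db

def login_vulnerable(db, username, password):
    """Query built by string formatting: the apostrophe in the username closes the
    literal, 'or 1=1' matches every row, 'limit 2,1' picks the row at offset 2 and
    the comment throws away the real password check. Returns the name or None."""
    sql = (f"SELECT name FROM teachers WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    """Same query with bound parameters: the payload is compared as a plain string,
    never parsed as SQL, so it matches no teacher."""
    sql = "SELECT name FROM teachers WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# The write-up's payload, with MySQL's '#' comment spelled as '--' for SQLite.
PAYLOAD = "' or 1=1 limit 2,1 -- asdf"
```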

That is the end of my web write-up. Unfortunately, I only solved 2 of the 4 web challenges. I learned a lot from the challenges I solved; feel free to give suggestions about my post or my solutions. To GOD be the glory.

joshuanatan

A humble learner of everything around IT especially in IT implementation, governance, risk management, and cybersecurity.