ECW 2017 - Web - Hall of Fame

The ECW 2017 is a French Jeopardy challenge organized by the “Pôle d’Excellence Cyber” in partnership with the “Région Bretagne”, Airbus and Thalès. Hall of Fame is a web challenge based on Union SQL Injection.

From 06/10 to 22/10 2017, the online challenge is used as a pre-selection for the final Capture The Flag challenge which will start the November 29th 2017 during the European Cyber Week conference in Rennes (France).

Discovery

The challenges starts with a page presenting the “Hall of Fame” of 2016 CTF edition, with an input field used to filter on name. Our first idea is to test for an injection.

hall_of_fame_1

SQL Injection

We can start by testing if the input field is vulnerable to SQL Injection.

pseudo='

No result here. We test again using ORDER BY instruction.

pseudo=' order by 1#

Nice ! We have something ! Normal behavior, no modification on the web page. The field seems to be vulnerable to SQL Injection. We can continue our investigations by increasing the number.

pseudo=' order by 6#
pseudo=' order by 7#

No return after 7. It means that the table has 7 columns. Now, we have to find the vulnerable columns. In order to do that, we can use the UNION instruction.

pseudo=' union select 1,2,3,4,5,6#
hall_of_fame_2

Perfect ! Now, we know that columns 3, 4 and 5 are vulnerable. So, we will have to inject.

Data exfiltration

We can now start to look for information inside the database. The first thing to do is to find the database name.

pseudo=' union select 1,2,3,table_name,5,6 from information_schema.tables where table_schema=database()#
hall_of_fame_3

Then, we can list table columns, using the same method.

hall_of_fame_4

Great ! a column named “password”… Interesting ! Let’s see what’s inside. The used request here is even simpler because it only requires the password column content.

pseudo=' union select 1,2,3,password,5,6 from users#
hall_of_fame_5

Hmm… It’s likely that the flag is one of these passwords… But, how can we find it ?

Two solutions :

  • Try them manually, one by one… :D

  • Try to find more information which could lead us to the solution

We are going to choose the second option, more educational and interesting for a write-up. If we come back to the previous result, before password, we can notice :

  • The classical display on the wall contains the rank, username and score.
  • Another column, named "comment" is not displayed.
Suspicious, let's see it's content.
pseudo=' union select 1,2,3,concat(comment,password),5,6 from users#
hall_of_fame_6

Getting the flag

Only one comment… Which is a reference in CTF creation. It seems that we have the flag ! ;)

After checking, it’s effectively the flag !

References

TamuCTF 2017 - Steganography - Musical Bits ECW 2017 - Web - Path Through