More and more CTFs!!!!
Recently I've started diving into CTFs and trying my hand at some Bug Bounties. This means that I will need to be writing r...
Thanks @DaNail Coulthard for your articles. I've also started with Hacker101.
It's a pleasure to read your experiences with the course.
I even got stuck on Flag 1, but with a little help from the community I solved it in Burp Suite.
You can do it as follows: start a request to the "edit" page and send the request to the Repeater. Be aware that you have no cookies in your Firefox from a current or previous login! (⇐ That was the magic point for me!... if you have a cookie in your headers, you get a "Bad Request" result).
In the Raw or Headers tab, change GET to POST. Then you get your flag.
Hey Samuel.
Thanks for these different approaches to the v1 and v2 flags.
Great to learn more options for ways to get flags.
Bro, I keep getting a Bad Request result even if I clear the cookies.
Can someone please help me?
Thank you in advance!
I just found the solution; it's a bit embarrassing heheh, but anyway. When removing the cookies it asks if you want to remove the cookies from today, an hour ago, two hours ago and so on... etc. The option I chose was to remove all.
Hello! Also a newbie, started today and played with your login hack and did this:
and got the third flag with your SQL code. The first one for username and the second for password.
I don't understand how it works, but maybe later..
Hi DaNeil,
I started doing CTFs yesterday, complete noob. Learned a lot from your post. I did some research and learned SQL basics, some double SQL injection techniques. I think your FLAG 2 worked like this: it's an error-based SQL injection. The intention is to produce some error that will leak information about the database; the count(), floor(rand()*2) a ... group by a will produce that KeyError because of the interaction between group by (aggregation) and count(). Since we can see the error, we could add some information about the database in the concat(), which will become the key, produce the KeyError and then get displayed. The information we wanted simply came from information_schema. Then it's basically iteration through the database.
I used a different method for Flag 2.
I used comparisons for the username and password substrings and then found them letter by letter.
The main idea is that you can use a comparison in the username and if it is true, you will get one error ("Invalid password"), and if it is false you will get another ("Unknown user"). So you can keep giving it comparisons and check the error result to find out whether it is true or not.
For example:
username=' OR 1=1;- -&password=
is true and therefore passes the username check but fails the password check, resulting in "Invalid password".
But
username=' OR 1=2;- -&password=
is false and therefore fails the username check, resulting in "Unknown user".
So beginning by solving the username, I start with:
username=' OR Ascii(substring(username,1,1)) > 109;- -
password=
(Ascii(substring(n,n)) returns the ascii character code of the nth character in the string)
If the ASCII code of the first letter of the username is greater than 109 (which is the letter m), then the comparison will be true and it will give me "Invalid password" as the error. Now I can try:
username=' OR Ascii(substring(username,1,1)) > 115;- -
password=
If the character is not greater than 115 (the letter s), the comparison will be false and it will give the "Unknown user" error instead. Now I know that the letter is greater than m and not greater than s, therefore it is between n and s.
You continue these comparisons until you find the exact letter. Then you move on to the next character:
username=' OR Ascii(substring(username,2,2)) > 109;- -
password=
Now you're checking if the second character is greater than 109 (m).
Once you find a character that equals 0, you know you have hit the end of the string.
You repeat the same process for password:
username=' OR Ascii(substring(password,1,1)) > 109;- -
password=
I used Burp Suite for this to manually do it, but I'm sure you could write a script that did this faster using a binary search for each letter and just checking whether the response has "Invalid password" or "Unknown user" in it.
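As an added example (not code from the original post, the author, or Hacker101), here is a small SQLite simulation of the two-error oracle described in the comment above, beside a hardened login that removes it; the table, credentials and function names are constructed, and SQLite's unicode()/substr() stand in for MySQL's Ascii()/substring().

```python
import sqlite3

# Constructed in-memory table standing in for the CTF's database; the
# username and password are invented sample data.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('orlando', 'hunter2')")
    return conn

def vulnerable_login(conn, username, password):
    # The username is pasted straight into the WHERE clause, so an injected
    # "OR <comparison>" decides whether a row comes back. Two distinct error
    # strings then tell the caller which branch was taken: that is the oracle.
    sql = f"SELECT username, password FROM admins WHERE username='{username}'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return "Unknown user"
    if row[1] != password:
        return "Invalid password"
    return "Logged in"

def hardened_login(conn, username, password):
    # Bound parameter: the input is data, never SQL. A single generic failure
    # message also removes the "row found / no row" distinction, so even an
    # injection elsewhere would have nothing to read from the response.
    row = conn.execute(
        "SELECT username, password FROM admins WHERE username=?", (username,)
    ).fetchone()
    if row is None or row[1] != password:
        return "Invalid credentials"
    return "Logged in"

def oracle_leak(login, conn, comparison):
    # Regression check: submit one comparison in the username field, exactly
    # as in the comment above, and report what the response reveals.
    # True/False means the comparison's result leaks; None means it does not.
    reply = login(conn, f"' OR {comparison} --", "")
    return {"Invalid password": True, "Unknown user": False}.get(reply)

if __name__ == "__main__":
    db = build_db()
    for fn in (vulnerable_login, hardened_login):
        # 'o' is code point 111: "> 109" is true, "> 115" is false.
        print(fn.__name__,
              oracle_leak(fn, db, "unicode(substr(username,1,1)) > 109"),
              oracle_leak(fn, db, "unicode(substr(username,1,1)) > 115"))
```

Running it shows the vulnerable login answering True/False to each probe while the hardened login answers None for both, which is the property a fix should be tested against.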
Flag 1: I don't have Burp, so I used an easier method. Go to the edit page and leave it open. Open a new tab (same URL) and log out. In the edit page, hit save. Done.
That way, you're submitting an edit form without being logged in as admin, but it still works.
DaNeil,
Thank you for your article, I also didn't like that answer and wanted to come up with something simpler (to me). For that I went with a timing attack.
I've written it up on my blog blog.mstill.dev/0OpkO3J0T8SZgLDI87...
I rewrote my solution as I realised I don't need to use SLEEP.
See my follow up blog.mstill.dev/Cr1OdO4FTMq1Y7S5WN...
On flag 1, what was the hint about? What does it mean by saying "What actions could you perform as a regular user on the last level, which you can't now?"
I assumed that it was talking about how regular users can only view pages but an admin can edit them, and that is why the flag is on /page/edit/2. It's saying that logged-out users should not be able to edit pages, but in fact, if you can simulate the right POST request, it'll still go through, even when logged out.
This was so helpful. I just got lost on the last flag. Can anyone help me?