search
githubEdit

X marks the spot

hashtag
Problem

Another login you have to bypass. Maybe you can find an injection that works? http://mercury.picoctf.net:16521/arrow-up-right

hashtag
Solution

  1. The challenge says this is an XPATH injection. We can try the standard payload blah' or 1=1 or 'a'='a from OWASParrow-up-right and see if we can sign in. This results in a message saying You're on the right path., so it looks like our query succeeded. However, we did not get redirected to an application so this looks like a "blind XPATH injection."

  2. HackTricksarrow-up-right is a good resource here. Their XPATH Injection articlearrow-up-right explains the basics of XPATH and even has an example script to execute a blind XPATH injection attack. This script was the basis of my solve scriptarrow-up-right.

  3. Essentially, when the You're on the right path. message is shown, we know our query returned a true value and otherwise our query was false. We can modify the query using or to join the login query with a special query and then tell XPATH to ignore the rest of the login query.

  4. By using ' or string-length(//user[position()=3]/pass)=4 or ''=' we can check if the length of the pass field of the 3rd user element in document is 4. I guessed that the password field would be called pass because that is the name of the form element in the website's HTML. The position()=3 was manually checked by scanning each position starting at 1. If the name of the field is unknown, a query such as the following could be used instead: ' or string-length(//user[position()=1]/child::node()[position()=1])=4 or ''='. We can bruteforce the 4 in this case and determine the length of the 3rd user's password.

  5. Once we know the length of the password/flag, we can use ' or substring(//user[position()=3]/pass,<position>,1)="<character>" or ''='where <position> is the position in the string and <character> is the character we are checking. We loop though all the possible characters at position 0 until the You're on the right path. message is shown. When that loop is complete, we will know the first letter of the password/flag. We can continue doing this for each character of the password/flag until we reach the length we found in the previous step.

  6. The solve scriptarrow-up-right executes the above scripts to determine the flag character by character. Depending on your internet connection (how fast you can send requests to the server), the script may take a few minutes (≈4 minutes maximum) to run.

hashtag
Flag

picoCTF{h0p3fully_u_t0ok_th3_r1ght_xp4th_28cb0023}

PreviousWho are you?

Last updated