24th October 2021
Write-up Advent of CTF challenge 7

Write-Up Advent of CTF 7

Overview

The NOVI University of Applied Sciences is offering an Advent CTF challenge for December 2020. The CTF is created by Arjen Wiersma, a member of our Hackdewereld.nl community and Chief Lecturer for Cyber Security at NOVI University. If you want to participate in these CTF challenges, you can create an account on the website https://www.adventofctf.com/.

Challenge 7

  • Description: Santa has a naughty list, I wonder who is on it? I hope it is not the blind mice!
  • 700 points

Let’s start the challenge! After visiting the challenge URL https://07.adventofctf.com/, I land on the page below. There is only a search bar visible.

Advent of CTF Challenge 7

Let’s start by putting a single quote ' in the search field. No luck: no SQL error pops up. The next step is to test whether this search bar is vulnerable to Blind SQL Injection. Unlike ‘normal’ SQL injection, blind SQL injection produces no error messages. To test whether the search bar is vulnerable, we look at how the page behaves depending on the statement given to the search bar. If we give a ‘True’ statement (e.g. 1=1) it returns a valid page, and when a ‘False’ statement (e.g. 1=2) is given, it shows an invalid page. By an invalid page, we mean that something on the page is different, something we do not expect.

So, I start by sending username' or'1'='1 and directly get the flag! This was totally not expected. The flag: NOVI{bl1nd_sql1_is_naughty}.
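To see why the true/false behaviour described above separates a vulnerable search from a safe one, here is an added example (not code from the challenge site) that rebuilds a naughty table in an in-memory SQLite database and runs the write-up's own payloads against a string-concatenated query and against a parameterised one. The table rows and the SQLite backend are assumptions; the real backend is unknown.

```python
import sqlite3

# Constructed sample data modelled on the challenge's table layout
# (id, username, badthing); the rows themselves are made up here.
ROWS = [
    (1, "santa", "ate all the cookies"),
    (2, "rudolph", "flew off course"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE naughty (id INTEGER, username TEXT, badthing TEXT)")
    conn.executemany("INSERT INTO naughty VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, term):
    # The search term is spliced into the SQL text, so quotes, OR
    # conditions, UNIONs and -- comments in it are parsed as SQL.
    sql = f"SELECT username FROM naughty WHERE username = '{term}'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    # The term is passed as a bound parameter: it is compared as data
    # and can never change the shape of the statement.
    sql = "SELECT username FROM naughty WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def compare(term):
    """Run one search term through both versions; returns (vulnerable, hardened)."""
    conn = make_db()
    try:
        try:
            vulnerable = search_vulnerable(conn, term)
        except sqlite3.Error as exc:
            vulnerable = f"error: {exc}"  # e.g. a lone quote breaks the statement
        hardened = search_hardened(conn, term)
    finally:
        conn.close()
    return vulnerable, hardened


if __name__ == "__main__":
    for payload in ["santa", "'", "santa' and '1'='1", "santa' and '1'='2",
                    "username' or'1'='1", "1' union select 1-- "]:
        print(repr(payload), "->", compare(payload))
```

The blind test from the write-up shows up as the difference between the and '1'='1 and and '1'='2 results in the vulnerable version, while the parameterised version returns nothing for every payload because no user is literally named that.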

Advent of CTF Challenge 7 flag
Advent of CTF flag 7

This was very easy. Was this intended? I don’t think so. The CTF creator created an additional challenge.

(Additional) Challenge 7

  • Challenge 7 had a very unintended easy solution. This was my mistake and it did not surface during playtesting. In order to make it worth your while to solve the challenge in the intended way, please enter the username of the user on the naughty list to receive some additional (possibly very important) points.
  • 250 points.

It’s the same website, and we have already found the vulnerability. Let’s take this a step further and try to get the naughty username. First, we enumerate the number of columns with this SQL injection: 1' union select 1-- . According to the output, this statement is true.

Advent of CTF Additional Challenge 7
Output of the True statement

The next step is to enumerate the names of the tables. I came up with this SQL injection: 1' union select table_name from information_schema.tables-- .

Advent of CTF Additional Challenge 7 SQL Injection
SQL Injection enumeration of the table names

We get a lot of results back. Again, just like in the previous challenge, the interesting information can be seen at the end of the result: there is a database table with the name naughty. We can now focus on this table. To know which data we can pull out of it, we need the names of its columns. To get the column names of this table, we can use this SQL injection: ' UNION SELECT column_name FROM information_schema.columns WHERE table_name = "naughty"-- .

Advent of CTF Additional Challenge 7 SQL Injection Column names
Column names from table naughty

The table naughty has three columns named id, username, and badthing. We can now build our last query to retrieve the information from this table: ' UNION SELECT group_concat(id,char(32),username,char(32),badthing) from naughty-- .

 Advent of CTF Additional Challenge 7 flag

Thanks for reading!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

