6th March 2021
Write-up Advent of CTF challenge 5

Write-Up Advent of CTF 5

Overview

The NOVI University Of Applied Sciences is offering an Advent CTF challenge for December 2020. The CTF is created by our community member of the Hackdewereld.nl and Chief Lecturer for Cyber Security at the NOVI University, Arjen Wiersma. If you want to participate in these CTF challenges, you can create an account on the website https://www.adventofctf.com/.

Challenge 5

  • Description: Again a login form stands in your way. What powerful ‘hacker’ tool will help you proceed?
  • 500 points

Let’s start with the fifth challenge! After entering the CTF URL, I was redirected to a login page. At the bottom of the login form, a message is visible: ‘A classic, with a twist.’ When I come across a login form, I try a basic SQL injection, first by placing a single quote (') in the login form. Then I try this SQL injection:

username: ' OR '1'='1';
password: ' OR '1'='1';

A MySQL error is visible, so this login form is vulnerable to SQL injection.

[Figure: Advent of CTF Challenge 5 SQL injection. An SQL error means that the login form is vulnerable to SQL injection.]

Most websites have a connection to a MySQL database at the back-end. This database stores the information that the website's front-end requests and shows to the user; the usernames and passwords are stored there too. If the programmer did not build the website's code securely, an attacker can manipulate the MySQL query that the website sends to the database, which allows the attacker to view data they are normally not able to retrieve.

A basic query, for a login form, can be as follows:

SELECT * FROM users where username='admin' and password='mypassword'

As I already said, this login form is vulnerable to SQL injection. The data I put in the form evaluates to the SQL query:

SELECT * FROM users where username='admin' AND TRUE

It takes the row where the username is ‘admin’ and makes the password check always TRUE. But I receive an SQL error, so I have to find another way to log in to this server.

Solution

I tried some SQL injections but received SQL errors. After trying further, the solution is to comment out the rest of the SQL query before it evaluates the password. So I filled in the username admin'-- followed by a space (the space after -- is intended; read the explanation in the MariaDB knowledge base: https://mariadb.com/kb/en/comment-syntax/). It doesn’t matter which password you use, because that part will be handled as a comment.

With this payload, the actual query will be:

SELECT * FROM users where username='admin'-- and password='mypassword'

After hitting the ‘Submit’ button, I’m logged in and can retrieve the flag: NOVI{th3_classics_with_a_7wis7}.

[Figure: Advent of CTF Challenge 5 basic SQL injection and the retrieved flag.]

Thanks for reading!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.
