Thu, Jan 07, 21
Welcome back to my walkthrough of hackthissite.org’s CTF missions. I will be going through my thought process of how I solved these missions, and therefore also giving away the solutions. If you came across this to give you hints, watch out for spoilers! Good luck, have fun.
Our next realistic mission is to post some messages to the main page of a racist hate group’s forum. Which truly is quite the racist hate group. We are meant to access their administration page in order to post a message to their website.
Going onto the website, we can see that there doesn’t seem to be any login feature, nor a posting feature available for anyone to login. Inspecting the page leads to no forms of any kind that are present on the page. However, at th very bottom of the page, there is an anchor tag to a script/page marked udpate.php with the text ‘update’ that has been masqueraded by setting the font colour to be the same as the background colour. Lets me see what happens why I click this update link.
This has lead me to a page with a login form that send a post request to a update2.php script with a username and password. There is also no abnormal cookies being used on this login page. There is no obvious hints as to the username/password combo, and just to check that its not some basic password we will try the following combinations:
Upon entering any of those combinations we are redirected to another page that says we have entered an invalid combo with no error messages exposing their username/password functionality, neither any other information.
Going back to the original website we can see that the posts show whom they were posted by, we have two users: WhiteKing and Jones. We can try to use these as usernames - hoping that this website simply uses those as it’s unique identifiers and not emails. After trying both usernames with a bunch of basic passwords, I was not able to login into either of the accounts.
Lets move onto another attack vector, perhaps this login form is susceptible to SQL injection - assusming it is using SQL for their user database. We can try to see if they are using SQL and posting their error messages by giving an input that would break the statement, as such we will put ' or test into the username. This in turn does give us the notification “SQL error” which confirms our suspicions that they are using SQL for their user management. Typically, user management is done through a single line, so what we can do is try to a string that would always be true regardless of the username/password combo. An example would be using ' or 1=1-- as a username. This would evaluate to something like Select * from Users Where username='' or 1=1-- and password = ''. What this statment means is: select all users where username is blank or true, and anything after – is treated as an inline comment. Thus, this statement returns all users which should in theory allow me to login if they simply check if a return exists for this statement. Voila!
We have successfuly loged in and have been redirected to a ‘Go on’ button meaning the mission has been completed.