Tue, Jun 08, 21
Welcome back to my walkthrough of hackthissite.org’s CTF missions. I will be going through my thought process of how I solved these missions, and therefore also giving away the solutions. If you came across this to give you hints, watch out for spoilers! Good luck, have fun.
Our next realistic mission asks us to hack into the grade system of a school and change the grade for our client. He supplies us with his login information and that is all that we are given.
I will approach the begining of this mission as I did the last two missions, evaluating the website and trying to note anything interesting that I can find. The homepage of this website has nothing of importance, other than the hidden login button for teachers. This is accessible directly underneath the staff photo on the left side of the website. They attempted to hide it in an empty image as a link. Otherwise, from the homepage, we can also access the staff listing - which gives their direct emails - and a student login portal. The login form for the student portal sends a GET request to student.php that returns a webpage with which we can access the student’s grades. The interesting observation to be made so far is that this request is made as a GET request with any and all identification on filtering done through the query string with URL encoding as defined by #RFC2396. This website uses no cookies whatsoever in relation to student authentication.
Instantly, my first reaction is that the URL is exploitable with possible SQL injection. Otherwise, my first step is to figure out which courses he is taking, to figure out which grades need to be changed. The following list is the current courses that the client is taking:
Looking through the staff listing, here is a mapping to the possible teachers for these courses:
| Course | Teacher |
|---|---|
| Mathematics | Adam Smith, Alfred Johnson, Gordon Freeman, Jonathan Goodman, Matthew Howard, Tristen Terell |
| English Composition | Emily Reeves, Jenifer Smith |
| Bible Study | Jonathan Goodman |
| Gym | Ann Feldman |
| Computer | Steven Florence |
From here, it is still unclear as to the direction that I must move forward with in order to complete this challenge. Trying out some basic SQL injection in the student.php webpage to see if it is possible to access the student information without entering the real password leads to nowhere. This is clearly not the correct way to move forward.
Taking a step backwards, I noticed something interesting about the staff listing webpage. Each staff member is given an ID, with Samantha Miller being given ID number 1. In theory, this would suggest that Samantha Miller is the administrator of this website. So, if we were to try and infiltrate any account, it should be hers. Taking note of her email address, smiller@holycross.edu, we will try to login as her account. Since we know that the previous student.php form is not susceptible to SQL injection, I can assume that this form is also not susceptible. But a quick try will never hurt. Sadly, it is not as easy as I wish it were to be. Since the students do not use email addresses to login, it is unlikely that the staff use their full email address to login. I will be attempting to brute force into the account smiller. After trying many basic passwords, I finally was able to access the account using the password smiller. Upon loging in, I am presented with the following message:
Welcome, Mrs. Samantha Miller! Please remember that access to the staff administration area is restricted to the district-supplied 'holy_teacher' web browser.
Furthermore, there are several cookies that have been set after loging in: {name: "Mrs.+Samantha+Miller", password: "smiller", admin: "0", username: "smiller"}. In order to move forward, I must change my user-agent to holy_teacher; doing this on a Chromium-based browser is quite easy by changing the device beside the ‘select element’ tool and creating a custom one. After doing this, we are presented with the proper staff portal. We can see that there are 3 functionalities: {Check Messages, Submit Grades, Change Grades}. Under ‘Change Grades’ it is also listed that we are not an administrator and we are not allowed to change grades. Inspecting the source code, we can see that the ‘Change Grades’ form has a hidden field that is commented out that sets the action to changegrades. Clicking the buttons, we can see that this teacher doesn’t have any messages, and that it is too late into the school year to set grades. This suggests that our target is to uncomment this input within the ‘Change Grades’ form. Uncommenting this input field, we get a different outcome than from having it commented. Previously, it would simply redirect back to staff.php, whereas now it says the following:
Our records are indicating that you are not an administrator, Mrs. Samantha Miller. You will not be able to change grades
Perhaps this can be bypassed by changing the admin cookie to 1 prior to submitting the form with the uncommented input field present. Doing so has changed the output once again for this form. We are now presented with a listing of students. Our client’s name links to the following URL: staff.php?action=changegrades&changeaction=viewstudent&studentid=1. Clicking this link, we are then presented with another webpage with what seems to be a table that allows to edit grades and comments, although, on the bottom of the page it is written:
Sorry, it is too late into the school year to change grades now. The grades will be printed and mailed in just a few days.
Inspecting the table, I can see that each row is a form, and the submit button is simply commented out. This would suggest that we can still change the grades if we uncomment the submit buttons. Although, the form closing tag is right after the opening, and direct modification on the browser is not easily done. Perhaps we can simply add the form fields to the embedded URL of the form and do it directly through the browser. Changing the first ‘0’ grade, Bible Study semester 2, with the URL: staff.php?action=changegrades&changeaction=modrec&rec=0&studentid=1&grade=5&comments=holiest+of+holy does indeed result with a changed grade. I will now do the same to all other grades that are at 0 or 1. After this, all failing grades have been changed and the mission has been completed!
I will see you all in the next one.