Xpand CTF Qualification Round Web Writeup

Author: Amr Zaki

Web 1

image

The first web challenge is a black-box one with a simple login function.

image

When I tried to log in with test:test I got an auth failure message and demo account creds.

image

Logging in with these credentials takes us to the /private endpoint, where a JWT is issued as follows.

image
image

We notice the role claim in the payload, and the fact that this role is reflected on the page tells us that we need to change it to admin.

My teammate solved this one with the none algorithm as follows:

image

We got the flag in the /private endpoint.

image

Flag: Xpand{JS0N_W3B_T0K3N_!!!}
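The reason the none-algorithm trick works is on the server side: a verifier that lets the token's own header pick the algorithm will skip the signature check when the header says alg=none. The following is an added example (not code from the challenge or from this writeup) that contrasts that flawed verifier with one that pins the algorithm on the server. The signing key, claim names and payloads are constructed for the example; the challenge's real key and claims are not known.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this example; the challenge's real key is unknown.
SECRET = b"example-key-not-from-the-challenge"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def encode_token(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. alg="none" yields the unsigned header.payload. form."""
    header = {"alg": alg, "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}".encode()
    if alg == "none":
        return f"{h}.{p}."
    return f"{h}.{p}.{b64url_encode(hs256(signing_input, key))}"


def verify_lax(token: str, key: bytes):
    """Flawed verifier: lets the token's own header choose the algorithm.
    With alg=none the signature is never checked, so the role claim can say anything."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))  # accepted without any signature check
    if not hmac.compare_digest(hs256(f"{h}.{p}".encode(), key), b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def verify_strict(token: str, key: bytes, allowed_algs=("HS256",)):
    """Hardened verifier: the server pins the algorithm. A header asking for
    'none' (or anything not on the allow-list) is rejected before any claim
    is read, and malformed tokens are rejected rather than raising."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") not in allowed_algs:
            return None
        if not hmac.compare_digest(hs256(f"{h}.{p}".encode(), key), b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except (ValueError, TypeError, AttributeError):
        return None


if __name__ == "__main__":
    legit = encode_token({"user": "demo", "role": "user"}, SECRET)
    unsigned = encode_token({"user": "demo", "role": "admin"}, SECRET, alg="none")
    print("lax   accepts unsigned admin token:", verify_lax(unsigned, SECRET) is not None)
    print("strict accepts unsigned admin token:", verify_strict(unsigned, SECRET) is not None)
    print("strict accepts legit token:", verify_strict(legit, SECRET) is not None)
```

The fix is the allow-list in verify_strict: the algorithm is a server-side decision, never data taken from the untrusted token. Most JWT libraries expose the same control as an "algorithms" parameter on their verify call; leaving it unset is what reproduces verify_lax.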

Web 2

This challenge confused a lot of people, me included, and it had only 4 solves.

image

The description contained an obvious hint that the application was running on Ruby. The challenge link didn't provide any attack surface; it was a static page.

image

There was nothing interesting at all in the source code. Looking at the request in Burp, the hint was confirmed: the application indeed runs on Ruby.

image

I did some searching on the server's name and found a path traversal exploit (Link), but it didn't work. So we started looking for Ruby 1.9.3 CVEs, and I came across an interesting one (Link).

Article Link

This awesome blog post exploits the vulnerability step by step, and I was able to get a shell on my ngrok server as root; the flag was in plain text in the Dockerfile in the /app directory.

Flag: XPAND{I_L0V3_RUBY_0N R4IL$}

Web 3

Saving the best for last: this challenge was so fun to do, and I learned a new thing while solving it.

image

Unlike the last two, this was a white-box challenge, finally, and it has register, login and display functions.

image
image
image

In the source code provided, we have the SQL database structure and admin username:

image

In the user.php file we have the website's functionality: form validation and a PDO prepared statement used when registering a user. But there's an interesting part in the source code of the login function.

image

As we see, this function has an SQL injection vulnerability in the username variable. But there's a filter that escapes double quotes and backslashes, so any basic SQLi authentication-bypass attempt won't work.

After some digging on vsprintf, as it was my first time seeing it: it is a function used to format strings in PHP (https://www.php.net/manual/en/function.vsprintf).

A basic example of formatted strings would be something like this.

echo vsprintf("Hi my name is %s",["Z4ki"]);
// output
Hi my name is Z4ki

In the example, the %s format specifier is replaced by the array element.

Back to the code: I noticed that there wasn't a format specifier in the query string, but the password variable is passed in the array. So, if there is a format specifier in the username, it would be replaced by the value of the password variable.

vsprintf("SELECT * FROM users WHERE `user_username` = %s AND `user_password` = :password", [$password]);

Tracing the code again, double quotes are only escaped in the username variable, not in the password.
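To make the mechanism concrete, here is an added example (not the challenge's PHP and not code from this writeup) that models the login query construction in Python. PHP's vsprintf() is stood in for by a minimal helper that only handles %s, which is the part that matters here; the table and column names come from the query quoted above, while the escaping filter, the schema and the stored row are constructed for the example. The vulnerable builder shows a %s in the username pulling the unescaped password into the query, and the hardened builder shows the fix: a constant query with both values bound as parameters, so user input never reaches a formatter.

```python
import re
import sqlite3


def vsprintf_s(template: str, args: list) -> str:
    """Minimal stand-in for PHP vsprintf(): consumes one argument per %s from
    left to right and, like vsprintf, silently ignores surplus arguments.
    Only %s and %% are modelled."""
    remaining = iter(args)

    def substitute(match: re.Match) -> str:
        if match.group(0) == "%%":
            return "%"
        try:
            return str(next(remaining))
        except StopIteration:
            raise ValueError("too few arguments for format string")

    return re.sub(r"%%|%s", substitute, template)


def escape_username(value: str) -> str:
    """The filter the challenge applies to the username only (constructed
    re-implementation): backslashes and double quotes get a backslash prefix."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_login_query_vulnerable(username: str, password: str) -> str:
    """Vulnerable construction: the escaped username is spliced into the query,
    then the whole query, which now contains user input, goes through the
    formatter with the password as its argument. A %s that arrived inside the
    username is replaced by the raw, unescaped password."""
    template = (
        'SELECT * FROM users WHERE `user_username` = "'
        + escape_username(username)
        + '" AND `user_password` = :password'
    )
    return vsprintf_s(template, [password])


def build_login_query_safe(username: str, password: str):
    """Fixed construction: a constant query with bound parameters for both
    values. Quoting is the driver's job, and nothing user-controlled is ever
    used as a format string."""
    query = (
        "SELECT * FROM users WHERE `user_username` = :username "
        "AND `user_password` = :password"
    )
    return query, {"username": username, "password": password}


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example. A real application would
    store a password hash, not the plaintext compared here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_username TEXT, user_password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-admin-password')")
    return conn


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Runs the hardened query; a %s in the username is just a literal string."""
    query, params = build_login_query_safe(username, password)
    return conn.execute(query, params).fetchone() is not None


if __name__ == "__main__":
    print(build_login_query_vulnerable("%s", 'a"b'))
    print(login_safe(demo_db(), "%s", 'a"b'))
```

Running the vulnerable builder with username %s and password a"b prints a query whose username literal contains an unescaped double quote, which is exactly the character the filter was meant to keep out. The hardened builder returns the same query text regardless of input, and login_safe shows that the same username simply fails to match a row.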

So, our final exploit would be something like this.

image

I got redirected, which means I'm authenticated. Finally, let's do it with the admin username.

image
image

We got the flag. 🥳

Flag: Xpand{SQL!_F0R_TH3_W!N}