Nightxade: CTF Writeups

Writeups | Solutions | Blog

1337

Babygame01
[100] <pwn/> <out-of-bounds/>
Buffer Overflow 2
[300] <pwn/> <buffer-overflow/> <ret-to-win/> <args-on-stack/> <gets/>
Buffer Overflow 3
[300] <pwn/> <buffer-overflow/> <stack-canary/> <ret-to-win/> <byte-by-byte/>
Flag Leak
[300] <pwn/> <format-strings/> <%p/>
Rps
[200] <pwn/> <strstr/>
X Sixty What
[200] <pwn/> <x64/> <buffer-overflow/>
Aes Abc
[400] <crypto/> <aes/>
B00tl3grsa2
[400] <crypto/> <rsa/>
B00tl3grsa3
[450] <crypto/> <rsa/> <multi-prime/>
College Rowing Team
[250] <crypto/> <rsa/> <unpadded/>
Compress And Attack
[130] <crypto/> <zlib/> <Salsa20/> <brute-force/>
John Pollard
[500] <crypto/> <rsa/> <certificate/>
Mini Rsa (both)
[300] <crypto/> <rsa/> <brute-force/> <small-e/>
New Vignere
[300] <crypto/> <vigenere/> <bits/>
Nsa Backdoor
[500] <crypto/> <diffie-hellman/> <rsa/> <smooth-primes/> <pollard-attack/>
Rsa Pop Quiz
[200] <crypto/> <rsa/>
Scrambled Rsa
[140] <crypto/> <rsa/> <brute-force/> <byte-by-byte/>
Sra
[400] <crypto/> <rsa/> <factorization/> <brute-force/>
Sum O Primes
[400] <crypto/> <rsa/>
Very Smooth
[300] <crypto/> <rsa/> <smooth-primes/> <pollard-attack/>
Waves Over Lambda
[300] <crypto/> <monoalphabetic-substitution/>
Operation Oni
[300] <forensics/> <disk/> <permissions/>
Operation Orchid
[400] <forensics/> <disk/> <openssl/>
Sidechannel
[400] <forensics/> <side-channel/> <timing/>
Whitepages
[250] <forensics/> <unicode/> <binary/>
Otp Implementation
[300] <rev/> <otp/> <byte-by-byte/>
Reverse Cipher
[300] <rev/>
Irish Name Repo 1
[300] <web/> <sql-injection/>
Irish Name Repo 2
[350] <web/> <sql-injection/>
Irish Name Repo 3
[400] <web/> <sql-injection/> <curl/>
Roboto Sans
[200] <web/> <robots.txt/>
Secrets
[200] <web/> <curl/>

picoCTF

Irish Name Repo 2 [350 pts]

Challenge Description:

There is a website running at https://jupiter.challenges.picoctf.org/problem/53751/ (link). Someone has bypassed the login before, and now it’s being strengthened. Try to see if you can still login! or http://jupiter.challenges.picoctf.org:53751

Using the same input as in Irish-Name-Repo 1 returns the following: “SQLi detected.” So it seems like we can’t include any SQL in our parameters.
Instead, however, maybe we can exploit SQL comments!

The SQL for this challenge is likely similar, i.e.

SELECT * FROM admin_table WHERE username = '[username]' AND password = '[password]'

(Note that this can actually be confirmed by setting the debug parameter to 1 using a tool such as Burp Suite or simply Terminal)

Hence, in the username input, we can input admin'--, which will change the SQL to this:

SELECT * FROM admin_table WHERE username = 'admin''-- AND password = ''

The -- is an SQL comment, and comments out the rest of the SQL such that it never checks if the password is correct. Enter the input in, and get your flag!

picoCTF{m0R3_SQL_plz_c34df170}