Aug 12, 2018 - OpenCTF : SQL 10

Author: Fl0rbu5

Publish Date: 2018-08-12

Category: Web

Points: 10

Description:

https://sql-mayham.openctf.com/ziopxuoiwquyerhnszpasdyvzlkxcjlwerqwer/sql-10/

When 1 is entered it returns the following row:

Enter a badge number to view that officers file:1
(1, 'bob', 'simmons', 'none')

Performing a basic SQL injection, we got the same row back but no error. The server only returns 1 row.

Enter a badge number to view that officers file:1 or 1=1
(1, 'bob', 'simmons', 'none')

When an ID of 2 is entered, no results are found.

Enter a badge number to view that officers file:2 
None

Using the SQL injection, an OR was added to say “id>2”.

Enter a badge number to view that officers file:2 or id>2
(152135123451, 'flag', 'flag', 'Th@tW@53@5yHuh')

This returns the flag, which is in the one other row in the database.
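Why the inputs above behave as they do, shown as an added example rather than the challenge's own code: a sqlite3 stand-in that assumes the server concatenates the badge number into the WHERE clause and fetches a single row, next to a parameterized version. The table name, the column names other than id, and the function names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed stand-in holding the two rows shown in the write-up.
    # Table name and all column names except id are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE officers (id INTEGER, first TEXT, last TEXT, note TEXT)")
    db.executemany("INSERT INTO officers VALUES (?, ?, ?, ?)", [
        (1, "bob", "simmons", "none"),
        (152135123451, "flag", "flag", "Th@tW@53@5yHuh"),
    ])
    return db

def lookup_vulnerable(db, badge):
    # Assumed server logic: the input is pasted into the SQL text, so
    # "2 or id>2" becomes part of the WHERE clause. fetchone() returns only
    # the first match, which is why "1 or 1=1" still shows row 1.
    return db.execute("SELECT * FROM officers WHERE id = " + badge).fetchone()

def lookup_hardened(db, badge):
    # Reject anything that is not an integer, then bind it as a parameter
    # so the value can never be parsed as SQL.
    try:
        badge_id = int(badge)
    except ValueError:
        return None
    return db.execute("SELECT * FROM officers WHERE id = ?", (badge_id,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    for badge in ["1", "1 or 1=1", "2 ", "2 or id>2"]:
        print(repr(badge), lookup_vulnerable(db, badge), lookup_hardened(db, badge))
```

With the hardened lookup, both injected inputs return None and only a plain badge number reaches the query.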

Flag

Th@tW@53@5yHuh

Aug 12, 2018 - OpenCTF : Ellingson Mineral 2

Author: Fl0rbu5

Publish Date: 2018-08-12

Category: OSINT

Points: 100

Description:

We heard word that The Plague escaped prison three weeks ago. We've been notified that he was recently seen on soundcloud liking a song by ytcracker called "hacker music." Let us know what you find.

First perform a search on soundcloud.com for “ytcracker hacker music” then go to likes. https://soundcloud.com/ytcracker/ytcracker-hacker-music/likes

Go to ThePlague2018x’s profile

https://soundcloud.com/user-843651506

The next clue seemed to be to go to the website listed on ThePlague2018x’s profile, which is the following:

https://exit.sc/?url=https%3A%2F%2FNjY2YzYxNjc3Yjc0Njg0NTUyNjU1ZjY5NzM1ZjRlMzA1ZjcyMzE0NzY4NzQ1ZjYxNGU0NDVmNTc1MjMwNmU0NzVmNzQ2ODMzNTI2NTVmMzE3MzVmNGY0ZTZjNzk1ZjQ2NzU0ZTVmNDE2ZTY0NWY0MjMwNzI2OTRlNDc3ZAo.com%2Fhome

Extract the string between the percent-encoded “%3A%2F%2F” and “.com”. That string is Base64; decoding it gives the following value:

666c61677b74684552655f69735f4e305f72314768745f614e445f5752306e475f74683352655f31735f4f4e6c795f46754e5f416e645f423072694e477d

The string looks like hex, so decode it from hex to get the flag.

>>> bytes.fromhex('666c61677b74684552655f69735f4e305f72314768745f614e445f5752306e475f74683352655f31735f4f4e6c795f46754e5f416e645f423072694e477d').decode()
'flag{thERe_is_N0_r1Ght_aND_WR0nG_th3Re_1s_ONly_FuN_And_B0riNG}'

Flag

flag{thERe_is_N0_r1Ght_aND_WR0nG_th3Re_1s_ONly_FuN_And_B0riNG}

Oct 21, 2017 - BSidesPDX CTF : MakeIcon

Author: dade

Publish Date: 2017-10-21

Category: Web

Points: 300

Description:

It's free, as in baby.

Host: ab743120bb6ae11e7ac800aee00def00-1664391948.eu-central-1.elb.amazonaws.com

Note

The BSidesPDX organizers have made the source code for all of their challenges freely available so that you can run them at home and follow along. You can find more information here.

Investigation

Upon loading the screen, we are presented with a file upload and a button to make a JPEG icon. We also note that the version string indicates it was made in 2016, reading Version 2016.3717. After playing around with it for a little while, I thought about how there was that ImageMagick bug last year that let you execute code remotely. I wasn’t sure it would work, but it was worth a shot.

As I hunted down the ImageMagick bug, it became painfully apparent that the Version string provided to us was also the CVE number associated with the ImageTragick bug.

From the ImageTragick site, I decided to take the read_file.mvg file and tweak it to meet my needs.

push graphic-context
viewbox 0 0 64 48
image over 0,0 0,0 'label:@/flag'
pop graphic-context

I suspected that the flag would be in /flag since we had solved other challenges where the flag was in /flag. Luckily I was right, and upon upload I was presented with the first few characters of the flag. Unfortunately I didn’t realize there was a hidden field being sent to determine the output size of the icon, so I wasted a lot of time coming up with this solution.

Solution

I uploaded the read_file.mvg file a total of 5 times, modifying the image over line each time in order to shift what I was able to view and move along the string. In order to do this, I had to set the first value (immediately after ‘over’) to -64, -128, -192, -256, and -320. This allowed me to read each section of the flag inside the tiny 64x48 viewport, instead of just modifying the hidden field to produce a bigger image.

Flag

BSidesPDX{alw4ys_ch3ck_f0r_1day_b4_y0u_l00k_f0r_0day}