I feel I am really close on a few of the challenges, but being new to the scene, it would be great to have a place to refer to instead of continually banging my head against the wall. I would then be able to re-trace the steps it took to get to those solutions, or see if I was off by a simple encoded character or something.
@absoThe I am also working on the hacker101 ctf, and I am getting stuck too. Have you started working on the hints and solution yet? If so, could you post a link to them? I am getting stuck on the easy ones, and I am not sure what I am missing. What resources are you using to learn? Thanks!
@absoThe getting an invite to that channel would be great. I read through both those books, and I only found half as many flags. I tend to overcomplicate it, and I have been stuck on the easy levels for a while now. I tried some of the moderate levels, but have not found one there yet. I have been doing the same thing: I write down how I found them all, plus what I have tried, and any interesting finds that might lead somewhere. Thanks!
A technical writeup of the Hacker101 CTF (Photo Gallery). If you are trying to do it on your own, please do not read this article. I got permission to do this writeup, and I'm glad I can finally share it.
The application is vulnerable to multiple SQL injections, ranging from information disclosure to remote code execution. This challenge is from the Hacker101 CTF and is labeled as moderate.
This challenge is my favorite in the hacker101 ctf, because it took me around 3 weeks to figure everything out, including a ruby script to obtain one of the flags. The only tools used for this challenge were the browser and ruby.
The HTML source code shows that the images are loaded through a route that looks like /fetch?id=1. The id parameter passes an integer as a query parameter, which is then used to look up the correct filename for the image. Something to note is that the last image in the application is broken; just remember that for now.
Looking at the app, the images are grabbed from the server with a request of the form fetch?id=1.
This is an indication that we should test for SQLi, and the hints tell us that this will require a UNION.
Union based attack: Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The UNION operator can only be used if the original and injected queries have the same structure (same number of columns with compatible data types).
This query returns a file name, and that file name is then looked up on disk and its contents returned. Using a UNION we might be able to trick the DB into handing us some other file if we just supply an interesting filename. This is where the docker image comes in handy: we know there is a main.py file and we also know the file structure, so here is my payload:
I had to figure out a way to get the filename of that hidden kitty; the filename turned out to be the flag. I worked on the assumption that the file name was what was triggering the 500 server error. If you try to fetch that image the backend sends a 500 error, which gave me an oracle. The following explains the assumptions I used.
I wrote the following Ruby script. It uses the httparty library to make a request to the challenge instance. The function check? builds the URL by inserting the str variable into the request, and we use the SQL LIKE operator to match the current str against the filename. If the filename contains the string inside the variable we should get a 500 server error; the line response.code == 500 returns true if the response code is 500 and false if it is anything else, which is exactly what we want. The key here is knowing that the 500 error can be used to recover the filename one character at a time.
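To make the two injection behaviours above concrete from the defender's side, here is an added Python example (not the challenge's code, and not my Ruby script) that models a fetch handler with a constructed in-memory sqlite table: the vulnerable version interpolates the id straight into the query, so a UNION changes which filename is returned and a LIKE condition flips the result into a yes/no oracle; the hardened version validates the type and binds the value as a parameter. Table and file names are assumptions.

```python
import re
import sqlite3

# Constructed sample schema (assumption): an integer id mapped to a filename on disk.
SAMPLE_ROWS = [(1, "cat.jpg"), (2, "dog.jpg"), (3, "hidden_kitty.jpg")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE photos (id INTEGER PRIMARY KEY, filename TEXT)")
    conn.executemany("INSERT INTO photos VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_vulnerable(conn, id_param):
    # The id is spliced into the SQL text, so anything after the number is parsed as SQL.
    # In the challenge the returned filename is then opened on disk; a missing row
    # (None here) is what surfaced as the 500 error the writeup uses as an oracle.
    row = conn.execute(f"SELECT filename FROM photos WHERE id={id_param}").fetchone()
    return row[0] if row else None


def fetch_hardened(conn, id_param):
    # Reject anything that is not a plain integer before it reaches the database,
    # then bind the value with a placeholder so it can never be interpreted as SQL.
    if not re.fullmatch(r"[0-9]+", id_param):
        raise ValueError("id must be a non-negative integer")
    row = conn.execute("SELECT filename FROM photos WHERE id=?", (int(id_param),)).fetchone()
    return row[0] if row else None


def is_rejected(conn, id_param):
    """True when the hardened handler refuses the parameter outright."""
    try:
        fetch_hardened(conn, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(fetch_vulnerable(db, "0 UNION SELECT 'main.py'"))      # the UNION swaps the filename
    print(fetch_vulnerable(db, "3 AND filename LIKE 'hid%'"))    # oracle: row found
    print(fetch_vulnerable(db, "3 AND filename LIKE 'zzz%'"))    # oracle: no row
    print(is_rejected(db, "0 UNION SELECT 'main.py'"))           # hardened handler refuses
```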
Assumption:
We have to update some document, and we also need to make sure we use stacked queries and the COMMIT command to apply the changes. There is something weird about that subprocess call: it runs commands on the computer, which is never a good thing. Also, the way it is written, I think I can end the quote and add my payload there by creating an album with a weird name.
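The quote-ending trick above works because a value is interpolated into a shell command line. As an added example (not the challenge's code), the Python below shows, without executing anything, how a hostile album name splits a quoted command line into extra words, and the hardened form that passes the name as a single argv element with no shell involved. The command name and the album name are constructed for illustration.

```python
import shlex
import subprocess
import sys

# Constructed album name (assumption): it closes the single quote the command line
# wrapped it in, then smuggles in a second command.
HOSTILE_NAME = "album' ; echo injected ; '"


def naive_command_words(name):
    # Model the broken pattern: the name is pasted into a quoted string and handed to
    # a shell. shlex.split shows how the shell would tokenise it; nothing is run.
    return shlex.split(f"convert 'uploads/{name}' thumb.jpg")


def run_hardened(name):
    # Hardened form: an argv list and no shell, so the name stays one argument no
    # matter how many quotes or semicolons it contains. The child here is just the
    # Python interpreter echoing its argument back, so the example runs anywhere.
    result = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", name],
        capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(naive_command_words(HOSTILE_NAME))   # 'echo' and 'injected' become separate words
    print(repr(run_hardened(HOSTILE_NAME)))    # the whole name arrives as one argument
```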
This is my favorite challenge, I remember beating my head against a wall because I didn't know much about SQL, but little by little the exploits became more clear and I was able to get the flags. I had a lot of fun writing that ruby script which got me to Flag 1.
If you enjoyed this article or found it helpful please consider making a U.S. tax-deductible donation, Secjuice is a non-profit and volunteer-based publication powered by donations. We will use your donation to help cover our hosting costs and keep Secjuice an advertisement and sponsor free zone.