Try   HackMD

DamCTF Web Challenge

Name: Hacker Camp

tags: CTF DamCTF web hacker camp

Challenge

Solution

By following the provided link https://hacker-camp.chals.damctf.xyz/we are presented with a login page

So we have a PHP application requesting for a username and password. We did some directory brute forcing with gobuster but didn't get much result, so we proceeded to bypass the login page using SQLi. Providing ' or 1=1# as the username (any SQLi login bypass payload will work, you can find some here) and any password, we are logged in as the user rhonda.daniels

Then we have a list of students, looks like rhonda.daniels is a staff

Going back to the challenge description, we notice that we cannot find our target student Natasha Drew on the list of students and also we do not have a way of updating grades, so we keep digging. Looking through the source page we discover the following:

there is a base64 encoding on each student record which translates to the the format lastname_firstname and also a script that shows the admin status of the user, turns out our user is not an admin after all.

The next line of action would be to make our user an admin or find a way to perform admin operations. Looking further at the source, we found a JS file at /assets/js/app.min.js with the following code:

(function(s, objectName) {
    setupLinks = function() {
        if (s.admin) {
            var sl = document.getElementsByClassName("student-link");
            for (i = 0; i < sl.length; i++) {
                let name = sl[i].innerHTML;
                sl[i].style.cursor = 'pointer';
                sl[i].addEventListener("click", function() {
                    window.location = '/update-' + objectName + '/' + this.dataset.id;
                });
            }
        }
    }
    ;
    updateForm = function() {
        var submitButton = document.getElementsByClassName("update-record");
        if (submitButton.length === 1) {
            submitButton[0].addEventListener("click", function() {
                var english = document.getElementById("english");
                english = english.options[english.selectedIndex].value;
                var science = document.getElementById("science");
                science = science.options[science.selectedIndex].value;
                var maths = document.getElementById("maths");
                maths = maths.options[maths.selectedIndex].value;
                var grades = new Set(["A", "B", "C", "D", "E", "F"]);
                if (grades.has(english) && grades.has(science) && grades.has(maths)) {
                    document.getElementById('student-form').submit();
                } else {
                    alert('Grades should only be between A - F');
                }
            });
        }
    }
    ;
    setupLinks();
    updateForm();
}
)(staff, 'student');

Following the code, after it checks if the user is an admin it obtains the student record with the "student-link" class and then extract the id which is the base64 encoding of the format lastname_firstname we saw earlier and the location is at '/update-' + objectname + '/' + this.dataset.id. We can obtain the id for each student, then the objectname is 'student' by looking that the app.min.js, it's now time to see if we can update a student's record. By picking the first student on the table Brett, Nancie with id TmFuY2llX0JyZXR0 which when decoded translates to Nancie_Brett, we can construct our url to be https://hacker-camp.chals.damctf.xyz/update-student/TmFuY2llX0JyZXR0

Nice. So we know to update we just need the id of the target student. Our student is Natasha Drew so let's make a base64 encoding using the format lastname_firstname, that is Drew_Natasha and try to update her record, https://hacker-camp.chals.damctf.xyz/update-student/RHJld19OYXRhc2hh

But then we get a student record invalid. Okay let's change the format and use the base64 encoding of Natasha_Drew, https://hacker-camp.chals.damctf.xyz/update-student/TmF0YXNoYV9EcmV3

Now we have her records (poor grades, explains why she couldn't attend Hacker Camp xD). Let's upgrade her records to all A's.

And we have the flag

Flag

dam{n0w_w3_c4n_h4ck_th3_pl4n3t}

Last changed by 
rudefish
I'm into cyber security and all its madness, whenever I participate in CTFs the write ups goes here
0
1
282

Read more

Symfonos: 2 - Walkthrough

Machine Details Name: Symfonos 2 OS: Linux Platform: Vulnhub Download Link: Symfonos 2 Getting started I booted up the machine and got assigned an IP addres of 192.168.50.130. Similar to symfonos1, I added symfonos2.local to my hosts file. 192.168.50.130 symfonos2.local

Mar 11, 2022
Symfonos: 3 - Walkthrough

Machine Details Name: Symfonos: 3 OS: Linux Platform: Vulnhub Download Link: Symfonos 3 Getting started After obtaining an IP address for the machine, 192.168.50.137 in my case. I addeed it to mu hosts file. 192.168.50.137 symfonos3.local

Mar 8, 2022
Symfonos: 1 - Walkthrough

Machine Details Name: Symfonos 1 OS: Linux Platform: Vulnhub Machine Link: Download Symfonos 1 Obtaining the assigned machine IP address After setting up the machine on VMWare, the first step is to find the IP address assigned to the machine. To do this, we can use several methods. The two I use often is shown below: sudo netdiscover -r 192.168.50.0/24

Mar 8, 2022
HTB Writeup - Search

Machine Details Name: Search OS: Windows IP address: 10.10.11.129 Difficulty: Hard Points: 40 Initial Enumeration As always, I started with an nmap scan to find out what services are running on the box.

Feb 17, 2022
Read more from rudefish
Published on HackMD