PicoCTF (irish-name-repo-3)
INTRODUCTION
This blog post will explore a straightforward CTF challenge, focusing on the fundamentals of SQL injection to bypass the login page. We’ll delve into the logic behind the page and extract the flag.
WALKTHROUGH
The CTF is from picoCTF’s web exploitation series.
As we navigate to the challenge link, we encounter a basic webpage.
Since there’s nothing noteworthy on the homepage, let’s explore any specific page where we can engage with the website.
Within the hamburger menu, we notice an “Admin Login” page. Let’s proceed to navigate to that page.
On this page, we encounter a login form that only prompts for a password. This form is specifically for accessing the admin account. Let’s inspect the request sent from this form by intercepting it using Burp Suite.
The interception reveals that a POST request is directed to login.php, containing our password and a debug value of 0. Let’s resend the request with the debug value changed to 1.
Here, we observe that when the debug value is set to 1, the SQL query running in the backend is reflected on the page. Now we can be certain that we need to inject a truthy condition into this SQL query to bypass the login page. Let’s do this in a cooler way, using curl.
Here, when we send a request with the password “amsghimire”, we can observe that in the reflected query the value has been changed to “nzftuvzver”. This appears to be some sort of substitution cipher applied to the input. With simple inspection, we can see that a shift of 13 is applied to all letters, while digits are displayed as they are. Therefore, we can conclude that this is ROT13. So, let’s send the payload “' or 1=1 --” pre-encoded with a ROT13 shift, which becomes “' be 1=1 --”, so that the backend’s own ROT13 step turns it back into the intended “' or 1=1 --” before it reaches the query.
Finally, when this payload is sent, we successfully log in to the application, bypassing the login page, and we can extract the flag.
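To make the mechanics concrete, here is an added example (not code from the challenge or from this write-up) that reproduces the backend’s behaviour in Python against an in-memory SQLite table. The table name, its single password column, and the stored password “s3cret” are assumptions, since the challenge never reveals its schema. It shows three things: ROT13 leaves quotes, digits and comment markers untouched, so a pre-shifted payload arrives as valid SQL; the concatenated query is what the debug=1 reflection showed; and the same ROT13 step with a bound parameter no longer lets the payload change the query.

```python
import codecs
import sqlite3


def rot13(text: str) -> str:
    """ROT13 shifts letters by 13; digits and punctuation (including ' and --) pass through."""
    return codecs.encode(text, "rot_13")


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge backend (assumption: schema is not shown
    in the write-up). The stored value is ROT13("s3cret"), so a user who types "s3cret"
    matches once the same transform is applied to their input."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (password TEXT)")
    conn.execute("INSERT INTO admins VALUES (?)", (rot13("s3cret"),))
    conn.commit()
    return conn


def debug_query(password: str) -> str:
    """The string-concatenated query the page reflects when debug=1 (the vulnerable pattern)."""
    return f"SELECT * FROM admins WHERE password = '{rot13(password)}'"


def vulnerable_login(conn: sqlite3.Connection, password: str) -> bool:
    """Builds SQL by concatenation. ROT13 only reshuffles letters, so a payload that was
    pre-shifted by the sender arrives as valid SQL and widens the WHERE clause."""
    try:
        rows = conn.execute(debug_query(password)).fetchall()
    except sqlite3.OperationalError:
        # An un-shifted payload ("' or 1=1 --") becomes "' be 1=1 --", which is a syntax
        # error. That is the only reason it "fails": the encoding is not a security control.
        return False
    return len(rows) > 0


def safe_login(conn: sqlite3.Connection, password: str) -> bool:
    """Same ROT13 step, but the value is bound as a parameter: quotes and comment markers
    are data, never SQL syntax, so the pre-shifted payload simply fails to match."""
    rows = conn.execute(
        "SELECT * FROM admins WHERE password = ?", (rot13(password),)
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    conn = make_db()
    print(debug_query("amsghimire"))  # the reflected query seen with debug=1
    for pw in ["s3cret", "' be 1=1 -- ", "' or 1=1 -- "]:
        print(f"{pw!r:16} vulnerable={vulnerable_login(conn, pw)} safe={safe_login(conn, pw)}")
```

The point for the defender is in safe_login: the fix is not a better cipher on the input but binding the value as a parameter, after which the ROT13 layer is harmless and irrelevant to injection.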
This was a simple CTF write-up where we covered a straightforward methodology to extract the flag.