Before anything else, I have to mention that this was the most interesting challenge, and so far my favorite in the web category, that I have ever done in a CTF :). I learned a lot.
Congrats to Br1ght-D4rk for this awesome task!
So here we go!
In order to get the flag, which was located directly on the server in /home, there are two steps to complete.
When we open the DarksTasks challenge, we see this:
Let’s now use curl and see if we get something interesting, either in the headers or in the source code.
Hmm… we can see a comment in the source code that looks like base64 encoding.
If we decode it, we obtain the following message:
Let’s now connect to this location: Th3-D4rk-T4sks
At this point, it’s obvious that we have to bypass the login form.
Once again, I launch my Python script and see if it gets any success 🙂
I have a function loginbruteforcer in my script which tries many SQL injection payloads: direct or in-band SQLi, blind SQLi, time-based SQLi, XPath, LDAP, …
So I chose one of the valid payloads and logged into the app to see what it looks like.
I noticed that the id of each task is base64 encoded.
So I tried manually fuzzing the id to see whether the id parameter was vulnerable to SQL injection.
I used IPython for that purpose and sent the same payload I had used to log into the app.
Well, it works! 🙂
Let’s provide the URL and the working payload to my script and dump the MySQL creds.
Once I got dark’s password hash, I googled quickly and found that the plaintext corresponding to the hash E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 is 123123.
We can now log into the Adminer panel.
NOTE: The path to the Adminer panel was found by looking at the robots.txt file.
For this second part of the challenge, the goal is to write the lib_mysqludf_sys shared module into the MySQL plugin directory, which on a Unix server is located at /usr/lib/mysql/plugin/.
lib_mysqludf_sys is a User Defined Function library that aims to interact with the operating system via the execution environment in which MySQL runs.
In a word, we will be able to execute system commands from the SQL shell.
So I compiled lib_mysqludf_sys. You can have a look at command-execution-with-mysql-udf if you want to do the same.
Then, in my IPython terminal:
After that, I executed these SQL commands:
select unhex('THE_HEX_ENCODED_VAL_OF_UDF') into dumpfile '/usr/lib/mysql/plugin/saxx.so';
CREATE FUNCTION sys_eval RETURNS string SONAME 'saxx.so';
Now that I have my UDF uploaded, I can execute system commands via the SQL injection.
Here is the final payload:
select sys_eval('cat /home/Th3_D@rk_S3cr3t/FL@g_Bala7.txt')
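From the defender's side, the whole second part leaves a distinctive trail in the MySQL general log: a file write into plugin_dir, a CREATE FUNCTION ... SONAME registration, and then sys_* calls. The following Python detector is an added example, not part of the original writeup, that scans a constructed sample of such log lines for that sequence. The plugin_dir path and the log line layout are assumptions; on a real server take plugin_dir from SHOW VARIABLES, and keep secure_file_priv set so INTO DUMPFILE cannot reach that directory at all.

```python
import re

# Constructed sample of MySQL general-log lines (not from the original post);
# layout mimics "<timestamp>\t<thread_id> <command>\t<argument>".
SAMPLE_LOG = """\
2024-01-01T10:00:01.000000Z\t   12 Query\tSELECT id, title FROM tasks WHERE id = 3
2024-01-01T10:00:02.000000Z\t   12 Query\tselect unhex('7f454c46...') into dumpfile '/usr/lib/mysql/plugin/saxx.so'
2024-01-01T10:00:03.000000Z\t   12 Query\tCREATE FUNCTION sys_eval RETURNS string SONAME 'saxx.so'
2024-01-01T10:00:04.000000Z\t   12 Query\tselect sys_eval('id')
2024-01-01T10:00:05.000000Z\t   13 Query\tSELECT * FROM tasks INTO OUTFILE '/tmp/export.csv'
"""

PLUGIN_DIR = "/usr/lib/mysql/plugin/"  # assumed; read plugin_dir from SHOW VARIABLES in practice

# Each rule: (name, compiled regex). Case-insensitive and tolerant of extra whitespace.
RULES = [
    ("file_write_to_plugin_dir",
     re.compile(r"into\s+(dumpfile|outfile)\s+'" + re.escape(PLUGIN_DIR), re.I)),
    ("udf_registration",
     re.compile(r"create\s+(or\s+replace\s+)?function\s+\w+\s+returns\s+\w+\s+soname", re.I)),
    ("udf_sys_call",
     re.compile(r"\bsys_(eval|exec|get|set)\s*\(", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+)\s+(?P<cmd>\w+)\t(?P<arg>.*)$")

def parse_line(line):
    """Split one general-log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def scan_log(text):
    """Return (thread_id, rule_name, statement) for every Query line that matches a rule."""
    hits = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["cmd"] != "Query":
            continue
        for name, rx in RULES:
            if rx.search(rec["arg"]):
                hits.append((int(rec["thread"]), name, rec["arg"]))
    return hits

def udf_load_chains(hits):
    """Thread ids that both wrote into plugin_dir and registered a UDF: the complete load sequence."""
    by_thread = {}
    for thread, name, _ in hits:
        by_thread.setdefault(thread, set()).add(name)
    return sorted(t for t, names in by_thread.items()
                  if {"file_write_to_plugin_dir", "udf_registration"} <= names)
```

The plain INTO OUTFILE export to /tmp on thread 13 is deliberately left unflagged: only writes aimed at plugin_dir are the signal here, which keeps the rule quiet on ordinary data exports.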
Flag : Th3_Gr3@t_7aMaDa
I hope that you’ve learned some stuff, like me! 😉
Once again, congrats to Br1ght-D4rk for this incredible task! It was very fun and very instructive!
Enjoy, folks 🙂