CTFtime.org

products manager

by aaditya_purani / UTC

Rating:

Products Manager

100 Points - 431 Solves

Come play with our products manager application!

http://challenges.fbctf.com:8087

Solution:

I downloaded the source code, and took a look into an interesting function validate_secret in add.php.

function validate_secret($secret) {
  if (strlen($secret) < 10) {
    return false;
  }
  $has_lowercase = false;
  $has_uppercase = false;
  $has_number = false;
  foreach (str_split($secret) as $ch) {
    if (ctype_lower($ch)) {
      $has_lowercase = true;
    } else if (ctype_upper($ch)) {
      $has_uppercase = true;
    } else if (is_numeric($ch)) {
      $has_number = true;
    }
  }
  return $has_lowercase && $has_uppercase && $has_number;
}

The secret shall be more than 10 bytes, and must have lowercase, uppercase and a number. Apart from that, there are multiple SQL queries - But they are santized properly by using prepared statements. A usual query looks like this

  check_errors($statement);
  $statement->bind_param("s", $name);
  check_errors($statement->execute());
  $res = $statement->get_result();

Although, prepared statements are known to be exploited if a variable name is passed directly into the query rather than ?. There are instances of previous CTFs with such vulnerability type before. But it was not the case here.

Looking more into other files, there is a comment section which lets us know what to read

/*
INSERT INTO products VALUES('facebook', sha256(....), 'FLAG_HERE');
INSERT INTO products VALUES('messenger', sha256(....), ....);
INSERT INTO products VALUES('instagram', sha256(....), ....);
INSERT INTO products VALUES('whatsapp', sha256(....), ....);
INSERT INTO products VALUES('oculus-rift', sha256(....), ....);
*/

The vulnerability here in the duplication validation. Hence, the idea is to pass facebook with some spaces appended to it such as resulting in a truncation attack. I have done a research on such attacks around 2014 which you can find in my blogpost as well for more depth into the subject.

facebook and we choose secret for instance knapKNAP1234 which satisfies the validate_secret check and description which whatever you may want to put and finally we can hover to /view.php and put the facebook and the secret we choose before and we get

Flag: fb{4774ck1n9_5q1_w17h0u7_1nj3c710n_15_4m421n9_:)}
Original writeup (https://github.com/utcoalition/Public-CTF-Writeups/tree/master/fbctf-2019/productsmanager).

Comments