PlaidCTF 2013 Writeup

PlaidCTF 2013 was a capture the flag tournament put on by the Plaid Parliament of Pwning and sponsored by ENDGAME. Unfortunately, I was unable to commit 100% to the CTF due to being under the weather and having family in town, but I figured I’d share what I solved. Most of the challenges were reverse engineering and forensics (not my strongest points), but it was fun nonetheless.

charsheet (Web - 150)

Problem: My friend is in my D&D campaign - could you get me his character name? He administrates this site. Or here (faster).

On the site, there is a RPG Web Profiler app that catalouges RPG characters and their campaigns. The goal is the find the user who admins the site.

That meant that I needed to find a listing of all users in the game. The problem is that users can choose whether or not to make their profile public (only about 45 at the time of completion did) so I had to find a way to either make users change their profile to public, of get a full listing of active users from the backend database.

At first, I signed into my profile and found a section where you could set your profile image from a file out on the web, so I figured why not try some CSRF? I inserted a URL that would set a user’s profile to “Public” and saved. As users would hit my profile, it would make their profile Public and anyone could access it.

profile_pic_uploader

The problem with this though was that I had to hope the admin user was live and would hit my profile. To make the likelihood of getting that admin user to give up their privacy, I changed my CSRF link to a URL that would transfer ownership of the account to me. Once I had compromised an account, I would change their profile picture to the CSRF that would make a user switch to “Public.”

captured_profiles

I quickly found that although effective, it would take a long time to complete so I started to explore other options.

I found a search field and tried a basic ” ’ Or 1=1-” on it and it threw an error! Woohoo!

sql_error

So now I knew that there was a vulnerable MySQL server running in the background. I tried my luck with a raw connection to the database, but no dice so I fired up sqlmap and got to work.

I pointed it at the site with the following string:

./sqlmap.py -u "http://54.234.77.50/search.php?type=contains&cname=1"

and compromised the database with the string:

type=contains&cname=1') UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,105,116,113,58),CHAR(79,71,65,69,80,88,106,99,66,67),CHAR(58,102,118,121,58)), NULL, NULL# AND ('kCbZ'='kCbZ
---

sql_compromise

So now all I had to do was run through the database, find the table I wanted and then dump it. Long story short, this was the syntax to do just that:

/sqlmap.py -u "http://54.234.77.50/search.php?type=contains&cname=1" -D "charsheet" -T "characters" --dump

This dumped a CSV file to the output folder and had three columns with names that could possibly be flags: cname, edited_by, and owner.

csv_of_users

I combined all of these columns into a file and then left only the unique ones in it with this command:

sort characters.txt | uniq -u

Finally, I pumped this list of about 120 entries to Burp Suite’s intruder, set it up to submit to the proper location, and started it. Within about 2 minutes the challenge was complete.

correct_flag_charsheet

Answer: r3al50ftwar3ftw

Unnnnlucky (Misc - 20)

Problem: Where does The Plague hide his money?

This is a reference to the movie Hackers (1995). Unfortunately, the only way to know the answer to this is to have watched the movie.

Answer: 03087-08351-27H