UAE National Cyber Security CTF 2018 – Writeup

Hello CTFs Players,
I’m GeneralEG from N3WB135_T34M

Today i will explain how to solve the web challenges of CyberTalents UAE Final Round 2018.

Well!
let’s start…

# The First Challenge
# Easy Message (50pts)

in index.php
you will find a login page
so let’s go to robots.txt
and Ooh $hit :

User-agent: *
Disallow: /?source

then let’s go to /?source

Woooot!! 😀 Amazing!

if ($user == base64_decode(‘Q3liZXItVGFsZW50’) && $pass == base64_decode(‘Q3liZXItVGFsZW50’)

Let’s decode base64.. tool:
https://codebeautify.org/base64-decode

… Done!
username and password=Cyber-Talent

Logged in!
let’s see what is going on!

I Have a Message For You

..-. .-.. .- –. -.–. .. -….- -.- -. —– .– -….- -.– —– ..- -….- .- .-. …– -….- — —– .-. … …– -.–.-

Cool it’s DOT DOT HASH “Morse”
let’s decode it! tool:
https://morsecode.scphillips.com/translator.html

Nice!

FLAG<KN>I-KN0W-Y0U-AR3-M0RS3)

Link:
http://ec2-35-164-4-176.us-west-2.compute.amazonaws.com/easymessage/

 

# The Second Challenge :
# Big Number (100pts)

Well,
what we have here!
it’s a login page needs a password.
let’s click in source to get the source!

Good!!

if (isset($_GET[‘password’])) {
if (is_numeric($_GET[‘password’])){
if (strlen($_GET[‘password’]) < 4){
if ($_GET[‘password’] > 999)
die($flag);

so we need a number
less than 4 digits
greater than 999
WTF! it’s Weird Math LOL!
But wait!!!
we know that PHP also understand hexadecimal 😀

so let’s convert decimal to hexadecimal
tool:
https://www.binaryhexconverter.com/decimal-to-hex-converter
results:
1000 = 3E8
Cool! it’s less than 4 digits and greater than 999 😀

Let’s login with our new password and Done!

FLAG{Yes_Y0u_C4n_Use_Exp0nentiaL}

Link:
http://ec2-35-164-4-176.us-west-2.compute.amazonaws.com/bignumber/

# The Third Challenge :
# Owls Blog (100pts)

Well,
We have a weird blog here!
with error:
Undefined index: search in /var/www/html/owls/index.php on line 12

cool we got the name of our page and our parameter!
index.php?search=

Let’s check the robots.txt

Cool!
User-agent: *
Disallow: git.phps

Let’s download this file and open it!

$search = $POST[‘search’];
if (!preg_match(‘/^-?[0-9a-z]+$/m’, $POST[“search”])) {

Interesting filter! with preg_match 😀

so let’s ask for help in Google ❤️
Gotcha!!! this function is vulnerable :”D

we can bypass it with \n let’s encode it
%0a
We are ready now to pwn it!

The Final Payload:
A%0a%27 UNION SELECT flag FROM flag #

Ooh Yeah! Done.

Flag{R3G3X_Ar3_NOT_GOOD_For_OW3ls}

Link:
view-source:ec2-35-164-4-176.us-west-2.compute.amazonaws.com/owls/

Best,
Youssef