
Hackvent 2019: Day 17


17 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 17 December 2019

Challenge

HV19.17 Unicode Portal

Solution

We visit the unicode portal and are presented with a very cool website:

We have to log in before we can view the symbols, source or admin page. We register an account (only a username and password are needed). Upon logging in we see a symbols page, a source page and an admin page. Upon accessing the admin page we are told "You need to be an admin in order to access this area!". The source page is unusual: it shows us the source code of the user.php page.

The source code is:

The source code shows that the register functionality can be exploited! We decide to work backwards from the isAdmin function.

The === comparison is strict and thus won’t be broken. The verifyCreds function sanitises input and simply selects a password from the database matching the username.
Therefore, in the end we know we must log in with the santa username, but we do not know its password.

In the registerUser method, however, we see that the password is updated ON DUPLICATE KEY! Great. But the isUsernameAvailable check is called before this, to stop us from just registering the username santa again and updating the password.

The key to this exploit is the usage of the LOWER and UPPER methods. We need to find some username input where LOWER("SANTA") = BINARY LOWER(username) and UPPER(username) = "SANTA".
We write a quick SQL query to test some inputs:

We run the following JavaScript in our browser to quickly check whether any character maps to a letter in santa when transformed to upper case. Luckily, we start with the letter S:

We get the following output:

Interestingly, the lowercase ſ character (U+017F : LATIN SMALL LETTER LONG S) is converted to an uppercase S (U+0053 : LATIN CAPITAL LETTER S).
Protip: Use this useful website to check unicode input easily.

Therefore, we try the input ſanta with our local query and the test passes! It bypasses the isUsernameAvailable check, and then in the registerUser method it triggers an ON DUPLICATE KEY on UPPER("ſanta"), which equals SANTA. Thus, we have overwritten the password for the santa user. Finally, we log in using santa as the username and the password we used before, and are authenticated!
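
The mismatch described above, as an added example (not the original post's script and not the challenge's user.php): it lists the non-ASCII characters that upper-case to each letter of SANTA, models a lower-case availability check against an upper-case key, and shows a hardened variant that derives one canonical key for both. The function names, the allowed-username pattern and the sample data are assumptions, and JavaScript's case mapping stands in for MySQL's.

```javascript
// Added example. JavaScript case mapping stands in for MySQL's LOWER()/UPPER(),
// whose exact results depend on the column's character set and collation.

// Non-ASCII BMP characters whose upper-case form is exactly the ASCII `letter`.
function upperCaseLookalikes(letter) {
  const hits = [];
  for (let cp = 0x80; cp <= 0xffff; cp++) {
    if (cp >= 0xd800 && cp <= 0xdfff) continue; // surrogates are not characters
    const ch = String.fromCharCode(cp);
    if (ch.toUpperCase() === letter) hits.push(ch);
  }
  return hits;
}

// Assumed model of the flawed flow: the availability check compares lower-case
// forms exactly, but the row is keyed on the upper-case form.
function flawedIsAvailable(existingKeys, name) {
  return !existingKeys.some((k) => k.toLowerCase() === name.toLowerCase());
}
function flawedStorageKey(name) {
  return name.toUpperCase();
}

// Hardened: derive ONE canonical key and use it for both the check and the row.
// NFKC folds compatibility characters (ſ becomes s); anything outside the
// allowed alphabet after folding is rejected (null).
function canonicalKey(name) {
  const folded = name.normalize('NFKC').toLowerCase();
  return /^[a-z0-9_]{3,32}$/.test(folded) ? folded : null;
}
function hardenedIsAvailable(existingKeys, name) {
  const key = canonicalKey(name);
  return key !== null && !existingKeys.some((k) => canonicalKey(k) === key);
}

const existing = ['SANTA'];     // constructed sample: keys already in the table
const candidate = '\u017fanta'; // the ſanta input from the write-up

console.log([...'SANT'].map((l) => [l, upperCaseLookalikes(l)]));
console.log('flawed check says available:', flawedIsAvailable(existing, candidate));
console.log('flawed key collides:', existing.includes(flawedStorageKey(candidate)));
console.log('hardened check says available:', hardenedIsAvailable(existing, candidate));
```

The same principle applies in the database: the uniqueness constraint and the availability query should both operate on the same stored canonical column.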

We visit the admin page and get our daily flag:

Flag:  HV19{h4v1ng_fun_w1th_un1c0d3}
