SIGSEGV1 Writeup - MD Auth
Let’s talk about the “MD Auth” challenge, I admit I started with this challenge thinking it would be about “Markdown”. I was wrong but it was nonetheless interesting to solve.
The source code of the index was available by requesting : http://finale-docker.rtfm.re:4444/?source
At first I tried to access the database with my browser by requesting finale-docker.rtfm.re:4444/mdauth.db, unfortunately that didn’t work. Let’s dig deeper into the source code. We want to authenticate on the Web Application, maybe we can do an SQL injection inside the following query.
In order to exploit this, we need to bypass the
escapeString function used for
md5 function is called with the second argument set to
true, meaning we will get a binary output instead of a hexadecimal one. We might be able to get a backslash in the binary output, but we need to know the
APP_SALT value in order to do our offline bruteforce. The author of the challenge was kind enough to provide a way to get this secret by misusing the
We can do a single failed attempt in order to get a cookie containing the md5(SALT+”1”), based on the comment in the code we know the SALT is between 0000000-9999999 (7-digit APP_SALT).
MD5:4322dfb1e9b20645594e9f3f6998845a which correspond to the following
PLAIN:86203711. We now have our APP_SALT value : 8620371. The following script will bruteforce the first 1000 numbers looking for a quote in the last char of the MD5 output.
In my first attempt, I was looking for a backslash “" in order to escape the single quote “’” from the query and use the login to complete the SQL injection.
It would have worked in a MySQL database, unfortunately we were in front of a SQLite one. The documentation and stackoverflow provided the useful information, escaping is done by doubling the quote.
I adjusted the script to check for a single quote and got the number
Now it’s just a simple SQL injection, by using the following credential i was able to extract interesting data.
I got the following users :
flaggy. Next step was to extract the flag from the database, it was located in the flag_field of the users.