SQLite Blind SQL Injection - HackTheBox Cyber Apocalypse CTF

Captions
Hello everybody, welcome back to another YouTube video. We're still looking at the Hack The Box Cyber Apocalypse CTF. I won't bore you with the details, let's go ahead and get right to it here. So I am opened up on the interface with a little Cyber Apocalypse and JH party. Let's take a look at that Emoji Voting challenge. So Emoji Voting looks like the challenge info here, it says "a place to vote your favorite and least favorite puny human emojis". Looks like it can be started on demand and does have a downloadable part, so let's go ahead and get the instance started, and once that's spun up we'll go ahead and grab that URL, open that up in a new tab so we can go ahead and poke at it. Give it just a moment and let's see if it comes to life here. Not seeing that one. Okay, now that that has finally come to life we can go ahead and download the little parts here, and I've got that downloaded, so let's go ahead and make a directory for emoji voting, hop over there, and let's move that downloaded file, webemojivoting.zip, over here, and let's go ahead and unzip that. So now we should have all the files.

Before we dive into these, actually, let's just take a quick gander at the Dockerfile to see where that flag might be stored. Not included as a file in the Dockerfile here. Let's check out the challenge files. We have a database maybe? Yeah, oh, there we go. Okay, so we are working Node, looks like we're looking in some JavaScript files, so a web interface kind of defined out in JavaScript with Node.js running server side. We have a flag randomness table, okay, so that's something we should take note of, and okay, there will be our flag, but there they have a placeholder, so we'll have to potentially get that somehow. Oh okay, here's some functionality. Looks like we can vote with queries to the database where we are updating the number of votes on an emoji. Okay, great, and that uses a parameterized kind of argument or parameter there, so that we can't actually really take advantage of or abuse this. The next function, getEmojis, has a "tude"; I'm assuming that's meant to be "to do", but I like "tude" a little bit better, I think I want to start using that from now on for comments: "to do, dude". Let's check what this is doing. It doesn't have parameterization, seemingly; yep, looks like it's just using the variable that would be passed in, so that potentially has some SQL injection here. But the query that it's using is a SELECT * FROM emojis ORDER BY clause. Now that actually throws a wrench in the works, because typically just dumping stuff from the database would be very easy to do when you use explicit SQL injection, in which case you can use maybe a UNION SELECT to add more to the query and display something else with the results you may have expected originally. ORDER BY might change the game for us a little bit, because we can't do any of those quick and easy OR 1=1 or UNION SELECT things and add in other things. We might have to change this to some blind SQL injection technique rather than an explicit, outright and direct SQL injection technique. So good to see those functions here.

Now let's kind of play with the website. So looks like I can vote on an emoji; human looks like the poop icon, okay. I can click on that and I can see the vote number going up here. I'm just going to open up my network tab and kind of view the tools with developer tools; I hit F12 on my keyboard. So if I click on that human one I can see these results or these requests coming through. Looks like I am submitting a POST request to /api/vote with the request headers, oh, and that request payload for the id. So putting that together, if we getEmojis, is that something that's going to end up happening? Our vote is this function that we can control with just the id by clicking things. How does this... oh, there are other calls that are happening here. List is just like popping up, it's adding another request, oh, like every couple seconds, now there's a 16th request. Looks like that is using the order; that list functionality looks like it maps to this getEmojis, and since this is kind of a little white box thing we could examine some of the other files here. Let's see what index.js is doing. Looks like this starts it up, but what is calling that kind of votes function, the emoji voting DB? Is that something that's... no, these aren't going to be in routes, are they going to be in views? Let's check out what that index page does. It loads in some other JavaScript, maybe this JavaScript calls it, that's out of static, so let's hop back to check out that static directory, javascript, main.js. Okay, yeah, this has this addEmojis functionality to get stuff from the database and display it out on the page, but getEmojis looks like a function that will reach out and fetch with a little POST request to this endpoint on the API. Okay, good to know. What kind of SQL are we working with? Oh, this is SQLite. I'm going back to the database.js, so you can see we're using SQLite, so we need some SQLite syntax, all against this potentially vulnerable list call.

So let's get started with maybe beating this thing up. I'm going to go ahead and create a little Python script where I can import requests, because I know I'm going to be doing some web stuff so I can request out pages. I will go ahead and post to the URL for this, actually we can define that as url, and then we'll go to that api/list, right? Yes, that is what this calls. Let's store that as a variable so we can go ahead and print out what that returns; I'll use that .text here. I'm just going to go ahead and try this, see what happens. Obviously we aren't passing anything to it, so it just tells me "hey, missing parameters". Good enough, so let's add in some data or parameters that we could supply. I'm using Sublime, sublack, or the Python Black linter right now, so when I save some of my characters might fly around, forgive me on that. But we know that we need the order to be... what are they, they use count as a field in the database here? Yeah, count will be the integer of how many votes this has. So using that, okay, now it displays it all with that response. But we need to do some injection here, so because we're in ORDER BY we can't sanely use like an OR 1=1, that logic just kind of doesn't make sense. I'm gonna use the comments here, the dash dash or the hyphen hyphen to note a SQL-like comment, but yeah, that SQL kind of just won't behave for us. Can we have like some nested queries? I'll add this DESC in here and we will ORDER BY, I guess, a string selecting out count, so this kind of becomes evaluated to count DESC for descending. That looks like it works. If I order that in a different way, does that behave? What other things can we order by, or other fields in here? name, I suppose. Did that order properly? I'm not positive. If I pipe that to jq, does it display it out? Kind of, but the count's a little wonky. But that's the same kind of response we had previously, isn't it? Let's order by id, maybe. That looks like the same kind of structure. How about name? Same kind of structure. emoji? Not all that helpful. Okay, how about ascending? Again no change. Did these quotes get in the way? Oh, that looked better, now name is ascending, it's a different order here. What if I did count descending? So we have kind of the original, good good good good, this count looks much better, because the count is going down in the results as I scroll up. But we could totally change that to id and now it's in that reverse order of ids. Okay, so we can use this nested thing; that was a little bit of troubleshooting, determined. Can I use some parentheses to note something else in here? Since we're using SQLite, and if we're going to get into some like blind injection techniques, we might have to do some boolean stuff, like figure things out if something is something else. So I want to Google like a SQLite IF statement sort of thing. I think CASE is the syntax for that.

CASE evaluates expressions and a list of conditions; it returns based on the result of the evaluation. The CASE expression is similar to if-then-else in other languages. So CASE something WHEN, is WHEN always necessary? How's this look, give me an example. So return out count maybe when a condition is met. Let's experiment with that. So the syntax would be CASE count WHEN 1=2, maybe, like some logic that we know will fail, THEN result one ELSE something else. count is already kind of the singular thing that I'm checking, though, that's weird to me. id, how about that? So on a false condition id should be what we descend. Something went wrong, what's going on? CASE of the CASE expression, hmm, maybe that needs to be like what it's evaluating out to. So CASE 1=2 WHEN that's true, like 1 being the evaluated true there, then count is going to be what we descend by, otherwise id. How about that? No. Does that need to be... here's some Stack Overflow goodness, let's see what we're doing. SELECT * CASE WHEN, oh, they don't even use like another condition in there, so WHEN 1, that should always return true, right? No. WHEN 1=1? Something went wrong. What's the issue there? Troubleshooting, troubleshooting, troubleshooting, that's what we do. That syntax is way broken. CASE WHEN something equals some condition THEN this END. Oh, does it need an END at the end? Oh my gosh, oh goodness, was that the problem all along? Oh, totally, okay. So, oh my goodness, I'm super sorry, I should learn to read. So WHEN 1=1 THEN descend by id; if we were to use a false condition, this ELSE will evaluate, right? So now we're descending by count. Okay, so we have some logic that we can determine here. Now we kind of want to determine if we can leak things out using this back and forth threshold of some true statement versus some false statement. So CASE WHEN, and let's try and grab some value. Well, let's do like a SELECT 1, that should still return ordered by id. Yeah. How can we kind of test on this, how can we kind of, I guess, return whatever comes following this? Can we select like a 1? No, hmm, that ORDER BY is still gonna just make it annoying, that's just going to be weird. I guess we'll use count and id as our threshold, something to verify we still have the logic in place. So id will be descending, so we can just check if the first element's id is 12; if it's not, then we know that we're in something else.

So now we need to try and determine some specific thing as part of something that might be in the database. Because we're in SQLite, I'm gonna go check out my own notes in my miscellaneous repository, because I have kind of a little cheat sheet, a SQL injection syntax cheat sheet, to leak out stuff. But we do know already a little bit of the structure, because we have this database here, so we know there's a flag random table, but we first need to know the full name of that flag table. So let's close out of these and then let's try and get maybe one column from a table. But we need to leak table names. In SQLite we can group_concat name from the sqlite table. Will this work for me now? That syntax will have all the tables displayed out, but we can only kind of verify one character at a time. Can I substring or something in SQLite? Looks like it; substring takes a string and a start and a length. So let's do substring on everything that might come from this, I think, and then 1 and 1, so start position can be 1, index can be 1, and we want to check if this is like the letter f, maybe, for flag. Which table will come first? I guess emojis would come first and then flag, like alphabetically, wouldn't it? So let's turn word wrap on. Maybe e. So let's check if we get count. Oh no, we broke something. What's the issue? We select from the substring with this whole thing as a string and, oh, this SELECT statement needs to be wrapped, right, because this is our... yes, I'm trying to understand my parentheses. This nested portion is the string that we pass into substring, this is the substring call, and this is the SELECT statement, and we're checking if that value that's returned is equal to e. Nope, still failing. Hmm, do I need that there? Let's use the single quotes again just to try it. Can I get a single character, maybe like SQLite char? No, no, I just want a character string composed of values in the ASCII table, so chr of... what would e be? I think I need to use ord for that in Python. 101. How about that: SELECT all of the names from the sqlite_master where the type is equal to table, and that string that's returned will still die. Feel like I'm getting mixed up in some parentheses here. CASE WHEN SELECT a substring of group_concat, is table, and those arguments get passed, check if that WHEN is equal to 101. That all seems fine. Maybe we don't need to concatenate things. Oh, how about that? WHEN, no. Oh okay, so now we're by id, so that had failed. Can we specify like f in that case? Yeah, that went by count now. Perfect, that's much better. Let's try to use the SELECT maybe, and let's specify that we want the name to be like the flag table. Oh, how about that, that's good. Now if I had the wrong letter for the start, now we're decreasing by id. Cool, okay, so that's a decent proof of concept for our boolean logic, finally.

Now, since we're just getting the name and checking it, we can determine maybe the position and kind of leak out the full name. So let's try a while loop. Let's get a list of leaked data; I'm gonna define that as a list here, and let's import string, I suppose, because we want to be able to loop through like every single kind of character. So let's do for character in string.printable. Let's just do a proof of concept. Let's get this, I'll take this here, and we want to get the position that we'll search at. We want the position to be the length of the leaked data so far, so when we were checking the first index, the first position, it would have been empty, so that I think should be plus one; our position needs to have a little offset there. So let's add an f-string portion so that our position can be filled in smartly based off the amount of leaked data that we have, and this character that we're trying should be the value of the character that we're looking at, character, right. Let's get the JSON data from that, I suppose, yeah, and then let's print j[0] to get the first item and just verify that this will kind of work for us. Maybe we don't need to pass that to jq anymore. Okay, so once we get to, ideally, a different letter, we should see a different response on one of these. So this looks like seemingly the first character that we would have leaked after that flag_ prefix, so 8, I'm assuming. So that will tell us that, okay, this is a true statement and everything else will be false. So we can check if this first index is equal to that response, and if it is, if that's a true response, then we will do leaked_data.append of that character that we're on, and then we'll stop this loop of those characters, right? So leaked data will now have a new position or new length, so that the position will be properly set and the character can iterate more. So while we're doing this, I suppose, let's print out an f-string, "trying character", let's actually try to join together our leaked data with the character being added on to it. I have nested double quotes inside it, so that probably wouldn't behave. So when we find 8, then we get a 2 following it, then we get an e and an f. Okay, I think this is carving it out for us. Amazing, we did it. Now how far will this go? Because we're looping forever we might not... I mean, we're not going to end, right? But because we've passed seemingly the hex values and we're going to end up looping through the entire... yeah, now we just died, because we actually ended up sending an ampersand and it didn't like it. So now we know our full flag table. Yeah, so I'm going to say flag, or I guess like table name, can be that string.

So now we need to select out a flag value. We know that we are going to be selecting the flag entry in the flag table, so we can change this: we can do flag as our substring from table name as we've just determined, and we don't need to use a WHERE clause anymore, or that AND, because that's the specific one that we want to look at. So let's try that. This might go for a while, but we can assume that a capital C is what we would like. Yeah, perfect. Okay, CHTB is kind of what we should end up getting. Perfect. I am going to add that start of that flag format in there and let's remove that print character here, so at that point we can just let it go and let it try and leak out the flag, right? Nice, all right, it's going. Took a little bit of troubleshooting, but I think we got it, everything set up. I will pause this recording, and now let us wait for this to leak everything out. Ooh, I got an error because of that ampersand in here, which I'm assuming might be doing some weirdness. So let's actually change up this loop, printable, or that pool of characters. Let's do string.printable.replace that ampersand with nothing. There we go, so that way we can remove that, and everything that we had found thus far I want to add into our leaked data, so we know that we can start where we left off. I think that'd be much better. Let's see if we get anything from that. I think we've got to cruise through the whole alphabet, but we'll see how we do. Oh, I'm stupid, I forgot to use this rather than the string.printable one. Let's try that again. Okay, it also doesn't like percent signs, which is, I suppose, understandable. Let's nerf that out just as well. Like, we're kind of finding our own bad characters here, nothing wrong with that. We know that we still have the proof of concept, so we'll just let it go. Also doesn't like dollar signs. Part of me wonders how many of these we'll go ahead and run into. If it's anything like any normal flag it might just have underscores in here separated by kind of words; I think that has been their flag format structure. So yeah, we're going to keep running into that issue, so let's change this up. Let's use string... let's actually add in opening curly braces and underscores, actually we should test for those at the end, so let's use string.ascii_lowercase and string.ascii_uppercase. Okay, so we need those, and let's add in the ending curly brace portion there. Now let's see how we do. Oh, underscore, right, that makes complete sense. "order me", nice, "order me this". I'll wait for this to go. All right, it has leaked out "order me this juicy info". Didn't get the underscore and didn't get anything past lowercase letters; looks like it did find that ending curly brace, so I'm thinking that's where we're at. I think our final flag is going to be CHTB order me this juicy info, and of course it'll keep trying stuff because of the while loop that we're in, that while True, but that looks like our flag, ladies and gentlemen. Let's go try and submit this guy, and there we go. All right, we did it, that challenge is over.

That was a blind SQL injection with an ORDER BY clause that kind of got in the way, so we wouldn't be able to use stuff like a UNION SELECT, like an AND or an OR, or other kind of comparison things. We kind of needed to use a nested query, using these parentheses to add another logic thing, that we pull down or select some data. And because we have a little bit of know-how as to what a SQLite database might look like, and because we have this specific white box description here of the schema of the database, that will allow us to kind of know better what we're looking for to find that flag table and then to get the actual flag value out of that table. So we did it, that's it. It took some Python scripting, it took a little bit of troubleshooting, took messing around, took me getting the syntax for a CASE WHEN statement right, but we finally finished it up. So, all right, hey, thanks so much for watching everybody. I hope that was good, I hope that was a fun one. I don't know, I think I've showcased a couple videos with SQL injection like this, or blind and boolean-based sort of injection where you just kind of toggle back and forth, but I think this was nice because the ORDER BY clause specifically I don't think we've seen before, but you can still kind of use the same technique where you just logically search for something in a nested operation. That's it, that's the end of the video, and that's all I might be able to showcase and cover for this one. But thank you so, so much for watching everybody, I hope you enjoyed this video. Hey, if you like these Hack The Box videos for the CTF, let me know, hopefully I can get a few more recorded and put out, but I've been having a good time with this and I hope you have just as well. Thanks again to Hack The Box for letting me do some of these, but we'll keep it cruising, we'll keep them going, I'll record something else real soon. Thanks again everybody, please do those YouTube algorithm things, would love if you could like the video, leave a comment, love if you could subscribe. Thank you, thank you, thank you. Let's tune out of this thing. Bye everybody, I love you, I'll see you in the next video.
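As an added example (not the challenge's own Node.js code; it is written in Python with the standard sqlite3 module rather than the app's JavaScript), here is the ORDER BY concatenation from getEmojis reproduced against an in-memory table, the CASE WHEN ordering oracle the video builds, and the allowlist fix that removes it. The emoji rows, the flag_placeholder table name and the flag value are all constructed for this example.

```python
import sqlite3

# Constructed sample rows (not the challenge's data): id, name, count.
CONSTRUCTED_EMOJIS = [(1, "smile", 5), (2, "poop", 12), (3, "alien", 7), (4, "wizard", 1)]


def make_db():
    """Build an in-memory stand-in for the challenge database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emojis (id INTEGER PRIMARY KEY, name TEXT, count INTEGER)")
    # Stand-in for the randomised flag_<...> table; name and value are made up here.
    conn.execute("CREATE TABLE flag_placeholder (flag TEXT)")
    conn.executemany("INSERT INTO emojis VALUES (?, ?, ?)", CONSTRUCTED_EMOJIS)
    conn.execute("INSERT INTO flag_placeholder VALUES ('CHTB{placeholder}')")
    conn.commit()
    return conn


def list_vulnerable(conn, order):
    """Mirrors the TODO'd getEmojis(): the ORDER BY value is interpolated as-is."""
    return [row[0] for row in conn.execute(f"SELECT id FROM emojis ORDER BY {order}")]


def oracle_payload(condition):
    """The video's trick: a true condition sorts by id, a false one by count,
    so the id of the first row returned reveals which branch ran."""
    return f"(CASE WHEN ({condition}) THEN id ELSE count END) DESC"


ALLOWED_COLUMNS = {"id", "name", "count"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def valid_order_params(column, direction):
    """ORDER BY cannot be bound as a query parameter, so allowlist it instead."""
    return column in ALLOWED_COLUMNS and direction.upper() in ALLOWED_DIRECTIONS


def list_hardened(conn, column, direction="DESC"):
    """Fixed endpoint: only allowlisted identifiers ever reach the SQL text."""
    if not valid_order_params(column, direction):
        raise ValueError("invalid order parameter")
    sql = f"SELECT id FROM emojis ORDER BY {column} {direction.upper()}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("normal:", list_vulnerable(db, "count DESC"))                     # [2, 3, 1, 4]
    print("true :", list_vulnerable(db, oracle_payload("1=1")))            # [4, 3, 2, 1]
    print("false:", list_vulnerable(db, oracle_payload("1=2")))            # [2, 3, 1, 4]
    probe = "(SELECT substr(name, 1, 1) FROM sqlite_master WHERE name LIKE 'flag%') = 'f'"
    print("schema probe:", list_vulnerable(db, oracle_payload(probe)))      # [4, 3, 2, 1]
    print("hardened:", list_hardened(db, "count"))                         # [2, 3, 1, 4]
    print("rejected:", valid_order_params(oracle_payload("1=1"), "DESC"))  # False
```

The allowlist is the fix to keep: the SQLite driver cannot parameterize an ORDER BY column, so the endpoint must choose the identifier itself rather than trust the request body.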
Info
Channel: John Hammond
Views: 69,195
Id: WmCioU9F2_8
Length: 35min 25sec (2125 seconds)
Published: Mon May 10 2021