CYBER WARGAMES 2023 Web Challenges Writeup

Ahmed Atef
Aug 6, 2023


This is a writeup for 4 challenges out of 7 (the qualification round).

Even though we solved the N1 challenge, I will not write about it, because it was my teammate who solved it.

Iniectio

The description of the challenge was in Latin and it was talking about some injection stuff, so let’s see what we can inject.

When you open the challenge link, it takes you to the “xchal.php” page with only a background image and nothing else: no “robots.txt”, no “sitemap” and no other endpoints. Here you need to start thinking about fuzzing some routes or parameters (not brute-forcing, just the common ones).

I found the parameter “name”, and the page prints “Hello {the value of the parameter}”. After trying “5*5”:

the output of xchal.php?name=5*5

Here I tried a double quote followed by a multi-line comment, and I got this error:

So I used the following payload to close the string inside the eval and execute my code:

";print_r(5*5); //

It worked and printed out “Hello 25”.

Note: “echo” didn’t work because it was filtered.

After executing the Linux “ls” command with:

";print_r(`ls`); //

I found “flag.php” and also found an “xchal.php~” file, which is a copy of “xchal.php”: it is the backup file an editor leaves behind while you are editing. After opening it:

So, to read the flag.php file without using tail, head or cat, I used:

";print_r(`nl flag.php`); //

Later on, “print_r” was added to “$dangerousFunctions”, so you can use “var_dump” instead.

Blind

Challenge Description: We all have five senses, but in the hacking world, you should have more than five, so feel what is around you and try to be a director.

After I registered with a username, email and password and then logged in:

You can see that there is a profile page to update the username, provided you enter the correct email and it really exists.

So after sending an empty username together with the same email I had used before, I got the following error:

So basically you can see that there is another SQL query in the dashboard page that selects your username and prints it, and there is also code that checks whether you are an admin or not.

After intercepting the request and injecting the username:

nonexistingusername' OR role='admin' #

I tried to guess column names like “isadmin”, “admin”, “id”, etc., and I found that “isadmin” is a real column, and so is “id”. At this moment the challenge code got updated: spaces and some keywords got filtered!

After handling the filtering and trying to select a username where “isadmin” is true or “id” equals 1, hoping that the very first user is an admin (or that anyone is), I got the flag!

randomusername'OorR`isadmin`=1;#
randomusername'OorR`id`=1;#

After reading the flag message (“mass assignment”) and talking with the author of the challenge about my solution, he told me this was the unintended one. After reading more about this vulnerability, it turned out that if you pass “admin=admin” along with the username and email parameters, it will work and you will get your flag!

Read more about mass assignment at: OWASP Mass Assignment Cheat Sheet
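As an added example (not the challenge’s code, which was never published), here is the profile-update logic the flag message points at, modelled in Python: a handler that copies every submitted field into the user record, next to a hardened one that only accepts an allowlist of user-editable fields and reports anything else so it can be logged. The field name “admin” and the record layout are assumptions taken from the writeup’s “admin=admin” parameter.

```python
ALLOWED_PROFILE_FIELDS = {"username"}  # the only field the profile page is meant to change

def make_user():
    # Constructed sample record for a freshly registered, non-admin user.
    return {"id": 7, "username": "ahmed", "email": "ahmed@example.com", "admin": "user"}

def update_profile_vulnerable(user, form):
    """Mass assignment: every submitted key is written straight into the record,
    so an extra form field such as admin=admin silently changes the role."""
    if form.get("email") != user["email"]:
        return user, "email does not match"
    for key, value in form.items():
        if key != "email":
            user[key] = value
    return user, "ok"

def update_profile_fixed(user, form):
    """Allowlist: only declared user-editable fields are copied; anything else is
    dropped and reported, so unexpected fields can be logged and alerted on."""
    if form.get("email") != user["email"]:
        return user, "email does not match"
    rejected = sorted(set(form) - ALLOWED_PROFILE_FIELDS - {"email"})
    for key in ALLOWED_PROFILE_FIELDS:
        if key in form:
            user[key] = form[key]
    return user, "ok" if not rejected else f"ignored fields: {rejected}"

def is_admin(user):
    # The role column is assumed to hold the string "admin" for administrators.
    return user.get("admin") == "admin"

if __name__ == "__main__":
    # The intended solve from the writeup: username + own email + admin=admin.
    form = {"username": "ahmed", "email": "ahmed@example.com", "admin": "admin"}
    print(is_admin(update_profile_vulnerable(make_user(), form)[0]))  # True
    print(is_admin(update_profile_fixed(make_user(), form)[0]))       # False
```

The same rule applies to any ORM-style `update(**request.form)` call: role and ownership columns must never be settable from the request at all.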

Father’s Light

Challenge Description: Enter the enigmatic realm of “Father of Light”. Unleash your skills, explore hidden paths, and uncover the depths of mysterious creations. Will you emerge as the champion? Dare to unravel the enigma.

Here I tried SQL injection but it didn’t work, and after some tests with default credentials I was able to log in with username “admin” and password “password”.

I got redirected to the “/user” endpoint, and nothing there was important. Then I tried to fuzz some URLs and found the “/admin” and “/dashboard” endpoints, but I was redirected back to the login page, because I was logged in as a user, not an admin.

So I took the JWT token from the session and investigated the app headers: it was running with Flask (Python).

After some searching I found some tools that can crack Flask JWT tokens, so I tried to crack it with the rockyou wordlist to get the secret.

python bruteforce.py "JWT TOKEN" ~/Desktop/wordlist.txt

We got our secret! Now we can decode the JWT token, edit the values, re-encode it and be logged in as an admin.

python flask_session_cookie_manager3.py decode -c "JWT TOKEN" -s "secret"
python flask_session_cookie_manager3.py encode -t "EDITED COOKIE VALUE" -s "secret"

After replacing the JWT with the edited one, I was able to see the “/dashboard” endpoint, and it was a “posting page”. After trying to post something, it printed out the username and the content of the post.

So I tried an SSTI payload, “{{5*5}}”, and it worked:

And after using the following payload I got the flag:

{{config.get('flag')}}

SadQL

All you have in this challenge is this login page, nothing else. After trying some injections and default credentials, nothing worked.

The request submitted when you try to log in is:

email=admin&password=admin&submit=Login

So, after sending the email as an array (“email[]=admin”):

I got a valuable piece of information: the app uses the “addslashes” function.

After doing some research, you will find out that “addslashes” can be bypassed with “%bf” and “%af”. So, to escape the single quote, our payload will be: “%bf%5C%27”.

After adding “or (1=1) #” to it, I got a SQL syntax error:

From this error you can see that there is a filter for spaces and for the keyword “or”.

To get past the “or” filter I used “OorR” (the filter removes “or” once, which leaves “OR”), and for the spaces you can use /**/ or parentheses, with a semicolon at the end.

admin%bf%5C%27OorR/**/1!=2;#
