Challenge - Week 14

Can you hack Bjørn's super-secure system?

Bjørn Johansen claims he has built a super-secure system, and he has no faith that you will manage to get the flag out this time: https://uke-14.bouvet.dev/

Submit the correct answer (remember that the flag you are looking for follows the same format as usual, BVT{}) via this form, and post a suitable GIF or an emoji in the comment field on #bouvet-informerer to join the draw for a 🎁

You can find all previous solutions here.

The solution to this challenge was a very basic SQL injection, showing that all input always needs to be sanitized, and that the robust way to do that for SQL is to pass user values as bound parameters rather than concatenating them into the query string.

Solution

When visiting the link, we saw that whatever we passed as the id parameter would get fetched from the database. For example, if we sent abcd as the id, the website would tell us that it "Fetched abcd from the database".

One of the most famous payloads is a single quote, ', and that was all it took here. A lone quote terminates the string literal in the query, so an application that pastes the parameter straight into its SQL hands the database a malformed statement instead of a lookup for the literal value:
https://uke-14.bouvet.dev/?id=%27
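The bug reconstructed as an added example (this is not the challenge's actual source, which was never published): a hypothetical lookup that concatenates the id parameter into the SQL text, beside the parameterized version. The table, rows and column names are constructed for the illustration; the fix shown is the standard one, bound parameters.

```python
import sqlite3


# Constructed test data for the illustration: the real challenge backend is unknown.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id TEXT PRIMARY KEY, value TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [("abcd", "public item"), ("hidden", "row the caller was not meant to read")],
    )
    conn.commit()
    return conn


def fetch_vulnerable(conn: sqlite3.Connection, user_id: str) -> dict:
    """Challenge-style bug: the id parameter is pasted straight into the SQL text.

    A single quote ends the string literal early, so the database sees a malformed
    statement; an app that echoes database errors hands them to the caller, and a
    payload such as ' OR '1'='1 turns the lookup into a dump of every row.
    """
    query = f"SELECT id, value FROM items WHERE id = '{user_id}'"
    try:
        rows = conn.execute(query).fetchall()
        return {"query": query, "rows": rows, "error": None}
    except sqlite3.Error as exc:
        return {"query": query, "rows": [], "error": str(exc)}


def fetch_parameterized(conn: sqlite3.Connection, user_id: str) -> dict:
    """The fix: the value is bound as a parameter and never interpreted as SQL."""
    query = "SELECT id, value FROM items WHERE id = ?"
    rows = conn.execute(query, (user_id,)).fetchall()
    return {"query": query, "rows": rows, "error": None}


if __name__ == "__main__":
    db = setup_db()
    for payload in ["abcd", "'", "' OR '1'='1"]:
        print("vulnerable:   ", repr(payload), fetch_vulnerable(db, payload))
        print("parameterized:", repr(payload), fetch_parameterized(db, payload))
```

With the vulnerable function a lone quote produces a syntax error from the database, and ' OR '1'='1 returns both rows; with bound parameters both payloads are simply ids that do not exist and return nothing.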

Honorable mentions

We saw a few pretty funny ideas. The best one:

/?id=iVBORw0KGgoAAAANSUhEUgAAACgAAAAeCAQAAAD01JRWAAABN0lEQVR42mNgGAWjYNiDHAYrOIkA/gzridK9g0EdXWgZAxOcJM1AS4Zehv8IA9cz9ANJIYZpUNKa4TBY3BxMQwzUZngC5DMw2DGcZ3jBsBKoDhmUMUxn+AYxUA2sWBlIxjN4QklMA2UY7jN4A9nCDO8ZbBhYgO7ZhOHK5+heXszADiXRDTzAcIVhPlgkkWEXmBZn+M3Ai91ANiiXC6wFQsIMtIAa+J9hAsMnBkkgu57hNcNlKJRkSGa4DYShqAbCuEEMEXDSmuEoWCwBaiDIVfMZ5gLJDIZZYBkWtJSAZGA8EGsyKAKV8wFZEFIXGMCyDBwMe5EiRQroRn1gWL4AupuNoZlhHy4DWcCxPBGYWEDsZWApRoYuhkcMZxhikQwEeXc3kPRmuAqMmN0M8oQjZRSMglEwdAEApo1TPo8MUVsAAAAASUVORK5CYII=

Which, if decoded from base64 to a file, contains the following:

.PNG........IHDR...(....
........V...7IDATx.c`...
`....+8.........A.]h....
$.@K.^.....3..I!.iP...0X
..LC..fx..30.1.gx.......
1Lg..1P..X.H.3xBIL.e..3x
......l.X........^^...%.
.<.p.a>X$.a...g.....@6(.
...B.......a..'.I ...5.e
(.dHf........A..p...(X,.
j .U.......Y`.....d`<.k2
(....Y.R.......{."E..F}`
X.......a...Y..<..X@.e`)

Hmm, a .PNG file? 🤔 What's that?!

Ah right: since we have no idea how the CMS for our intranet works, we forgot that little piece from last week's puzzle there. Sorry! But thanks for the laugh!
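A quick way to confirm what such a blob is without trusting anyone's word for it: decode it and identify it from its own bytes. This added example (not from the original post) base64-decodes the exact id value submitted above, checks the PNG signature, walks the chunk list with CRC verification and reads the IHDR header; the header says it is a 40×30, 8-bit greyscale-with-alpha image. The function names are mine.

```python
import base64
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# The ?id= value exactly as it was submitted (copied from the write-up above).
SUBMITTED_ID = "iVBORw0KGgoAAAANSUhEUgAAACgAAAAeCAQAAAD01JRWAAABN0lEQVR42mNgGAWjYNiDHAYrOIkA/gzridK9g0EdXWgZAxOcJM1AS4Zehv8IA9cz9ANJIYZpUNKa4TBY3BxMQwzUZngC5DMw2DGcZ3jBsBKoDhmUMUxn+AYxUA2sWBlIxjN4QklMA2UY7jN4A9nCDO8ZbBhYgO7ZhOHK5+heXszADiXRDTzAcIVhPlgkkWEXmBZn+M3Ai91ANiiXC6wFQsIMtIAa+J9hAsMnBkkgu57hNcNlKJRkSGa4DYShqAbCuEEMEXDSmuEoWCwBaiDIVfMZ5gLJDIZZYBkWtJSAZGA8EGsyKAKV8wFZEFIXGMCyDBwMe5EiRQroRn1gWL4AupuNoZlhHy4DWcCxPBGYWEDsZWApRoYuhkcMZxhikQwEeXc3kPRmuAqMmN0M8oQjZRSMglEwdAEApo1TPo8MUVsAAAAASUVORK5CYII="


def parse_png(data: bytes) -> dict:
    """Walk the PNG chunk list and return header fields plus integrity checks.

    Raises ValueError if the signature is wrong, so the caller learns the file
    type from the bytes rather than from a filename or a claim.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: signature mismatch")
    info = {"chunks": [], "crc_ok": True, "idat_raw_len": None}
    idat = b""
    pos = len(PNG_SIGNATURE)
    # Each chunk: 4-byte big-endian length, 4-byte type, data, 4-byte CRC over type+data.
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            break  # truncated chunk: stop rather than read past the buffer
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + body) != crc:
            info["crc_ok"] = False
        info["chunks"].append(ctype.decode("ascii"))
        if ctype == b"IHDR":
            width, height, depth, colour, _comp, _filt, _interlace = struct.unpack(">IIBBBBB", body)
            info.update(width=width, height=height, bit_depth=depth, colour_type=colour)
        elif ctype == b"IDAT":
            idat += body
        pos = end
        if ctype == b"IEND":
            break
    try:
        # Raw scanline bytes; for colour type 4 at 8 bits that is
        # height * (1 filter byte + 2 bytes per pixel * width).
        info["idat_raw_len"] = len(zlib.decompress(idat))
    except zlib.error:
        pass  # corrupt or incomplete image data; header fields are still reported
    return info


def identify_submission(value: str) -> dict:
    """Decode a base64 ?id= value and identify it by its bytes."""
    raw = base64.b64decode(value, validate=True)
    return parse_png(raw)


if __name__ == "__main__":
    print(identify_submission(SUBMITTED_ID))
```

The same signature-first check is what you want anywhere a user-supplied blob is accepted as an image: decide the type from the magic bytes and header, not from the extension or the Content-Type the client sent.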

?id=BVT{}

Sorry, no flag.

?id=****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************SELECT%20*

We wondered what you were trying to achieve with this one; if it was to get us to manually count all those 5900 asterisks before the SELECT, you succeeded!

?id=/-./../../../../../../../..flag

LFI (local file inclusion, here attempted via a path-traversal string) is another common vulnerability; thanks for the inspiration, we might make a challenge about that later!

The flag

BVT{ThouShallSanitizeAllInput}