Quarantine Web Challenges

Quarantine

Web [200pts]

Description: See if you can get access to an account on the webapp.

So starting off on the main page, we see a login page and an inaccessible Admin and Register page. When trying to log in, an “Invalid username / password” message appears.

Trying the generic SQL injection: lmao’ or 1=1 — for the username gives us a message: “Attempting to login as more than one user!??”

So we try testing our UNION SELECT payloads. Trying this payload:

lmao’ UNION SELECT 1,2,3 — allows us to log in, indicating there are three columns here.

Quarantine – Hidden Information

Web [150pts]

Description: We think there’s a file they don’t want people to see hidden somewhere! See if you can find it, it’s gotta be on their webapp somewhere…

This challenge takes place within the same web server as all the other Quarantine based ones. So, looking at robots.txt gives us:

When navigating to /admin-stash, we see our flag.

Quarantine – Finding server information

Web [350pts]

Description: See if you can find the source, we think it’s called app.py

Using the same login credentials as Quarantine (See above), we are able to log in and view the /videos page. Clicking on a video will show an mp4 being rendered on the page.

Our goal is to find the app.py file somewhere within this application. So trying out some random values for /watch/[input] gives a server error. When we try /watch/app.py, we see that it does not give an error and that there is no video showing.

Checking the page source, we receive our flag:

Quarantine – Getting admin

Web [300pts]

In this challenge, after logging in using the above credentials, we are unable to access the /admin page but are given cookies.

It turns our the cookies are HS256 and there is a well-known vulnerability for JWTs. We can simply turn out cookie algorithm from “HS256” to “None” and upgrade the privilege from 1 to anything higher, granting us access to /admin.

Doing so and pasting our new cookie, we are able to go to /admin and get our flag:

I did find an (unintended) solution for this as well, using the login credentials as: admin’ union select 1,2,3,4 — , I was able to log in as well as navigate to the /admin page. When checking the cookie, it seems that the privilege was 4, indicating that I manipulated that column through injection.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s