Drobots
Write Up For HTB Cyber Apocalypse CTF 2023 Web challenge Drobots
Pandora’s latest mission as part of her reconnaissance training is to infiltrate the Drobots firm that was suspected of engaging in illegal activities. Can you help pandora with this task?
Overview
Welcome! In this blog post, we’ll explore a fun challenge called Drobots, where you’ll help Pandora infiltrate the Drobots firm suspected of engaging in illegal activities. We’ll walk through the source code, understand the vulnerabilities, and exploit them to retrieve the flag. Let’s get started!
Understanding the Source Code
To begin, let’s examine the source code provided to us. The code is divided into different files, and we’ll focus on the key files that will help us understand the vulnerabilities and exploit them.
Database Setup:
The first file we encounter is entrypoint.sh, which sets up the database and inserts an admin user with a randomly generated password. Here’s a snippet from the code:
1
2
3
4
5
6
7
8
9
10
11
CREATE DATABASE drobots;
CREATE TABLE drobots.users (
id INTEGER PRIMARY KEY AUTO_INCREMENT,
username varchar(255) NOT NULL UNIQUE,
password varchar(255) NOT NULL
);
INSERT INTO drobots.users (username, password) VALUES ('admin', '$(genPass)');
CREATE USER 'user'@'localhost' IDENTIFIED BY 'M@k3l@R!d3s$';
GRANT SELECT, INSERT, UPDATE ON drobots.users TO 'user'@'localhost';
FLUSH PRIVILEGES;
EOF
This code creates a database called drobots and a table called users to store user information. It inserts an admin user with a randomly generated password. We’ll need this information to log in later.
Flag Location
Next, let’s take a look at routes.py, specifically the /home route, where we can find the flag. Here’s the relevant part:
1
2
3
4
@web.route('/home')
@isAuthenticated
def home():
return render_template('home.html', flag=flag)
In this code snippet, we see that the /home route is protected by an isAuthenticated decorator. This means we need to log in to access the flag. Once authenticated, the home.html template is rendered, and the flag is passed as a variable.
SQL Injection Vulnerability
The exact file location for this section might be wrong. Please use the find feature in VS code or similar IDE/text editor to find the exact location of this query.
The login functionality in routes.py contains a significant vulnerability: it’s susceptible to SQL injection. Here’s the relevant code snippet:
1
2
3
# We should update our code base and use techniques like parameterization to avoid SQL Injection
user = query_db(f'SELECT password FROM users WHERE username = "{username}" AND password = "{password}" ', one=True)
In this snippet, we can observe that the username and password values are directly interpolated into the SQL query string. This allows an attacker to manipulate the query by injecting SQL code. Our goal is to exploit this vulnerability to bypass the login and retrieve the flag.
Exploiting the Vulnerability
Now that we understand the vulnerabilities present in the code, it’s time to exploit them and retrieve the flag. The following steps outline the process:
- Craft the payload: We need to construct a payload that exploits the SQL injection vulnerability. In this case, we can use the following payload as the password:
1
" OR 1=1; --
- Send the payload: We’ll use a tool like Burp Suite to send the payload to the server. The payload will be sent as a JSON object in the login request (
POST /api/login HTTP/1.1). Here’s an example of the payload:
1
{"username":"admin' --","password":"\" OR 1=1; --"}
Retrieve the flag: With the payload sent, the SQL injection will bypass the login and grant us access. We can then navigate to the
/homeroute, which will render thehome.htmltemplate and reveal the flag.Flag retrieval: After successful exploitation, we can find the flag in the rendered
home.htmltemplate. The flag for this challenge is:
1
HTB{p4r4m3t3r1z4t10n_1s_1mp0rt4nt!!!}
Review
The Drobots challenge provides a perfect opportunity for beginners to learn about SQL injection. By examining the source code and understanding the vulnerabilities, we were able to exploit the SQL injection vulnerability and retrieve the flag. It is essential to always read the comments and analyze the source code thoroughly to identify potential vulnerabilities.
Remember, SQL injection is a prevalent vulnerability that can lead to unauthorized access and data breaches. As a developer, it’s crucial to employ best practices like parameterization to prevent SQL injection attacks.
I hope this beginner’s guide has given you a solid foundation in understanding and exploiting SQL injection vulnerabilities. Stay curious, keep learning, and continue exploring the exciting world of cybersecurity!