PlaidCTF 2022 Amongst Ourselves: Shipmate writeup

An interesting oneamongstA synthesis of the game as the backgroundctf题目,比赛时候webAlmost out,以webRe-read and understand the question from the perspective of the hand.

PPP is proud to announce a completely original, platform-exclusive game for Plaidiverse! With novel socially deceptive mechanics, Amongst Ourselves has been recognized with the “Best-In-Class” and “Best Narrative Game” awards at the 2022 Plaidies℗℗℗ Game Awards. Available now at e-shops near you in the Plaidiverse!! 机翻：PPPProud to announce a completely original,Platform-specific games are plaaidiverse !With a novel social deception mechanism,《between Ourselves》获得了2022年Plaidies℗℗℗Game awards的“best class”和“最佳叙事游戏”奖.Available now at electronics stores near you!!

题目一共有5个flag,对应web,misc,pwn,re,crypto5Each direction has a sub-question.And the title gives the source code,可以在本地用docker起环境.

题目就是amongstThis game is the background,From the perspective of survivors5个小题,There is also a traitor perspective2But we don't have a lot of ideas or ideas.Survivors are thereamongstIn the game, you need to complete the mini-game to win,The topic is fixed5games and each game has a vulnerability,It can be obtained through loopholesflag.

Provide Credentials

Green starts teleporting wildly around The Shelld before suddenly disappearing. Meanwhile, Brown inspects the access logs on the ship’s computer to piece together a timeline of the murders. (Web.)

首先是web题,The title description is about the computer on the ship,Then this task is to give you an account password to enter,Once entered correctly, the task is completed.

But here because the incoming statement is spliced ​​into itsql语句,那么就可以sql注入.

Let's take a look at the given source code first,The query effect that the game itself wants to achieve is just,First of all he has three accounts,Then he will randomly give you one written on the right side of the game,The number you entered is the number he gave you,He will check to see if it is queried first1行信息,Then this line of informationidand what he wants you to checkid是不是一样,For example, he wants you to checkzuck这个id是1的用户,But your query returnsrandall这个id是2The line of information for the user,那么也是会报错的,Constructed in the backsqlWhen inquiring, you need to pay attention to this,

   //过滤部分
   // No sql injection
   username = username.replace("'", "''");
   password = password.replace("'", "''");

 	// Max length of username and password is 32
username = username.substring(0, 32);
password = password.substring(0, 32);

   pool.query<{ id: number; username: string }>(
     `SELECT id, username FROM users WHERE username = '${username}' AND password = '${password}'`
   )
     .then((result) => {
       if (this.complete) {
         throw new Error("Invalid state");
       }

       if (result.rowCount !== 1) {
         throw new Error("Invalid credentials");
       }

       if (result.rows[0].id !== this.credentials.id) {
         throw new Error("Invalid credentials");
       }

       this.complete = true;
       this.updatePlayers();
       player.pushUpdate(
         new GameUpdate.ProvideCredentialsResponse({
           success: true,
           message: `Successfully logged in as ${result.rows[0].username}`
         })
       );
     })
     .catch(() => {
       player.pushUpdate(
         new GameUpdate.ProvideCredentialsResponse({
           success: false,
           message: "Invalid credentials"
         })
       );
     });

那么sqlThe sentences are concatenatedusername和password的内容,然后sqlThe injected filter first replaces the quotes with two quotes,Then truncate the length32个字符,to limit the length,Splicing in againsql语句,Note this herepool.query,We can see that this database ispostgres.

一开始我的想法是,username:admin\,password:or 2>1 limit 1 #（这里passwordConstructing a true statement is actually not quite correct,即便\Quotes can be escaped,such a structuresql语句一定会返回usersThe first message of the table,But the game wants you to query not necessarily the first user,It is also possible to report an error,It should be queried using joint injectionflag这个表的flag字段,And the joint injection has just two fields, so the first field isidWe make him the user who wants us to queryid,Check the second fieldflag表的flag就可以了,This is just the structure I thought at the time）,将sql语句变成SELECT id, username FROM users WHERE username = 'admin\' AND password = 'or 2>1 limit 1 #',用\Escape the second quote,用#Comment out the last quotation mark,Then it becomes fromusersThis table is satisfiedusername ='admin\' AND password = ' or 2>1 limit 1 #'条件的结果,And there is a local environment to print to see what statement was executed,So after checking, this statement is indeed executed,But it just can't query something from the database,导致一直Invalid credentials,The query result is always empty,对于sqlThe statement error has always been strange to us, but nothing has been checked out.

后来xiaoyuThe principal did it,I just found out the reason for the errorpostgresql9Available in previous versions\进行转义,But the title is usedpostgres:13.6,在9之后的版本,\变成了普通字符,Want to escape characters with backslashes,Either prepend the string that needs to be escapedE,比如E'ek\'1ng',This turns the quotes into 'ek'1ng',But in the context of the subject we obviously can't,Another way is to escape single quotes with single quotes'ek''1ng',这样也可以得到'ek'1ng',But the question is not to replace the single quotes with two single quotes,We still can't enter a single quote to escape the following single quote？

Here you need to use the interception given by the title32character part,Because it is first to replace a single quote with two single quotes,然后再截取前32个字符,Then we just need to piece together31characters followed by a single quote at the end,After the single quote becomes two single quotes,33characters are truncated off the last one,to bypass the restriction on single quotes,Thus reaching and we want to escapeusernameThe purpose of the trailing single quote.

此时username为1234567890abcdef1234567890abcde',passwordWe can do whatever we wantsql语句了.

And the title gives the file to initialize the databaseinit.sql,

CREATE TABLE users (id serial primary key, username text, password text);
INSERT INTO users (username, password) VALUES ('zuck', 'hunter2');
INSERT INTO users (username, password) VALUES ('randall', 'correcthorsebatterystaple');
INSERT INTO users (username, password) VALUES ('richard', 'cowabunga');

CREATE TABLE flag (flag text);
INSERT INTO flag (flag) VALUES ('PCTF{SAMPLE_WEB_FLAG}');

CREATE USER amongst WITH PASSWORD 'amongst';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO amongst;

我们可以看到除了3a user and password to complete the game,还有一个flag表,flagThere is a field in the tableflag,flagThe value of is what we're taking.

So like above,Bypass the quotes and use union to inject the queryflag表,就可以得到flag辣.

1234567890abcdef1234567890abcde'

UNION SELECT 1, flag from flag--

填1,2还是3Depends on the user he wants you to queryid是几,不然会报错,The local environment is successfully connected.

Next, hit the remote environment,It was also successfully opened