
CTF CHALLENGES WRITE-UP
HANSAKA COSTA; TP048451 / APD2F2109CS(CYB)

MAY 13, 2022


CT126-3-2 / PRACTICAL CTF STRATEGIES
HANSAKA COSTA TP048451 CT126-3-2

Table of Contents
1. Introduction...................................................................................................................................2
2. PicoCTF Platform..........................................................................................................................3
3. Web Exploitation Challenges........................................................................................................5
3.1 CHALLENGE - SQLiLite.....................................................................................................5
3.2 CHALLENGE – Irish-Name-Repo 3...................................................................................10
4 Special Tools...............................................................................................................................16
4.1 Kali Linux + Curl.................................................................................................................16
4.2 Mozilla Firefox Inspector....................................................................................................17
5 Conclusion...................................................................................................................................18
6 References...................................................................................................................................19

1|Page

1. Introduction

Capture The Flag (CTF) cybersecurity games expose an individual to real-life cybersecurity
challenges and act as a great educator to students, amateurs and seasoned cybersecurity
professionals alike, in a fun atmosphere. The purpose of this assignment is to pick a specific
sub-branch of cybersecurity and successfully solve related CTF challenges and puzzles on any
CTF platform, while methodically documenting the process of capturing the flag. Web
Exploitation was selected as the CTF category for this assignment. It focuses on securing flags
hidden behind access gateways or within website resources, either by practically gaining
unauthorized access or by using tools to inspect the website's resources.

All CTF games documented in this report were hosted on PicoCTF platform.


2. PicoCTF Platform

Figure 1: PicoCTF Home page (PicoCTF - Home, 2022).

For this assignment, each of the three chosen web exploitation challenges (two challenges to
satisfy the requirements of this assignment and one extra challenge because it was fantastic
and would have been a shame to leave out of the report) was hosted on the PicoCTF platform.
Each challenge awards '300 points' upon successfully securing the flag, which is considered
'medium' difficulty.

The PicoCTF platform (figure 1) has been created and run by Carnegie Mellon University since
2013. The challenges are written by security and privacy experts at the university. The
platform consists of two areas: PicoCTF competitions and PicoGym.

PicoGym has six varieties of challenges. These are:

• Web Exploitation
• Cryptography
• Reverse Engineering
• Forensics
• General Skills
• Binary Exploitation

Figure 2: Web exploitation category of PicoCTF (Web Exploitation, 2022).

The Web Exploitation category (figure 2) of PicoCTF introduces the player to a plethora of
CTF challenges covering basic to advanced penetration of website resources, with the required
skill set ranging from inspection of website resources to SQL injection for the more
complicated challenges.


3. Web Exploitation Challenges

3.1 CHALLENGE - SQLiLite

Figure 3: SQLiLite web exploitation challenge found in PicoCTF (PicoCTF - SQLiLite, Web
Exploitation, 2022).

• Challenge Name: SQLiLite
• Challenge Category: Web Exploitation
• Challenge Difficulty: 300 points (medium)

The SQLiLite challenge (figure 3) by Mr. Mubarak Mikail focuses on gaining unauthorized
access through a secured access page (figure 5) to secure the flag. The hint provided (figure
4) suggests that the username is “admin”.


Figure 4: SQLiLite challenge "hints" (PicoCTF - SQLiLite, Web Exploitation, 2022).

Figure 5: A login page - objective is to bypass the secure filtering (PicoCTF - SQLiLite, Web
Exploitation, 2022).

Any random combination would give a “login failed” outcome (figure 6). In the following
attempt, “admin” was used as the username and password.

Figure 6: Login failed for incorrect password (PicoCTF - SQLiLite, Web Exploitation, 2022).


After investigating the code for hard-coded passwords (figure 7), exploitable '.php' files or
any exploitable cookies, and finding no such vulnerabilities, SQL injection was used to
manipulate the database into granting access.

Figure 7: SQLiLite secure login page html code viewed using 'Inspector' function – no
vulnerabilities (PicoCTF - SQLiLite, Web Exploitation, 2022).

Posting the login form with curl from Kali Linux, with the debug parameter set so that the
page returns the SQL query it builds, gives the following SQL query output (figure 8).

• curl https://saturn.picoctf.net:64609/login.php --data "password=test&debug=1"

Figure 8: Curl output for SQL injection test.


Judging by the SQL query received, there is nothing sophisticated about it, and a simple,
classic SQLi payload can be used to authenticate through the login page.

For SQL injection there are multiple ways of manipulating the database; it is simply a matter
of convincing the database that the password is correct, that every password matches, or
that the password should be ignored. For this challenge the following SQL fragment was
injected through the password field.

• ' OR '1'='1

This fragment, like many other SQLi payloads, relies on the fact that "1=1" is always true,
so the query reports the password as verified for the username entered (SQL Injection,
2022). The login attempt succeeded with the above payload (figure 9).

Figure 9: Successfully logged in (PicoCTF - SQLiLite, Web Exploitation, 2022).

Furthermore, the flag was hidden in the HTML code under a 'hidden' attribute (figure 10), and
300 points were awarded upon submitting it (figures 11-12).


Figure 10: Flag found in HTML code – using inspector (PicoCTF - SQLiLite, Web
Exploitation, 2022).

Figure 11: Submitting found flag for SQLiLite (PicoCTF - SQLiLite, Web Exploitation,
2022).

Figure 12: 300 points awarded (PicoCTF - SQLiLite, Web Exploitation, 2022).


3.2 CHALLENGE – Irish-Name-Repo 3

Figure 13: Irish-Name-Repo 3 challenge (Irish-Name-Repo 3, 2022).

• Challenge Name: Irish-Name-Repo 3
• Challenge Category: Web Exploitation
• Challenge Difficulty: 400 points (difficult)

Irish-Name-Repo 3 (figure 13), part of the Irish-Name-Repo series of web exploitation
challenges, much like SQLiLite, focuses on gaining access through a secured login page within
a seemingly normal website (figure 14). In this challenge, however, the username field has
been removed and the player is expected to log in as the "Admin" (figure 15).

The hint provided (figure 16), states that the passwords are encrypted.


Figure 14: Home page of Irish-Name-Repo 3 web page (Irish-Name-Repo 3, 2022).

Figure 15: Admin login page for Irish-Name-Repo 3 challenge (Irish-Name-Repo 3, 2022).

Figure 16: Hint for Irish-Name-Repo 3 (Irish-Name-Repo 3, 2022).


Upon inspecting the code (figure 17) for hard-coded clues or vulnerabilities, the only clue is
"login.php", which holds the website-to-database connection and authentication code.

Figure 17: Source code for the web page – using inspector (Irish-Name-Repo 3, 2022).

The following basic SQL injection strings were entered as the password in the hope of
authenticating. However, as expected, all resulted in failure because the password is
encrypted (figure 18).

• 'OR'1'='1
• 'OR'1=1

Figure 18: All typical SQL injections lead to "Login failed" web page (Irish-Name-Repo 3,
2022).


Using the information gathered so far, curl in Kali Linux can be used to get a reaction from
the login page, together with the SQL query, to better understand how the database is
structured (figure 19).

• curl "https://jupiter.challenges.picoctf.org/problem/29132/login.php" --data "password=test&debug=1"

Figure 19: Curl output for the login.php - showing SQL query.

According to curl, the password "test" submitted to authenticate against the database was
translated to "grfg", through the encryption the hint of this challenge referred to. Both "t"s
in "test" became "g"s in exactly the same positions. This is why the previous SQL injections
did not work: the entered strings are translated by the encryption before they reach the
query.

Therefore, to understand what the SQL injection string would look like after being encrypted,
curl was used once again to inject the following payload (figure 20).

• 'OR'1'='1
• curl "https://jupiter.challenges.picoctf.org/problem/29132/login.php" --data "password='OR'1'='1--&debug=1"

Figure 20: SQLi conducted against the authentication page via curl.


As visible in the curl output, the string "OR" was encrypted into "BE". Therefore, for the
SQL injection to work, the password string should contain the following (figure 21):

• 'BE'1'='1
• curl "https://jupiter.challenges.picoctf.org/problem/29132/login.php" --data "password='BE'1'='1"

Figure 21: Flag secured using SQL injection.

The login page was successfully authenticated via SQL injection and the flag was secured
and the points were awarded upon submission of the flag (figures 21-23).

Figure 22: Submission of the secured flag (Irish-Name-Repo 3, 2022).


Figure 23: 400 points were awarded for the completion of the Irish-Name-Repo 3 challenge
(Irish-Name-Repo 3, 2022).
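The following Python is an added example, not the write-up's own code nor PicoCTF's. It models both login pages at once: the string-concatenated query that the debug output exposed in SQLiLite and in Irish-Name-Repo 3, the letter shift observed in the second challenge (test to grfg and OR to BE is ROT13), and the parameterised query that closes the hole in both cases. The users table, its sample row, and the exact query shape are constructed assumptions.

```python
import codecs
import sqlite3

# Constructed stand-in for the challenge database (not PicoCTF's data).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")


def rot13(s: str) -> str:
    """The shift seen in the write-up (test -> grfg, OR -> BE) is ROT13."""
    return codecs.encode(s, "rot_13")


def build_query(username: str, password: str, transform=str) -> str:
    """Model of what login.php's debug output exposed: the submitted password
    is transformed (identity for SQLiLite, ROT13 for Irish-Name-Repo 3) and
    then glued into the SQL text. The exact query shape is an assumption."""
    return (f"SELECT * FROM users WHERE name='{username}' "
            f"AND password='{transform(password)}'")


def login_vulnerable(username: str, password: str, transform=str) -> bool:
    """String-concatenated login. ' OR '1'='1 passes, but once ROT13 runs first
    it arrives as ' BE '1'='1 (a syntax error), which is why the write-up had
    to submit the pre-rotated text containing BE instead of OR."""
    try:
        row = conn.execute(build_query(username, password, transform)).fetchone()
    except sqlite3.Error:  # malformed SQL from a rotated payload: login failed
        return False
    return row is not None


def login_safe(username: str, password: str, transform=str) -> bool:
    """Fix: bind the password as a parameter so it can never become SQL.
    Transforming the input does not help; only the query structure matters."""
    row = conn.execute("SELECT * FROM users WHERE name=? AND password=?",
                       (username, transform(password))).fetchone()
    return row is not None


if __name__ == "__main__":
    print(build_query("admin", "' OR '1'='1"))              # the tautology query
    print(login_vulnerable("admin", "' OR '1'='1"))         # True: SQLiLite bypass
    print(login_vulnerable("admin", "' OR '1'='1", rot13))  # False: OR became BE
    print(login_vulnerable("admin", "' BE '1'='1", rot13))  # True: pre-rotated payload
    print(login_safe("admin", "' BE '1'='1", rot13))        # False: parameterised
```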

4 Special Tools


To successfully secure the flag in the above challenges, a few tools were used. These are:

4.1 Kali Linux + Curl

Figure 24: Kali Linux by Offensive Security (Kali Linux, 2022).

Kali Linux (figure 24) is a Debian-based Linux operating system with an arsenal of
cybersecurity tools, among which is Curl (figure 25) (KALI, 2022).

Figure 25: Curl (Baydan, 2017).

Curl is a powerful tool used for the purpose of automating the transfer of various types of
traffic and data to and from a server (Baydan, 2017).


4.2 Mozilla Firefox Inspector

Figure 26: Mozilla Firefox Inspector tool (Houser, 2018).

Mozilla Firefox's "Inspector" is used to examine the HTML and CSS code behind a website, and
it also allows remote debugging (Houser, 2018). It acts as the primary tool of every web
security specialist (Page Inspector, n.d.).

5 Conclusion


Given the evidence presented in the above web exploitation challenges, a simple misconfigured
database could clearly be the downfall of an organization's secure credentials. Furthermore,
insecure coding practices such as hard-coding passwords and leaving vulnerable cookies on a
website will allow hackers to gain easy access to web resources. With the development of
Web 2.0, and the eventual evolution to Web 3.0, most confidential resources across the globe
will be on the internet for hackers to exploit. Therefore, knowledge of web exploitation is
critical for cybersecurity students and general security enthusiasts. CTF Web Exploitation
challenges such as those documented in this write-up are the closest real-world experience
that can be gained while experimenting and learning in a safe and fun environment. These CTF
challenges build the hard skills and knowledge required to excel in cybersecurity and thereby
fashion better security experts for the future.

Furthermore, I would like to take a moment to thank my lecturer Ms. Yusnita Yusof for
taking the time to pass on such critical knowledge to us. As your last educational batch before
your retirement, I wholeheartedly appreciate your efforts and hope many other students too
get the opportunity to have a lecturer like yourself. I hope you have an amazing retirement.


6 References

Andy. (2014, July 19). php - what's the meaning of "admin" OR 1=1 -- '. Stack Overflow. https://stackoverflow.com/questions/24843689/whats-the-meaning-of-admin-or-1-1
David. (2022, May 11). CTFs. GitHub. https://github.com/Dvd848/CTFs/blob/master/2019_picoCTF/Irish-Name-Repo_3.md
Irish-Name-Repo 2. (2022). PicoCTF. https://play.picoctf.org/practice/challenge/59?category=1&originalEvent=1&page=1
Irish-Name-Repo 3. (2022). PicoCTF. https://play.picoctf.org/practice/challenge/8?category=1&originalEvent=1&page=1
Javanicus, Z. (2014, April 3). Login Bypass Using SQL Injection. Security Idiots. http://www.securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html
SQL Injection Cheat Sheet. (n.d.). Invicti Web Security Blog. Retrieved May 12, 2022, from https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/
SQLiLite. (2022). PicoCTF. https://play.picoctf.org/practice/challenge/304?category=1&originalEvent=70&page=1
Using SQL Injection to Bypass Authentication. (2022). PortSwigger. https://portswigger.net/support/using-sql-injection-to-bypass-authentication
W3Schools. (2019). SQL Injection. W3Schools. https://www.w3schools.com/sql/sql_injection.asp
Web Exploitation. (2022). PicoCTF. https://play.picoctf.org/practice?category=1&originalEvent=70&page=1
Baydan, I. (2017, February 6). Linux curl Command Tutorial. POFTUT. https://www.poftut.com/linux-curl-command-tutorial-examples/
Houser, C. (2018, May 16). How to Use the Firefox "Inspect Element" Tool to Examine a Site. Make Tech Easier. https://www.maketecheasier.com/firefox-inspect-element-tool/
Page Inspector — Firefox Source Docs documentation. (n.d.). Firefox Source Docs. Retrieved May 10, 2022, from https://firefox-source-docs.mozilla.org/devtools-user/page_inspector/
Our Most Advanced Penetration Testing Distribution, Ever. (2019, December 31). Kali.org. https://www.kali.org
