root💀senseicat:~#

Hack. Eat. Sleep. Repeat!!!

Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham

CHRONOS-CTF

Challenges

Web-:
Requests
ChatBot-v1
ChatBot-V2
Chatbot-v3
Extension

ChatBot-V1

I checked the source and noticed a minified js file.

I beautified the source code and read through it.The variable highlighted points to an hidden html file.

Devtools-:

Found the flag in the page-:CSCTF{r0le_manag3d_vi4_localStorage_1s_b4d}

ChatBot-v2

I checked the javascript and noticed the javascript code that the app uses to load conversations.The code uses hash type md5 to hash an integer and passes it to endpoint /load_conversation to load conversations.The code snippet is vulnerable to IDOR.The mode of creating IDs is weak and can easily be replicated leading to access to other users’ conversations.

unction loadConversation(conversationId) {
            currentConversationId = md5sum(conversationId.toString()); 
            fetch(`/load_conversation`, {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify({ conversation_id: currentConversationId })
            })
            .then(response => response.json())
            .then(data => {
                const chatBox = document.getElementById('chat-box');
                chatBox.innerHTML = ''; 

I generated md5 ids with python3.

>>> import hashlib
>>> for i in range(100): print(hashlib.md5(str(i).encode()).hexdigest())

Fuzzed with burpsuite and got the flag-:CSCTF{y0u_c4n7_h1d3_fr0m_1D0R}

Chatbot-v3

In this version, the dev has patched up the idor issue by generating guids/uuids.

But, it is vulnerable to sql injection.I tested based on True and False Statements to finalize that it is vulnerable to blind sqli injection.True statement reaction reveals the values of the identifier-:

It appears otherwise in the false statement-:

The sql injection is weird because I couldn’t read from columns and tables but I could call default functions like sqlite_version() but I was able to read the flag by matching for data(sender column) that starts with l.I was trying to match LazyTitan because that user seems to hold the flag for the chatbot challenges.The main idea is that the statement only allow you to read columsn only from that table.We can do that with the substr() sqlite3 function and then match characters with LIKE.Matching sender LazyTitan seems to spit out the flag but since we specified postion substr(sender,1,1), we’ll match only L.Payload-:

{"conversation_id":"e3354de4-b91b-4e9f-8e10-f0157210bfed' or substr(sender,1,1) like '%L%'--+"}

Flag-:CSCTF{H4ck3d_V14_SqL_1nj3ct10n}

Extension

I don’t get the idea behind this challenge but I guess it is browser escape.Maybe unintended or intended, this was how I solved it.We got presented with a vnc browser to solve the challenge.I couldn’t load the urls but I noticed that I could read the files with the file:/// protocol in the first tabs and not other tabs.

Now how can we spot important files to read, I noticed an importing bookmarks functinality that allows us to import bookmarks on firefox.I can use this to spot important files to read.

Then, click on other other files

I was able to get other important files to read.

The flag is located in /app/embed_flag.py-:

Flag-:CSCTF{1ntricat3_ext3nsi0n_wIth_m@LiciOu$_iNt3nt}