{"id":293,"date":"2019-01-17T06:04:21","date_gmt":"2019-01-17T06:04:21","guid":{"rendered":"https:\/\/mrjsec.co.uk\/blog\/?p=293"},"modified":"2019-01-17T06:04:23","modified_gmt":"2019-01-17T06:04:23","slug":"objective-6-badge-manipulation","status":"publish","type":"post","link":"https:\/\/mrjsec.co.uk\/blog\/objective-6-badge-manipulation\/","title":{"rendered":"
Objective 6: Badge Manipulation<\/center>"},"content":{"rendered":"\n

Objective 6 we need to bypass the authentication mechanism associated with the room near Pepper Minstix. A sample employee badge is available. What is the access control number revealed by the door authentication panel?<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

If we have already completed the Yule Log Analysis Cranberry Pi terminal challenge by Pepper Minstix, then we get this hint.
\n“All of the Kringle Castle employees have these cool cards with QR codes on them that give us access to restricted areas.
\nUnfortunately, the badge-scan-o-Matic said my account was disabled when I tried scanning my badge.
\nI needed access, so I tried scanning several QR codes I made from my phone, but the scanner kept saying “User Not Found”.
\nI researched a SQL database error from scanning a QR code with special characters in it and found it may contain an injection vulnerability.
\nI was going to try some variations I found on OWASP but decided to stop, so I don’t tick-off Alabaster.”<\/p>\n\n\n\n

Also, this hint link<\/a>.
As well as this link<\/a> to create a QR code.<\/p>\n\n\n\n

So, we need to unlock this door, and we have already had a sample of an employee badge. Of a very umm, sexy? Elif it seems.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

When we try to access the door, we see with this screen.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Let’s see what happens when we try to use the sample badge, and it only takes .png files! <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

So let’s open it in the paint (or you can use anything else) and save it as a .png file. Now we get.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

“Authorized User Account Has Been Disabled!” Dammm!
What if we use the Finger.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Nope, now we get “QR Code Not Found. Only QR Code and White Space may be visible!”<\/p>\n\n\n\n

If we were to run inspector mode within Firefox as we upload the same file again, we see a new record “upload”, and in the Params, we can look at some data\u2026 I guess it’s time for Burp Suite!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Also, this is what we get if we use the finger method.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

However, before we can use Burp Suite, we need to find a way on how to better access the Badge Scan-O-Matic 4000.
\nWithin Firefox inspector mode we can see there is a direct URL (Just like in Objective 3 De Bruijn Sequences)
\n“https:\/\/scanomatic.kringlecastle.com\/index.html?challenge=qrcode”<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Ah, so much better!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

So, from the hints, it’s all aiming towards an SQLI (SQL injection), and the URL doesn’t give much here, “https:\/\/scanomatic.kringlecastle.com\/index.html?challenge=qrcode” So, it has to be something with the Badge Scan-O-Matic 4000!
Sending the .png again but with Burp Suite open, we can see this.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Let’s tidy this up, as we don’t need the PNG data here. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Much better! Now, we need to get a successful SQLI working\u2026\u2026\u2026
Right, so the Scan-O-Matic 4000, accepts QR codes in PNG and reads them\u2026 There is no SQLI within the URL itself, so it’s within the Scan-O-Matic 4000 itself, And we get a link on creating our barcodes\u2026 I wonder what would happen if I was to make one with just the (‘) inside of it, and then uploaded it.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

Moreover, we have a successful SQLI! <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
 \"{\"data\":\"EXCEPTION AT (LINE 96 \\\"user_info = query(\\\"SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = '{}' LIMIT 1\\\".format(uid))\\\"): (1064, u\\\"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '''' LIMIT 1' at line 1\\\")\",\"request\":false}\" <\/code><\/pre>\n\n\n\n
Let’s look at this “error” more clearly “SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = ‘{}’ LIMIT 1” The injection point is here (AND uid = ‘{}’).
\nSo the server will normally run this SQL query “SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = ‘{}’ LIMIT 1”
\nlet’s change this and inject (‘ OR enabled#) Then the server runs the query like this “SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = ‘ OR enabled#’ LIMIT 1”
\nWhy will this work? Well in most common programming languages the # is read as a comment, and the server\/computer not run anything after the #. It’s mainly for users to read what others have done, or what needs to get done.
\nSo now the server reads it as “SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = ” OR enabled”(Like the # and anything after that won’t be read by the computer).
\nWhich will now authorized “authorized = 1” and enabled the user “uid = ” OR enabled)<\/p>\n\n\n\n
Now we know what to do, we need to create another QR code PNG and get our answer!
\n<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
Moreover, We got our Control number 19880715!<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
 ({\"data\":\"User Access Granted - Control number 19880715\",\"request\":true,\"success\":{\"hash\":\"ff60055a84873cd7d75ce86cfaebd971ab90c86ff72d976ede0f5f04795e99eb\",\"resourceId\":\"false\"})) <\/code><\/pre>\n\n\n\n
Another one down!<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
Also, look whom we find here!
<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n","protected":false},"excerpt":{"rendered":"
Objective 6 we need to bypass the authentication mechanism associated with the room near Pepper Minstix. A sample employee badge is available. What is the access control number revealed by the door authentication panel? If…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[10],"tags":[13,14,12],"class_list":["post-293","post","type-post","status-publish","format-standard","hentry","category-kringlecon-2018","tag-13","tag-ctf","tag-kringlecon"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paD3U6-4J","_links":{"self":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=293"}],"version-history":[{"count":1,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/293\/revisions"}],"predecessor-version":[{"id":316,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/293\/revisions\/316"}],"wp:attachment":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}