This article is part 1 of a 10-part blog series detailing the approaches and solutions to hacking through Stripe’s 2012 CTF 2.0. To continue from the parent article, or see more hacks, please click here.
This blog entry details the approach used by Chad Harchar in attacking the Stripe CTF 2.0 Challenge Level 0.
For the first level, we are given a Secret Safe that stores secrets, including the one we need to advance to the second level. We are shown multiple text fields on the page, but the one we are most interested in is the field to retrieve your secrets.
Looking at the code, we see that there is a post method and a get method.
The post method invokes a SQL query:
'INSERT INTO secrets (key, secret) VALUES (? || "." || ?, ?)'
This stores a secret under a key that is built by concatenating two strings with a “.” between them.
The get method invokes a SQL query:
'SELECT * FROM secrets WHERE key LIKE ? || ".%"'
This gets every secret whose key begins with the given string followed by a “.”. The given string is concatenated into the LIKE pattern, so any wildcard it contains is interpreted as part of the pattern. Since the SQL wildcard “%” matches any string, if we pass the get method “%” we can retrieve the secret and continue to Level 1.
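The wildcard behaviour described above, reproduced against an in-memory SQLite database next to a lookup that escapes LIKE metacharacters. This is an added example, not code from the challenge or from the original post; the table layout, sample rows and function names (including the `namespace` parameter) are assumptions, and the SQL string literals use single quotes instead of the double quotes in the quoted queries.

```python
import sqlite3

def make_db():
    # Constructed sample data; the table layout is assumed from the two quoted queries.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE secrets (key TEXT, secret TEXT)")
    rows = [
        ("alice", "note", "alice-secret"),
        ("level01", "password", "constructed-flag"),
        ("a%b", "note", "percent-secret"),
    ]
    db.executemany(
        "INSERT INTO secrets (key, secret) VALUES (? || '.' || ?, ?)", rows
    )
    return db

def lookup_vulnerable(db, namespace):
    # Same shape as the get query above: binding the value stops SQL injection,
    # but the bound value is still interpreted as a LIKE pattern.
    sql = "SELECT key, secret FROM secrets WHERE key LIKE ? || '.%'"
    return db.execute(sql, (namespace,)).fetchall()

def escape_like(value, esc="\\"):
    # Escape the escape character first, then the two LIKE wildcards.
    for ch in (esc, "%", "_"):
        value = value.replace(ch, esc + ch)
    return value

def lookup_hardened(db, namespace):
    # ESCAPE makes "\%" and "\_" literal, so user input can only be a plain prefix.
    sql = "SELECT key, secret FROM secrets WHERE key LIKE ? || '.%' ESCAPE '\\'"
    return db.execute(sql, (escape_like(namespace),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "%", "a%b"):
        print(repr(name), "vulnerable:", lookup_vulnerable(db, name))
        print(repr(name), "hardened:  ", lookup_hardened(db, name))
```

SQLite's LIKE is case-insensitive for ASCII letters, so the hardened lookup still matches a prefix regardless of case; an equality comparison on a separate prefix column would be stricter.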
These solutions are presented as a unique approach to a recent CTF hacking contest as an outreach of the Credera Security Team. All ‘hacking’ was performed in an ethical manner in accordance with Credera’s Core Values. For further information on Credera’s offerings in ethical hacking, security, compliance, and OWASP preparedness please contact us at firstname.lastname@example.org