Skip to content

Objective #6: Badge Manipulation

Problem

Bypass the authentication mechanism associated with the room near Pepper Minstix. A sample employee badge is available . What is the access control number revealed by the door authentication panel? For hints on achieving this objective, please visit Pepper Minstix and help her with the Yule Log Analysis Cranberry Pi terminal challenge.

Hints

Pepper Minstix provides the following hint:

All of the Kringle Castle employees have these cool cards with QR codes on them that give us access to restricted areas.

Unfortunately, the badge-scan-o-matic said my account was disabled when I tried scanning my badge.

I really needed access so I tried scanning several QR codes I made from my phone but the scanner kept saying "User Not Found".

I researched a SQL database error from scanning a QR code with special characters in it and found it may contain an injection vulnerability.

I was going to try some variations I found on OWASP but decided to stop so I don't tick-off Alabaster.

Pepper Minstix also provides links for a website that generates QR codes https://www.the-qrcode-generator.com/ and a webpage from OWASP about SQL Injection https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF#Auth_Bypass

Solution

We're presented with a door badge reader that we can interact with by uploading images of QR codes.

Screenshot

Screenshot

Using an online QR decoder, we discover that Alabaster's badge decodes to a value of oRfjg5uGHmbduj2m. Since this value is probably handled by some backend database programming, we can test it for an injection flaw.

Add a SQL injection string to the original value and encode it into a QR code. 

oRfjg5uGHmbduj2m'--

When it's presented to the Scan-o-matic, here's what happens:

EXCEPTION AT (LINE 96 "user_info = query("SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = '{}' LIMIT 1".format(uid))"): (1064, u"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' LIMIT 1' at line 1")

This input produces an invalid SQL query on the backend that's exposed through the user interface. This is great, because it means less guesswork as to what's needed to create a successful injection string. Let's try to create a valid SQL query:

oRfjg5uGHmbduj2m' or '1'='1

Now we get:

Authorized User Account Has Been Disabled!

So the query is now valid, but the account that it matches it disabled. From the SQL query in the error message above, we can see that there is a column named "enabled". Maybe we can alter the SQL query in a way that forces that to a value of true.

oRfjg5uGHmbduj2m' or '1'='1' and enabled = '1

Now we're granted access, and can proceed into Santa's secret room:

User Access Granted - Control number 19880715

Answer: 19880715