Thursday, August 9, 2018

TJCTF - Ess Kyoo Ell Writeup

by Guilherme "k33r0k" Assmann

This challenge is interesting. At times it does not seem very realistic, but if you consider that developers keep trying to make everything more automatic, it fits this challenge perfectly!

At first it looked like a classic SQL injection for authentication bypass, so I tried some simple injections like 'or 1 = 1 # and derivatives.

But looking more closely, the application is trying to read from a password column that does not even seem to exist. If this were a bug, it probably would have been fixed; what is actually happening is that the parameters of the POST request are the columns!

By doing a simple test, we can confirm this:

So as not to confuse the parameter with its value, and to keep the injection in the parameter key, I encoded the = sign so that it would not cause confusion internally:

Well, it was clear that we were able to dump a user, but the description tells us that we need the IP of the admin, so what I did was try to look for the admin user through the injection…

Then the flag is tjctf{}
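
The root cause described above, POST parameter names used directly as column names, shown next to an allowlisted version. This is an added example, not code from the challenge or from the original post; the users table, its columns, the sample rows and both function names are assumptions constructed for illustration.

```python
import sqlite3

ALLOWED_COLUMNS = {"username", "email"}  # assumed set of searchable columns

def make_db():
    # Constructed sample data (documentation-range addresses).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT, ip_address TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.test", "192.0.2.10"),
        ("admin", "admin@example.test", "192.0.2.99"),
    ])
    return db

def lookup_vulnerable(db, form):
    # Every POST key is pasted into the SQL text as a column name;
    # only the values are bound, so the keys control the query structure.
    pairs = list(form.items())
    where = " AND ".join(f"{key} = ?" for key, _ in pairs)
    sql = f"SELECT username FROM users WHERE {where} ORDER BY rowid"
    return [row[0] for row in db.execute(sql, [v for _, v in pairs])]

def lookup_hardened(db, form):
    # Keys must match a fixed allowlist before they reach the SQL text.
    pairs = list(form.items())
    unknown = [key for key, _ in pairs if key not in ALLOWED_COLUMNS]
    if not pairs or unknown:
        raise ValueError(f"unexpected form fields: {unknown}")
    where = " AND ".join(f'"{key}" = ?' for key, _ in pairs)
    sql = f"SELECT username FROM users WHERE {where} ORDER BY rowid"
    return [row[0] for row in db.execute(sql, [v for _, v in pairs])]

if __name__ == "__main__":
    db = make_db()
    try:
        lookup_vulnerable(db, {"email": "alice@example.test", "password": "x"})
    except sqlite3.OperationalError as exc:
        print("vulnerable, unknown key:", exc)  # the missing-column symptom
    print("vulnerable, SQL in key:",
          lookup_vulnerable(db, {"1 = 1 OR email": "nobody"}))
    print("hardened, normal:", lookup_hardened(db, {"email": "alice@example.test"}))
    try:
        lookup_hardened(db, {"1 = 1 OR email": "nobody"})
    except ValueError as exc:
        print("hardened, SQL in key:", exc)
```

Binding the values with placeholders does not help when the keys are interpolated; the allowlist is what keeps request-controlled text out of the statement.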
