This one was really rewarding.
Challenge: The website isn’t really me much, but you can still get the admin password, right?
Hint: Sometimes an error message can be just as useful
So, the landing page looked like this:
Based on the description we know the username is admin so let’s focus on the password field.
Entering a single quote results in an error, great, there is a problem with the query, we know the syntax and it appears to be injectable.
' and 1=1-- results in an Incorrect Password.
' or 1=1-- results in an interesting message:
We were stuck here for a bit, but then one night got an idea based on these 2 pieces of information:
- We’re specifically looking for the Admin password
- We know the query for the password field, so let’s ask it specific questions about the password
The query we used moving forward was:
' or pass LIKE "%"-- which also gave the interesting message Login Functionality Not Complete. Flag is 63 characters
Note the use of the LIKE operator
Does the password start with…?
' or pass LIKE "a%"-- : Incorrect Password.
' or pass LIKE "b%"-- : Incorrect Password.
' or pass LIKE "n%"-- : Login Functionality Not Complete. Flag is 63 characters
' or pass LIKE "o%"-- : Incorrect Password.
Alright, now we’re getting somewhere. The first letter of the password is n
A bit of Go code, found on github, and a few POST requests later, 1,215 to be exact:
…and our flag is: not_all_errors_should_be_shown_fb83c582ee9b64d1f446cfd01702e7c5