Capture the Flag - No Eyes

Challenge: The website isn't really me much, but you can still get the admin password, right?

Hint: Sometimes an error message can be just as useful

This one was really rewarding.

So, the landing page looked like this:

landing page

Based on the description we assume the username is admin so let's focus on the password field.

Entering a single quote results in an error, great, there is a problem with the query, we know the syntax and it appears to be injectable.

sql error


' AND 1=1-- results in an Incorrect Password.

' OR 1=1-- results in an interesting message:

sql error

We were stuck here for a bit, but, one night I got an idea based on these 2 pieces of information:

  1. We're specifically looking for the admin password

  2. We know the query for the password field, so let's ask it specific questions about the password

The query we used moving forward was: ' OR pass LIKE "%"-- which also gave the interesting message:

Login Functionality Not Complete. Flag is 63 characters

Note the use of the LIKE operator

Does the password start with...?

  • ' or pass LIKE "a%"-- : Incorrect Password.
  • ' or pass LIKE "b%"-- : Incorrect Password.
  • ' or pass LIKE "n%"-- : Login Functionality Not Complete. Flag is 63 characters
  • ' or pass LIKE "o%"-- : Incorrect Password.

Alright, now we're getting somewhere. This is a blind SQL injection, we can't see the results of our queries, but, we can infer the results based on the error messages.

We know the password starts with n. Let's try the next character, and the next, and the next...

A bit of Go code and a few POST requests later (1,215 requests to be exact):

terminal solution

...we got the flag: