๐ŸŒ SQLiLite

A detailed write-up of the Web challenge 'SQLiLite' from PicoCTF - 2024

/images/PicoGym/PicoCTF-2024/SQLiLite/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

Category       Details           Additional Info
🏆 Event       PicoGym           Event Link
🔰 Category    Web 🌐
💎 Points                        Out of 500 total
⭐ Difficulty  🟡 Medium         Personal Rating: 0/10
👤 Author      Mubarak Mikail    Profile
🎮 Solves      22.058            solve rate
📅 Date        30-01-2025        PicoGym
🦾 Solved By   mH4ck3r0n3        Team:

๐Ÿ“ Challenge Information

Can you login to this website?

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

๐Ÿ” Initial Analysis

First Steps

Initially, the website appears as follows:

/images/PicoGym/PicoCTF-2024/SQLiLite/site_presentation.png
Site Presentation

with a login screen. Given the challenge name (SQLi against SQLite), the obvious candidate is SQL injection, and submitting username=' OR 1=1 -- - together with password=' OR 1=1 -- - logged me in and returned the flag straight away. Inspecting the page source also revealed a hidden form parameter, debug, set to 0 by default. With debug changed to 1, a login attempt that does not exploit the injection (any ordinary username and password) returns a debug page that prints the exact query the application built from the submitted values:

/images/PicoGym/PicoCTF-2024/SQLiLite/source.png
Page Source

In fact, submitting username=aa and password=aa with debug=1 produced the following page:

/images/PicoGym/PicoCTF-2024/SQLiLite/debug.png
Query

That is all the information we need; on to the exploit.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • SQL Injection

🎯 Solution Path

Exploitation Steps

Initial setup

To inject, we need input that breaks out of the string literal the application wraps around it and leaves behind a condition that is always true. The string ' OR 1=1 -- - does exactly that. As the last image in the Initial Analysis section shows, the application builds the query as SELECT * FROM users WHERE name='aa' AND password='aa', i.e. it selects every row of the users table whose name is aa and whose password is aa (the values I submitted for that request), with the user input pasted straight into the SQL text.

Sending the payload in both fields turns the query into: SELECT * FROM users WHERE name='' OR 1=1 -- -' AND password='' OR 1=1 -- -'. The leading quote in the payload closes the literal the application opened for name, so the condition now reads name='' OR 1=1, which is true for every row. Everything from -- to the end of the line is a comment in SQLite, so the quote the application appends after our input, and the whole AND password=... clause, are discarded instead of producing a syntax error (without the comment the extra, unmatched quote would break the statement). The query therefore returns every user, the application treats the login as successful, and the flag is shown.

Two details are worth noting. The payload in the password field is redundant: it only ever lands inside the commented-out tail, so any value would do there. And the trailing - in -- - is a habit carried over from MySQL, where -- starts a comment only when followed by whitespace; the extra character guarantees the comment survives even if trailing whitespace is stripped from the input. In SQLite a bare -- would also work.
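To make the mechanics concrete, here is an added example (not the challenge's own server code, which the page does not show; only the query shape echoed by the debug page is taken from it). It rebuilds the string-concatenated query against an in-memory SQLite database, echoes the query the way debug=1 does, and puts the parameterized fix beside it. The users table, its rows and the helper names are constructed for illustration.

```python
"""Vulnerable vs. parameterized login against an in-memory SQLite database.

Added example for this write-up, not the challenge's own server code: the page
only shows the query string the debug page reflected, so the users table, its
rows and the helper names here are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with two accounts; the passwords are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct horse battery staple", "admin"),
         ("guest", "guest", "user")],
    )
    return conn


def build_query(username: str, password: str) -> str:
    """The vulnerable construction, in the exact shape the debug page showed:
    user input is pasted into the SQL text between single quotes."""
    return f"SELECT * FROM users WHERE name='{username}' AND password='{password}'"


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str,
                     debug: bool = False):
    """Run the string-built query. Returns (rows, query_text_or_None), mirroring
    the challenge's debug=1 page that echoes the query. A syntax error (for
    instance a lone quote) surfaces as sqlite3.OperationalError."""
    query = build_query(username, password)
    rows = conn.execute(query).fetchall()
    return rows, (query if debug else None)


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: '?' placeholders bind the input as data, so a quote or a
    '--' inside it can never change the statement's structure."""
    return conn.execute(
        "SELECT * FROM users WHERE name=? AND password=?", (username, password)
    ).fetchall()


def breaks_syntax(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """True when the string-built query is not even valid SQL: this is what a
    lone quote does before the '-- -' comment is added to the payload."""
    try:
        vulnerable_login(conn, username, password)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 -- -"
    rows, query = vulnerable_login(db, payload, payload, debug=True)
    print(query)                              # the statement that actually ran
    print(rows)                               # every user: WHERE is always true
    print(safe_login(db, payload, payload))   # []: the payload is just a string
```

Running it shows the three states the write-up reasons about: a lone quote makes the statement unparseable, the full payload makes the WHERE clause true for every row (with the password clause sitting in the comment), and the parameterized version returns nothing because the payload is compared literally against the name column.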

Exploitation

The exploitation was simply based on sending the previously mentioned string as the username and password, allowing access and retrieving the flag.

Flag capture

/images/PicoGym/PicoCTF-2024/SQLiLite/manual_flag.png
Manual Flag

๐Ÿ› ๏ธ Exploitation Process

Approach

The exploit script performs the login with a single POST request carrying username=' OR 1=1 -- -, password=' OR 1=1 -- - and debug=0, which triggers the injection. It then reads the returned login page, extracts the flag with a regular expression matching the picoCTF{...} format, and prints it.

🚩 Flag Capture

Flag

picoCTF{L00k5_l1k3_y0u_solv3d_it_d3c660ac}

Proof of Execution

/images/PicoGym/PicoCTF-2024/SQLiLite/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

Tool     Purpose
Python   Exploit script (login request and flag extraction)

💡 Key Learnings

Skills Improved

  • Web Exploitation
  • SQL Injection (authentication bypass against a SQLite-backed login form)

📊 Final Statistics

Metric Value Notes
Time to Solve 00:00 From start to flag
Global Ranking Challenge ranking
Points Earned Team contribution

Created: 30-01-2025 • Last Modified: 30-01-2025 • Author: mH4ck3r0n3 • Team: