🌐 Irish-Name-Repo 2

A detailed write-up of the Web challenge 'Irish-Name-Repo 2' from PicoCTF - 2019

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo2/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

| Category | Details | Additional Info |
| --- | --- | --- |
| 🏆 Event | PicoGym | Event Link |
| 🔰 Category | Web | 🌐 |
| 💎 Points | 500 | Out of 500 total |
| ⭐ Difficulty | 🟡 Medium | Personal Rating: 1/10 |
| 👤 Author | Xingyang Pan | Profile |
| 🎮 Solves (at the time of flag submission) | 14.877 | solve rate |
| 📅 Date | 22-02-2025 | PicoGym |
| 🦾 Solved By | mH4ck3r0n3 | Team: |

📝 Challenge Information

There is a website running at https://jupiter.challenges.picoctf.org/problem/64649/ (link). Someone has bypassed the login before, and now it’s being strengthened. Try to see if you can still login! or http://jupiter.challenges.picoctf.org:64649

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo2/site_presentation.png
Site Presentation

This is version 2 of the challenge Irish-Name-Repo 1, so let’s see what has changed (I remember that in that write-up we found the admin username on the Support page). I start by trying the injection that worked in the previous version of the challenge (' OR 1=1 --):

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo2/injection.png
First Injection

I get SQLi Detected., so a filter for SQL injection has been added. Since this is a black-box challenge (no files are attached), I need to figure out manually what kind of filter it is by testing a couple of payloads. The first one I try is username=':

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo2/injection2.png
Second Injection
/images/PicoGym/PicoCTF-2019/Irish-Name-Repo2/error500.png
Error 500

Sending it, as we can see, I get an Internal Server Error, caused by the now-broken query syntax (the unbalanced quote). So I know that ' is not blocked, while OR is probably blocked (and after trying UNION, I found that it was blocked too). Let’s move on to the exploitation phase.

PS: When I reached the third challenge in this series, I discovered that the form has a parameter debug=0 which, if set to 1, shows you the query… So, always remember to inspect the page source.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • SQL Injection

🎯 Solution Path

Exploitation Steps

Initial setup

As previously mentioned, we need to log in with the username admin, so the next injection I tried was ' -- to check whether comments were also blocked:

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo2/injection3.png
Third Injection
/images/PicoGym/PicoCTF-2019/Irish-Name-Repo2/login_failed.png
Failed Login

As we can see, comments are not blocked: we only get a Login Failed. message. We can turn this to our advantage, since we already know the user we want to log in as: admin.

Exploitation

Since the query is most likely of the form:

SELECT * FROM users WHERE username='' AND password=''

by sending username=admin' -- and an empty password=, we specify the user we want to log in as, and the rest of the query is commented out:

SELECT * FROM users WHERE username='admin'-- ' AND password=''

Since an admin user exists in the database, the query returns that row, the login succeeds, and we reach the page containing the flag.
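To show concretely why a keyword blocklist fails here and what actually fixes it, the following is an added example (not the challenge's own code, nor the author's exploit). It builds a constructed in-memory SQLite users table (the real schema, table and column names are assumptions), reproduces the inferred string-concatenated query behind a naive OR/UNION filter, and places a parameterised query beside it. The three payloads from the write-up are replayed against both: the blocklist stops ' OR 1=1 --, the lone quote breaks the query (the 500), and admin' -- slips past the filter on the concatenated query but is just a literal string to the parameterised one.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database standing in for the challenge's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "placeholder-admin-password"), ("alice", "placeholder-pw")],
    )
    return conn


# Assumed shape of the challenge's filter: a keyword blocklist that only
# looks for OR and UNION (comment sequences are not on the list).
BLOCKLIST = re.compile(r"\b(or|union)\b", re.IGNORECASE)


def naive_filter(value):
    """True when the blocklist fires (mirrors the 'SQLi Detected.' response)."""
    return bool(BLOCKLIST.search(value))


def vulnerable_login(conn, username, password):
    """String-concatenated query, as the write-up infers the challenge builds it."""
    if naive_filter(username) or naive_filter(password):
        return "SQLi Detected."
    query = (
        f"SELECT * FROM users WHERE username='{username}' "
        f"AND password='{password}'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        # Unbalanced quotes make the SQL unparsable, like the 500 seen above.
        return "Internal Server Error"
    return "Login OK" if row else "Login Failed."


def safe_login(conn, username, password):
    """Parameterised query: user input is bound as data and never parsed as SQL.

    This is the actual fix; the blocklist is not needed at all once the
    query is built this way.
    """
    row = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return "Login OK" if row else "Login Failed."


def replay_writeup_payloads(conn):
    """Replay the write-up's three test inputs against both login paths."""
    payloads = ["' OR 1=1 --", "'", "' --", "admin' --"]
    return {
        p: {"vulnerable": vulnerable_login(conn, p, ""),
            "safe": safe_login(conn, p, "")}
        for p in payloads
    }


if __name__ == "__main__":
    db = make_db()
    for payload, results in replay_writeup_payloads(db).items():
        print(f"{payload!r:16} vulnerable={results['vulnerable']!r:24} "
              f"safe={results['safe']!r}")
```

Running the script prints one line per payload. The only row where the two columns differ in outcome is admin' --: the concatenated query logs in as admin, the parameterised query answers Login Failed. because the whole string is compared against the username column. Detection-wise, a filter that rejects OR and UNION but not -- or # is the pattern to look for when reviewing such a blocklist, but the fix is to stop building SQL from strings rather than to grow the list.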

Flag capture

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo2/manual_flag.png
Manual Flag

🛠️ Exploitation Process

Approach

The automated exploit sends a single POST with the same payload used in the manual phase, username=admin' -- and an empty password=, then extracts the flag from the response with a regex.

🚩 Flag Capture

Flag

Proof of Execution

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo2/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

| Tool | Purpose |
| --- | --- |
| Python | Exploit |

💡 Key Learnings

Time Optimization

  • When a filter is added for OR, UNION, etc., always try injecting in the username field with username'-- since the filter might not cover comment sequences.

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📚 References & Resources

Additional Information

Similar Challenges

Learning Resources


📊 Final Statistics

| Metric | Value | Notes |
| --- | --- | --- |
| Time to Solve | 00:02 | From start to flag |
| Global Ranking (at the time of flag submission) | | Challenge ranking |
| Points Earned | 500 | Team contribution |

Created: 22-02-2025 • Last Modified: 22-02-2025 • Author: mH4ck3r0n3 • Team: