Web – cereal hacker 1

cereal hacker 1 - 450pt


Login as admin. https://2019shell1.picoctf.com/problem/49879/ or http://2019shell1.picoctf.com:49879


No hints


After a quick check of the code I tried to exploit the file parameter in the URL, but with no result; after a lot of guessing we figured out one page name: admin

It will be fundamental later. After a ton of guessing and a little hint from the official Discord page of picoCTF we found that the credentials to log in as a regular user were: username=guest and password=guest

The really interesting part of this page is the cookies; in fact there is a new base64-encoded cookie called user_info


After decoding it I found out that it was a serialized object (Click [here]() if you want to know more about serialization in PHP)


So after a few tries I tried an SQL injection in the password field and it worked!!



Actual serialized message:

O:11:"permissions":2:{s:8:"username";s:5:"admin";s:8:"password";s:12:"a' or '1'='1";}6p

And after sending it as a cookie in the admin page, it returned the flag
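Why this cookie is accepted, and what the server should do instead, as an added example that is not part of the original writeup or the challenge's code. It is written in Python with sqlite3 rather than PHP so it runs offline; the table schema, the concatenated query, the signing key and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re
import sqlite3

KEY = b"constructed-server-key"  # assumption: a server-side secret for signing cookies

def make_db():
    # Constructed stand-in for the challenge's user table; the real schema is unknown.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("guest", "guest", 0), ("admin", "constructed-secret", 1)])
    return db

def parse_user_info(cookie_b64):
    # Read the s:<len>:"<value>"; pairs by length instead of calling unserialize().
    raw = base64.b64decode(cookie_b64).decode("ascii")
    values, pos = [], 0
    for m in re.finditer(r's:(\d+):"', raw):
        if m.start() >= pos:  # ignore look-alike matches inside a previous value
            end = m.end() + int(m.group(1))
            values.append(raw[m.end():end])
            pos = end
    return dict(zip(values[0::2], values[1::2]))

def login_concatenated(db, info):
    # Assumed server-side pattern: cookie fields pasted into the SQL text.
    sql = ("SELECT username, admin FROM users WHERE username='%s' AND password='%s'"
           % (info["username"], info["password"]))
    return db.execute(sql).fetchall()

def login_parameterized(db, info):
    # Same lookup with bound parameters: the quote characters stay data.
    sql = "SELECT username, admin FROM users WHERE username=? AND password=?"
    return db.execute(sql, (info["username"], info["password"])).fetchall()

def sign(cookie_b64):
    return hmac.new(KEY, cookie_b64.encode(), hashlib.sha256).hexdigest()

def verify(cookie_b64, tag):
    # Reject client-modified cookies before any parsing or database work.
    return hmac.compare_digest(sign(cookie_b64), tag)

# The serialized object shown in the writeup, re-encoded the way the cookie carries it.
PAYLOAD = 'O:11:"permissions":2:{s:8:"username";s:5:"admin";s:8:"password";s:12:"a\' or \'1\'=\'1";}'
COOKIE = base64.b64encode(PAYLOAD.encode()).decode()
```

With `info = parse_user_info(COOKIE)`, `login_concatenated(make_db(), info)` returns every row because the trailing `or '1'='1'` is evaluated as SQL, while `login_parameterized(make_db(), info)` returns none. A tag issued by `sign()` for the guest cookie no longer verifies once the cookie is edited.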


