 Hello everybody, welcome back to another YouTube video again showing off the Kaizen CTF and a couple of challenges that were on that over the weekend I want to show off now the search leak challenge, which was supposedly a coding challenge We didn't seem like there was a too much of it there. We ended up taking a hint on this one, which honestly we shouldn't have Looking back. It was really easy to like I was able to visibly see this was a regular expressions attack Or at least it was using regular expressions and I should have just tried to use something to match all rather than just specifically trying Okay, regardless. Here's the challenge prompt It's some hacktivists are running around the web hacking small databases and posting the data on the website They think they're white hats because they only show the user's name and not the rest of the PII find the flag in the database So we go check this out. It's still up. Hopefully. Okay, awesome. And All we have is this Textbox input and we can it says like try searching for a name like Chris So I try Chris and I get some stuff. I don't see even tried like sequel injection initially You can see a bunch of my old requests were to see if there were any sequel injection stuff in there And there is not So immediately I look okay. This isn't sequel injection. That's going through so I Was curious what other stuff I can do with it So I look for other names like John and none of them were in there I just wanted to try an empty search string and or like some of those and that didn't particularly work for us. So we all tried other other interesting characters like I went with exclamation points and I tried to send in like hex encoded stuff, but it seemed like that was interpreted I tried a star and that got me a hmm Your search is malformed and that was kind of curious. So I started trying other things like a dot and that seemed to get everything which I thought was initially strange. I even tried like a walk a symbol Which was initially very strange because it got everything but star David worked but like Carrot avid it didn't work So I was like, okay This looks like very clearly a regular expression because I can use an carrot which means the start of regular expressions And anything that starts with it what I didn't try which I should have was that dot for anything in regular expressions with the Greedy asterisk to mean match everything repeated and that is what will end up getting you your flag Because it is a regular expressions and that dot star will match everything in regular expressions So You can do a little bit of research on regular expressions if you haven't heard of them before I think I have some videos on the series, but it does match. It's a pattern matching Sequence or a language kind of thing or But it's awesome for one thing I use them repeatedly almost always for what I'm just trying to cut up data and code and stuff like that But in this case, I didn't realize I thought I realized because that that Carrot was strange for me that it would return everything, but I didn't think to try I even tried a dot, but I didn't think to try I didn't think to try dot star Which was honestly disappointing for me because I should have known that it was regex Or at least I should have tried that without taking the hint But we did end up getting it during the competition and it was originally a hundred points Only the hint dropped it down to 80 But that is the flag and the way you would achieve that was that dot star regular expression. So cool Thanks for watching guys simple challenge just took a little bit of poking at it and realizing that it was regular Expressions and being able to take advantage of that. So thanks for watching. Hope to see you in a later video