Hey YouTube, John Hammond, PicoCTF 2018. This challenge is called The Vault, for 250 points in the web exploitation category. It says there's a website running at this location and here's a link, try and see if you can log in. So we can view the website, it has a simple login page and it actually gives us some source code so we can check that out. Looks like it is running PHP, displaying errors and error reporting is on, includes the configuration file and some database that it's trying to open up. It actually reads in our username and password, also a debug variable that we can specify. And then it actually tries to use a query with SELECT 1 FROM users WHERE name is equal to something and password is equal to blah, blah, blah. Okay, so we have potential SQL injection, right? Like it's just concatenating in, or at least placing in, our variables. It's actually not doing anything to sanitize them in the query. However, when it's displaying them with the debug value, it will actually just go ahead and display the special characters with it. So it tries to, like, HTML-entitize it as necessary. So we won't particularly need this because I think we're smart enough to know, well, we know our SQL injection vulnerability, let's totally take advantage of it. They do something interesting here though, because they have a validation check. They try and use some regular expressions to determine if we're using an or syntax. So, like, we're used to a SQL injection with or 1=1; looks like they'll test if we actually see that, if we see that pattern at all in the username, or, interestingly enough, the password match is still running on the username field. So we could determine, well, password is gonna be equal to, we can actually inject in there, but we can't have the username, peculiar thing. And if the user match and password match is not equal to one, if it actually returns some location in the preg_match, it will determine we detected SQL injection.
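An added example (not code from the video or the challenge) modelling the check just described: a blacklist regex that only inspects the username in front of a string-built query, next to a parameterized query that needs no blacklist at all. The table, the `\bor\b` pattern and the stored password are constructed stand-ins, not the challenge's real schema or regex.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the challenge's users table (hypothetical data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'hypothetical-secret')")
    return db


# Assumed simplification of the challenge's filter: look for a bare 'or' keyword.
OR_PATTERN = re.compile(r"\bor\b", re.IGNORECASE)


def vulnerable_login(db, username, password):
    """Mirrors the flawed design: the regex is applied to the username only,
    and both fields are then concatenated straight into the SQL text."""
    if OR_PATTERN.search(username):
        return "SQL injection detected"
    sql = f"SELECT 1 FROM users WHERE name='{username}' AND password='{password}'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "error"  # a broken query leaks structure via the page's error display
    return "logged in" if row else "login failed"


def safe_login(db, username, password):
    """Parameterized query: input is bound as data, so quotes, 'or' and '--'
    are never parsed as SQL and no keyword blacklist is needed."""
    row = db.execute(
        "SELECT 1 FROM users WHERE name=? AND password=?", (username, password)
    ).fetchone()
    return "logged in" if row else "login failed"
```

Run the two functions with the same inputs to see that the blacklist only stops the one field it looks at, while parameter binding rejects the same inputs on both fields and still accepts the real credentials.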
So, peculiar, interesting note though: it's not testing it in the password. So let's go ahead and see what we can do. We would try a regular SQL injection, or 1=1, comment, comment, and: SQL detected. But let's change this. We could say anything for our username and try or 1=1 in the password, and we log in. That works just fine for us. Another interesting thing is just selecting anything from, let's say, probably the users, right? We know there's very likely going to be an admin user. So if we just had that username and then commented out the rest of the query, we could log in just like that. So I don't know if it actually has anything not in there. Okay, so no, we have to have an admin account. It was worth trying, it was worth figuring out, but those are the two easy ways to win that I saw. You can use the or syntax in the password field because it's not testing that, or you could use it in the username: just go ahead and use admin and comment out the rest of the query. So now that we have the flag, we can go ahead and submit, but let's write a simple get flag script for this. It looks like it's just pasting this, I'm sorry, wow, posting this to login.php. So let's go ahead and make a little curl thing for that. Not too hard, right? We can use curl on this location. Let's say --data, username can equal, let's say, admin--, and it gives us the flag just like that. So grep -oE, wow, caps lock, what are you doing? Not welcome here, get out of my house. --color=none and make curl silent, great. There is our simple one-liner, awesome get flag script, just encapsulating our answers, that's all. Save it to flag.txt, throw it in our clipboard and we can submit it. The next challenge is called What's My Name, for 250 points, and it's in the forensics category. It says "Say my name, say my name" and we can download this file. So I've actually got this already moving, got it downloaded already, and it is a pcap file.
So if I go into what's my name, we have myname.pcap, which is a TCP capture file. We can open this thing up in Wireshark and explore it just like you would with any actual pcap, but there's a lot in here and it's doing some DNS stuff. I'm assuming that's probably why it's trying to get a hold of the what's my name thing and the name server of an IP address or whatever the case may be. I didn't care to look through this because all I did was a simple, please let me out of Wireshark, dude. Let me out of Wireshark, what are you doing? All right, fine. I just ran strings on this, right? Pretty easy and usual technique, usual little weapon that we go for here: look for our flag format, carve it out, and if we find it, we win. So just like that, not a hard challenge, just kind of knowing, let's go for the quick cut-corners thing. Make a simple get flag script for that, flag.txt and xclip, go ahead and submit and we're cruising. Before I go, quick shout out to the people that support me on Patreon, thank you guys so much. You're the best, that's it, you're just the best. There is no one better, each and every one of you is simultaneously the best person. I guess, I don't know, I guess I don't really know how that could make sense, but whatever, you're just all the best. $1 a month on Patreon will give you a special shout out just like this at the end of every video. $5 or more on Patreon will give you early access to everything that is released on YouTube before it goes live. If you did like this video, please do like, comment and subscribe. Join our Discord server, link in the description, it's a cool community full of CTF players, programmers and hackers. You can hang out with me and a ton of other awesome people that are way smarter than me. We're gonna be tackling a lot of capture the flag competitions that are coming up, practicing on wargames, just sharpening our skills, talking about the scene, it's awesome, so please do come hang out.
All right, thanks for watching guys. Hope to see you on Patreon. Hope to see you in the next video. Love ya, bye.