Hackover CTF 2018: who knows john dows?
=======================================
## Description
Howdy mate! Just login and hand out the flag, aye! You can find on
[h18johndoe](https://github.com/h18johndoe/user_repository/blob/master/user_repo.rb)
has all you need!

http://yo-know-john-dow.ctf.hackover.de:4567/login

alternative: http://46.101.157.142:4567/login
## Solution
[The first link](https://github.com/h18johndoe/user_repository/blob/master/user_repo.rb)
points to a Ruby script in a GitHub repository that seems to handle logins
for the challenge website. The script is vulnerable to SQL injection.
```rb
def login(identification, password)
  hashed_input_password = hash(password)
  # Both user-controlled values are interpolated straight into the SQL string,
  # so either one can break out of its quotes and alter the query.
  query = "select id, phone, email from users where email = '#{identification}' and password_digest = '#{hashed_input_password}' limit 1"
  puts "SQL executing: '#{query}'"
  # The query is only run for an identification that already exists.
  @database[query].first if user_exists?(identification)
end

# Not a hash at all: the "digest" is simply the password reversed.
def hash(password)
  password.reverse
end
```
However, the challenge website first asks for a valid username or e-mail, and
SQL injection does not work in that field (the query only runs once
`user_exists?` has confirmed the identification). So we need to find a valid
username or e-mail somewhere.
Since the script is stored in a git repository we decided to have a look at the
commit history.
```
$ git shortlog -sne
1 John Doe <[email protected]>
1 John Doe <[email protected]>
1 John Doe <[email protected]>
1 John Doe <[email protected]>
```
`[email protected]` is a valid e-mail for the challenge site. After entering
it we're directed to a password field, which is vulnerable to SQLi.
Using `1' = '1' RO '` as our password (written backwards, because `hash()`
reverses the password before it is put into the query, so the server sees
`' OR '1' = '1`) we get the flag.
Flag: `hackover18{I_KN0W_H4W_70_STALK_2018}`
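To show why the interpolated query above fails and what the fix looks like, here is an added example (not the challenge author's code) that rebuilds the `login` logic against an in-memory SQLite table. The table schema, the sample user `john@example.invalid` and its password are constructed for the demo; the reversing "hash" and the `user_exists?` gate mirror the Ruby script. `login_vulnerable` builds the SQL string exactly as `user_repo.rb` does, while `login_fixed` passes both values as bound parameters, so the same reversed payload no longer alters the query.

```python
import sqlite3

# The writeup's payload: once reversed by the "hash", it becomes  ' OR '1' = '1
BYPASS_PASSWORD = "1' = '1' RO '"


def fake_hash(password):
    # Mirrors the challenge's hash(): plain string reversal, trivially invertible.
    # A real application would use a salted password hash (bcrypt, argon2, ...).
    return password[::-1]


def make_db():
    # Constructed stand-in for the challenge's users table; the real schema is not
    # on the page, so only the columns named in the query are modelled.
    db = sqlite3.connect(":memory:")
    db.execute(
        "create table users (id integer primary key, phone text, "
        "email text, password_digest text)"
    )
    db.execute(
        "insert into users (phone, email, password_digest) values (?, ?, ?)",
        ("000-0000", "john@example.invalid", fake_hash("s3cret")),  # sample user
    )
    db.commit()
    return db


def user_exists(db, identification):
    # Equivalent of user_exists?: a safe, parameterised lookup that gates the login.
    row = db.execute(
        "select 1 from users where email = ? limit 1", (identification,)
    ).fetchone()
    return row is not None


def login_vulnerable(db, identification, password):
    # Same construction as user_repo.rb: values are spliced into the SQL text.
    hashed = fake_hash(password)
    query = (
        f"select id, phone, email from users where email = '{identification}' "
        f"and password_digest = '{hashed}' limit 1"
    )
    if not user_exists(db, identification):
        return None
    # With BYPASS_PASSWORD the WHERE clause becomes
    #   email = '...' and password_digest = '' OR '1' = '1'
    # and, since AND binds tighter than OR, it matches every row.
    return db.execute(query).fetchone()


def login_fixed(db, identification, password):
    # Hardened form: the SQL text is constant and the driver binds the values,
    # so quotes inside the password are data, never syntax.
    hashed = fake_hash(password)
    query = (
        "select id, phone, email from users "
        "where email = ? and password_digest = ? limit 1"
    )
    if not user_exists(db, identification):
        return None
    return db.execute(query, (identification, hashed)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", login_vulnerable(db, "john@example.invalid", BYPASS_PASSWORD))
    print("fixed, payload:     ", login_fixed(db, "john@example.invalid", BYPASS_PASSWORD))
    print("fixed, real pw:     ", login_fixed(db, "john@example.invalid", "s3cret"))
```

The `user_exists` gate is why the e-mail had to be recovered from the commit history first: without a row matching the identification, neither version even executes the injectable query. Binding the parameters removes the injection; replacing the reversing "hash" with a real password hash is the separate fix the script still needs.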