Tags: web 


# Evlz CTF 2019 – WeTheUsers

* **Category:** Web
* **Points:** 100

## Challenge

> [](
> [https://pastebin.com/VWmk2Jdy](https://pastebin.com/VWmk2Jdy)

## Solution

The [source code](https://raw.githubusercontent.com/m3ssap0/CTF-Writeups/master/Evlz%20CTF%202019/WeTheUsers/source.py) of the application is given for this challenge.

Analyzing it, you can discover that during user registration data is packed with a format like `username:password:admin`.

The `admin` field can be `true` or `false` and during the normal registration process a `false` value is forced into the ACL.

There are no escaping countermeasures for `:` char, hence a record could be crafted and injected passing a password with that char, in order to bypass the `false` value forced, creating an admin account.

For example, you can use following values during registration:
* username: `m3ssap0`
* password: `pwnd:true`

Logging in with the created user will show the flag:


Original writeup (https://github.com/m3ssap0/CTF-Writeups/blob/master/Evlz%20CTF%202019/WeTheUsers/README.md).