Xib3rR4dAr / CTF_BlackHat_MEA_2023

BlackHat MEA 2023


Solutions for BlackHat MEA challenges

Warm me up

Visiting the home page displays a link to the login page.


Also, upon visiting the home page, a cookie named session is returned in the response headers. Base64-decoding the first part before the dot (.) reveals an OTP. This OTP was later entered in the OTP field.


Visiting the login page displays a form with Username, Password and OTP fields.


Using a single quote in the username parameter produces an error, while a double quote produces no error.


Using ' or 1=1-- - or admin'-- - does not log in.

Using ' order by 2-- - gives no error, while ' order by 3-- - gives an error, indicating that the backend SQL query selects 2 columns.

Using the username ' UNION SELECT 'admin','admin'-- - with any password and the OTP obtained from the session cookie successfully logs us in and returns a new session cookie.


Using the received session cookie displays the flag.
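Added example (not from the challenge or this writeup): a small Python model of the two weaknesses the steps above rely on. The query shape, the users table and the Flask-style session cookie (assumed from the dot-separated base64 format) are all assumptions; the vulnerable login is shown beside a parameterised one, and the cookie decoder shows why a signed-but-unencrypted session must never carry the OTP.

```python
import base64
import json
import sqlite3
import zlib

# Constructed sample users (not from the challenge).
USERS = [("admin", "s3cret-admin-pw"), ("guest", "guest")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db


def login_vulnerable(db, username, password):
    # Assumed shape of the challenge query: the username is spliced into the SQL text,
    # so the attacker controls the two returned columns (ORDER BY 2 works, ORDER BY 3 fails).
    sql = f"SELECT username, password FROM users WHERE username = '{username}'"
    row = db.execute(sql).fetchone()
    return row is not None and row[1] == password


def login_fixed(db, username, password):
    # Parameterised query: the username is bound as data and can never alter the statement.
    sql = "SELECT username, password FROM users WHERE username = ?"
    row = db.execute(sql, (username,)).fetchone()
    return row is not None and row[1] == password


def session_payload(cookie):
    # Flask-style session cookie: payload.timestamp.signature. The signature blocks
    # tampering, but the payload is plain base64 (zlib-compressed when the cookie starts
    # with "."), so anyone holding the cookie can read it; secrets such as an OTP do not belong there.
    compressed = cookie.startswith(".")
    segment = cookie.lstrip(".").split(".")[0]
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


# Constructed cookie with a placeholder timestamp and signature; only the payload is decoded.
SAMPLE_COOKIE = (
    base64.urlsafe_b64encode(json.dumps({"otp": "481516"}).encode()).rstrip(b"=").decode()
    + ".ZRzXmA.not-a-real-signature"
)
```

Against the vulnerable function the writeup's UNION payload succeeds and ' or 1=1-- - fails (a row comes back, but its password column does not match), which matches the observations above; the parameterised version rejects both.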
