EPFL's CTF team

Hackover CTF 2018: who knows john dows?
Howdy mate! Just login and hand out the flag, aye! You can find on h18johndoe has all you need!
The first link points to a Ruby script in a GitHub repository that handles logins for the challenge website. The script builds its SQL query by interpolating user input directly into the query string, so it is vulnerable to SQL injection.

def login(identification, password)
    hashed_input_password = hash(password)
    # Both values are interpolated straight into the SQL text: this is the injection point.
    query = "select id, phone, email from users where email = '#{identification}' and password_digest = '#{hashed_input_password}' limit 1"
    puts "SQL executing: '#{query}'"
    # user_exists? (defined elsewhere in the script) is why a valid username/e-mail is needed first.
    @database[query].first if user_exists?(identification)
end

# Not a real hash: the stored "digest" is just the reversed password.
def hash(password)
    password.reverse
end

However, the challenge website first asks for a valid username or e-mail, and SQL injection does not work at that step. We need to find a valid username or e-mail somewhere.

Since the script is stored in a git repository we decided to have a look at the commit history.

$ git shortlog -sne
     1  John Doe <angelo_muh@yahoo.org>
     1  John Doe <jamez@hemail.com>
     1  John Doe <john_doe@gmail.com>
     1  John Doe <john_doe@notes.h18>

john_doe@notes.h18 is a valid e-mail for the challenge site. After entering it, we are taken to a password field, which is vulnerable to SQLi.

Using 1' = '1' RO ' as our password gets us the flag. The payload is written backwards because hash() reverses its input before it is interpolated into the query, so the "digest" that lands in the SQL string is ' OR '1' = '1, turning the password check into a tautology.
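To make the mechanics concrete, here is an added example (our own code, not the challenge script) that mirrors the vulnerable query construction next to a parameterized version. challenge_hash reproduces the reverse-as-hash behaviour; vulnerable_query rebuilds the page's interpolated SQL; parameterized_query keeps the SQL text fixed and returns the values as binds, the shape a placeholder API such as Sequel's DB.fetch(sql, *binds) consumes. The SHA-256 digest and the literal_count helper are assumptions for illustration: a real deployment would use a salted, slow password hash such as bcrypt, and literal_count is only a crude way to show that the input changed the statement's structure.

```ruby
require 'digest'

# Challenge-style "hash": the stored digest is just the reversed password,
# so anything the attacker types is reversed once and then lands in the SQL.
def challenge_hash(password)
  password.reverse
end

# Mirrors the vulnerable construction from the challenge script: both values
# are interpolated into the SQL text, so quotes in the input change the query.
def vulnerable_query(identification, password)
  digest = challenge_hash(password)
  "select id, phone, email from users where email = '#{identification}' " \
  "and password_digest = '#{digest}' limit 1"
end

# Hardened equivalent: the SQL text is constant and the values travel as bind
# parameters. Returned as [sql, binds]; a placeholder API (e.g. Sequel's
# DB.fetch(sql, *binds) or a prepared statement) would execute this pair.
# SHA-256 stands in for a real password hash (use bcrypt or similar in practice).
def parameterized_query(identification, password)
  digest = Digest::SHA256.hexdigest(password)
  sql = "select id, phone, email from users where email = ? " \
        "and password_digest = ? limit 1"
  [sql, [identification, digest]]
end

# Crude structural check (illustration only): a well-formed login query has
# exactly two quoted string literals. Input that adds literals has escaped
# its value and rewritten the statement.
def literal_count(sql)
  sql.scan(/'[^']*'/).size
end

if __FILE__ == $PROGRAM_NAME
  email = "john_doe@notes.h18"          # the e-mail recovered from the git log
  payload = "1' = '1' RO '"             # the page's payload, reversed once by challenge_hash
  puts "normal:  #{vulnerable_query(email, 'secret')}"
  puts "payload: #{vulnerable_query(email, payload)}"
  puts "literals: #{literal_count(vulnerable_query(email, 'secret'))} vs #{literal_count(vulnerable_query(email, payload))}"
  sql, binds = parameterized_query(email, payload)
  puts "parameterized SQL (unchanged by input): #{sql}"
  puts "binds: #{binds.inspect}"
end
```

With the vulnerable builder the payload yields password_digest = '' OR '1' = '1' limit 1, and the literal count jumps from 2 to 4; with the parameterized builder the SQL string is the same for every input and the payload is simply the second bind value.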

Flag: hackover18{I_KN0W_H4W_70_STALK_2018}