MMA CTF 2nd 2016: Get the admin password! (Web) Write-up

Descriptions:

Get the admin password!
http://gap.chal.ctf.westerns.tokyo/

You can use test:test

Solution: 

1. Try to inject in user/password field such as SQL Injection it not show more information.

2. Fuzzing via BurpSuite Pro with Simple list: Fuzzing - SQL Injection by user=admin&password=[Fuzz]. and get some different length.

3. Using Google to search with keyword that we have and found the backend database is MongoDB

4. Try MongoDB Injection with user=admin&password[$ne]=1, and successfull to login as admin!

5. This challenge need a admin password, I try regex operator to guess a admin's password like user=admin&password[$regex]=^TWCTF{[Fuzz]

6. Set payload type Brute forcer with characte set in $ python -c "import string; print string.printable".

7. Set option Grep - Extract because if character is valid will return HTTP status code 302 Found to redirect to index page.

8. Start attack and found 1st character is "w" :)

9. Fuzzing to find another character of admin's password.

Flag: TWCTF{wasshoi!summer_festival!}