
Extracting hashes

Why bother to guess or retrieve the master key when we already know the endpoint it is calling?

Moreover, the binary does not seem to do any decryption with the master key itself. Instead, it simply displays the content of the response from the API. We should call the endpoint directly!

http://127.0.0.1:1234/index.php?method=select&username=administrator&table=passwords

Response

A seemingly weird AES key is provided to us.

[Screenshot: AES key]

SQL injection

This seems like the password manager Juliette mentioned. Pretty basic.

Additionally, it seems to be self-written and is therefore likely to contain vulnerabilities.

Fiddling with the parameters shows that it is vulnerable to a UNION-based SQL injection, which can be used to leak the admin password hash.

[Screenshot: SQLi]
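To show why an endpoint shaped like the one above (`username` and `table` taken straight from the query string) is injectable, and what the hardened version looks like, here is an added Python example; it is not code from the challenge, whose backend is PHP, and the schema, column names and values are constructed. The point worth noting is that a table name cannot be bound as a query parameter, so it has to be checked against an allowlist, while the username is bound and therefore only ever treated as data.

```python
import sqlite3

# Constructed sample schema standing in for the challenge's password manager.
# Table layout, column names and values are assumptions, not from the target.
_SCHEMA = """
CREATE TABLE passwords(username TEXT, secret TEXT);
INSERT INTO passwords VALUES ('administrator', 'enc:ADMIN-BLOB');
INSERT INTO passwords VALUES ('juliette', 'enc:JULIETTE-BLOB');
CREATE TABLE notes(username TEXT, body TEXT);
INSERT INTO notes VALUES ('administrator', 'private note');
"""


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


# Vulnerable pattern: both request parameters are pasted into the SQL text,
# so whoever controls the URL controls the shape of the query.
def vulnerable_select(username: str, table: str) -> list:
    conn = _connect()
    sql = f"SELECT username, secret FROM {table} WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


# Only identifiers the application itself defines may appear in the query.
ALLOWED_TABLES = {"passwords"}


# Hardened version: the table name is validated against an allowlist (it is an
# identifier, so it cannot be bound), and the username is passed as a bound
# parameter, so quotes or UNION keywords in it never change the query.
def safe_select(username: str, table: str) -> list:
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted: {table!r}")
    conn = _connect()
    sql = f"SELECT username, secret FROM {table} WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()
```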

Decrypting using the AES key

From the gathered information, we can decrypt the key.

[Screenshot: Password hash]

Login as admin

With this, we can log in as admin and obtain root.txt.