DEADFACE2022 Logo

Author(s):

  • syyntax

Category:

  • SQL

Points:

  • 35

File(s):

  • esu-202209211051.zip

Hint(s):

  • None

Let's Hash It Out

Challenge:

DEADFACE discussed what users they were going to target out of the database dump obtained. Look around on Ghost Town and submit the password hash of the user they are targeting.

Submit the flag as flag{hash}.

Use the database from Counting Heads.

Solution:

Based on the challenge description, we searched GhostTown for the term database target and found a thread titled, "Database question" where mirveal is asking if there is a specific ESU person they should be targeting. Other users in the thread respond that faculty should be the target, specifically the Administration department, and mirveal finds there is only one person that works in Administration:

Using the database we created during the Counting Heads challenge, and knowing of the 'roles' and 'roles_assigned' tables, we ran a query to retrieve one Administrator:

mysql> SELECT * FROM users WHERE user_id IN (SELECT user_id FROM roles_assigned WHERE role_id = (SELECT role_id FROM roles WHERE role_name LIKE "Administration"))\G

*************************** 1. row ***************************
 user_id: 1440
username: nikia.manderfield
   first: Nikia
    last: Manderfield
  middle: T
   email: nikia.manderfield@easternstateuniversity.com
  street: 4047 Liberty Route
    city: Brackenridge
state_id: 45
     zip: 15014
  gender: m
     dob: 1957-12-04

Unfortunately, there isn't a field in the 'users' table that stores their password, so we reviewed the other tables and found an obvious one named 'passwords':

mysql> DESCRIBE passwords;

Field	Type	Null	Key	Default	Extra
password_id	int	NO	PRI	NULL	auto_increment
password	varchar(256)	NO	UNI	NULL	
user_id	int	NO	UNI	NULL

We know the 'user_id' of the targeted user from our previous query, so querying the 'passwords' table reveals the hash needed to complete the flag:

mysql> SELECT * FROM passwords WHERE user_id = 1440\G
*************************** 1. row ***************************
password_id: 1440
   password: b487af41779cffb9572b982e1a0bf83f0eafbe05
    user_id: 1440

The accepted flag was: flag{b487af41779cffb9572b982e1a0bf83f0eafbe05}

Published:

Updated:

Leave a comment