> First recon step here is to run a port scan to discover if there is any service. As a result I got port 80
Overkill much? :)
> There is only one user ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"). Is that a hash? Googled it and found the answer, yes it is: md5('password'). Now we are able to log in using admin:password or even using the sqli
Stuff like this makes me think the author accidentally went into this stuff in reverse order. The username/password combo seems almost expected to be manually bruteforceable.
Also, the whole blind-querying of strings using sleep() is awesome. Is that a common technique or did the author make it up on the spot?
Using sleep() is a common technique, recommended specifically to let you query data even when you aren't given output from the database. As long as you can produce an effect that you can detect, you can extract information.
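An added example, not code from this thread or from the writeup it discusses, showing the defender's side of the comment above: a log check that flags requests pairing a delay function with a slow response, and the concatenated lookup beside its parameterized fix. The log lines, table contents and function names are constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed access-log sample (method, path, status, duration); not from the original thread.
SAMPLE_LOG = """\
GET /login?user=admin&pass=password 200 12ms
GET /news?id=1 200 8ms
GET /news?id=1+AND+SLEEP(5) 200 5021ms
GET /news?id=1%20and%20if(1=1,sleep(3),0) 200 3014ms
GET /search?q=sleep+well 200 9ms
"""

# Delay primitives relied on when response time is the only observable signal.
DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\d+)ms$")

def flag_time_based_probes(log_text, slow_ms=2000):
    """Return decoded paths that carry a delay call *and* exceeded slow_ms; requiring both
    signals filters ordinary slow requests and innocent words like 'sleep' in search terms."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, duration = unquote_plus(m.group(2)), int(m.group(4))
        if DELAY_RE.search(path) and duration >= slow_ms:
            hits.append(path)
    return hits

def make_db():
    """In-memory users table mirroring the thread's single admin row (md5 of 'password')."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99')")
    return db

def find_user_concatenated(db, username):
    """The defect: input is spliced into the SQL text, so quotes and keywords reach the parser."""
    return db.execute("SELECT username FROM users WHERE username = '" + username + "'").fetchone()

def find_user_parameterized(db, username):
    """The fix: the driver binds the value separately, so it can never alter query structure."""
    return db.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()

if __name__ == "__main__":
    print(flag_time_based_probes(SAMPLE_LOG))
    print(find_user_parameterized(make_db(), "o'brien"))  # None: the quote is just data
    try:
        find_user_concatenated(make_db(), "o'brien")      # the quote breaks the statement
    except sqlite3.OperationalError as e:
        print("concatenated query broke:", e)
```

A benign name with an apostrophe is enough to show the difference: the parameterized lookup returns no row, while the concatenated one hands the apostrophe to the SQL parser and fails.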
Great writeup. Impressive to be able to find and be able to jump through so many hoops.
Every time I see one of these I reflect on the fact that if a person is prepared to do all this work for either lulz or some kUSD, imagine what efforts people might be prepared to do to gain 1-10-100 MUSD.
It's why we say in high-assurance security to address each root cause as they're understood and mitigated. Then, build that into your languages, analyzers, etc. Ada and Rust do that for lots of code injection opportunities. For web apps, even PHP has Airship CMS to reduce risks. Jif/Sif languages track information flows to block leaks. Several OS's do secure-by-default configurations. And so on and so forth.
We know these attackers may expend a lot of effort. They also have more education, tooling, and labor out there than at any time before. Might as well use technology that makes blocking them something we don't even think about vs a cat and mouse game where we must consider every detail for even common operations or apps.
At the same time, SQL injection was heavily leveraged for initial read/writes, and that's a problem which was solved decades ago. That it still exists in places today is almost mind-boggling.