CTFtime.org / Syskron Security CTF 2020 / Leak audit / Writeup

#### Original Writeup - [https://github.com/CTSecUK/Syskron-Security-CTF-2020/blob/main/Write-ups/Leak%20Audit.md](https://github.com/CTSecUK/Syskron-Security-CTF-2020/blob/main/Write-ups/Leak%20Audit.md)

-----

![Category](http://img.shields.io/badge/Category-Tuesday-orange?style=for-the-badge) ![Points](http://img.shields.io/badge/Points-200-brightgreen?style=for-the-badge)

![tag-forensics](https://img.shields.io/badge/Tag-sql-blue?style=plastic)

## Details

![Details](https://github.com/CTSecUK/Syskron-Security-CTF-2020/raw/main/Write-ups/images/leak_audit_details.png)

After downloading and extracting the file we see a .db extension, running the file command on it confirms it's a SQLLite Database.

```
>$ file BB-inDu57rY-P0W3R-L34k3r2.db
BB-inDu57rY-P0W3R-L34k3r2.db: SQLite 3.x database, last written using SQLite version 3033000
```

I'm much more comfortable with MySQL so i head to the website [RebaseData.com](https://www.rebasedata.com/convert-sqlite-to-mysql-online) to convert it.

![Screenshot](https://github.com/CTSecUK/Syskron-Security-CTF-2020/raw/main/Write-ups/images/leak_audit_screenshot.png)

I download the converted file, move it from my Downloads folder and unzip it.

```
>$ mv ~/Downloads/result.zip .
>$ unzip result.zip
Archive: result.zip
inflating: data.sql
```

Next we need to create a blank MySQL databse to write the dumped database into;

```sql
>$ sudo mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.5.5-MariaDB Arch Linux

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE leak_audit;
Query OK, 1 row affected (0.000 sec)

MariaDB [(none)]> exit
Bye
```

Back at eth command prompt we can import the database like below;

```
>$ sudo mysql -p leak_audit < data.sql
Enter password:
```

Now we head back into mysql client and select the database;

```sql
>$ sudo mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 10.5.5-MariaDB Arch Linux

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use leak_audit;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
```
OK, Next Lets have a look at what tables are in the database;

That's nice and simple and we're only interested in the "personal" table, so lets try outputing a few rows to see what the data looks like;

```sql
MariaDB [leak_audit]> select count(number) from personal;
+---------------+
| count(number) |
+---------------+
| 376 |
+---------------+
1 row in set (0.000 sec)
```
So now we have the first part of our flag, next we need look for "**duplicate passwords**". We can do this with the below SQL query;

```sql
MariaDB [leak_audit]> SELECT password, COUNT(password) FROM personal GROUP BY password HAVING COUNT(password) > 1;
+------------+-----------------+
| password | COUNT(password) |
+------------+-----------------+
| mah6geiVoo | 2 |
+------------+-----------------+
1 row in set (0.001 sec)
```
The final piece of information we need to look for is "**passwords protected with bcrypt**".

I happen to know that BCrypt hashes start with ` $2a$` or `$2b$` but if you didn't know this then a quick check on google will easily reveal this information;

[https://en.wikipedia.org/wiki/Bcrypt](https://en.wikipedia.org/wiki/Bcrypt)

Putting all the information tother we get a flag of;

***syskronCTF{376_mah6geiVoo_21}***

Original writeup (https://github.com/CTSecUK).

Leak audit

Comments

Sign in with