Challenge Overview

Theme: Prototype Auto Factory
Goal: Access the "Prototype Lab" (admin area) to retrieve the flag.

Vulnerabilities Explained

1. SQL Injection (The Password Bypass)

The application uses an unsafe SQL query:

const query = `SELECT id FROM users WHERE username = '${username}' AND password = '${password}'`;

Why SELECT 1 as id works: Normally, the query returns no rows if the password is wrong. By injecting ' UNION SELECT 1 as id;-- into the password field, the query becomes:

SELECT id FROM users WHERE username = '...' AND password = '' UNION SELECT 1 as id;--'

  1. The first part (before UNION) returns no rows, because the password does not match.
  2. The UNION operator combines results.
  3. SELECT 1 as id creates a virtual row containing id: 1.
  4. The -- comments out the rest of the original query (the dangling closing quote). The application sees a result { id: 1 } and logs you in!

2. Prototype Pollution / Logic Bug (The Admin Bypass)

After logging in, the code checks if you are an admin:

if (activeAdmins[username]) {
  // grant flag
}

activeAdmins is a simple object {}. In JavaScript, even empty objects inherit properties from Object.prototype. One such property is the function toString, so a lookup with that name is truthy even though no admin was ever added to the object.
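The inherited-property bug next to two hardened versions of the check, as an added example that is not part of the challenge's code; the admin name factory_admin and the auditCheck helper are constructed for illustration.

```javascript
// Constructed sample: one legitimate admin, stored the way the challenge does.
const activeAdmins = { factory_admin: true };

// Vulnerable: a plain object lookup also resolves inherited Object.prototype
// members, so a username such as "toString" passes although it was never added.
function isAdminVulnerable(username) {
  return Boolean(activeAdmins[username]);
}

// Hardened (a): only accept properties the object itself owns, with the expected value.
function isAdminHasOwn(username) {
  return Object.hasOwn(activeAdmins, username) && activeAdmins[username] === true;
}

// Hardened (b): keep the admin list in a Set, which has no prototype chain to walk.
const adminSet = new Set(Object.keys(activeAdmins));
function isAdminSet(username) {
  return adminSet.has(username);
}

// Inherited names a defender should run a membership check against during review.
const probes = ["toString", "constructor", "hasOwnProperty", "__proto__"];

// Returns the probe names that the given check wrongly accepts as admins.
function auditCheck(check) {
  return probes.filter((name) => check(name));
}

console.log("vulnerable check accepts:", auditCheck(isAdminVulnerable));
console.log("hasOwn check accepts:", auditCheck(isAdminHasOwn));
console.log("Set check accepts:", auditCheck(isAdminSet));
```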

Solution Steps