https://s3-us-west-2.amazonaws.com/secure.notion-static.com/7d612d00-00cf-4da2-9795-f0ec54705a68/Untitled.png

Solution

  1. Figure out the encryption.

    The "encryption" the challenge refers to is simply base64 encoding, applied client-side to whatever is typed into the username and password fields. Base64 is an encoding, not encryption: it is fully reversible and offers no protection.

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f8a28065-1327-4d09-870b-d21709e04ff2/Untitled.png

    For example, sending in "admin" as the username and password results in this:

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/c4bda5de-c9be-4f12-8487-8e57a3868ddc/Untitled.png

  2. Bypass the encryption.

    Since the encoding happens in the browser, it can be bypassed by editing the POST request directly instead of typing the values into the text fields.

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/9fd64b98-0524-4df0-9e31-3af2c09546a6/Untitled.png

    By doing so, the username and password values are sent without the base64 encoding, as shown below.

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/62f1fed5-9741-4539-aa53-e658ef9515ab/Untitled.png

  3. Perform SQL injection.

    Based on the index.js file, it seems that the username must be "admin". Thus, I placed the tautology in the password field instead.

    The following input can be used for the password field:

    password' OR 1=1--

    Yes, it is similar to the web/orm-bad challenge, except that here we inject into the password field instead.

    Query that the database receives:

    SELECT id FROM users WHERE username = 'admin' AND password = 'password' OR 1=1--

    Because AND binds more tightly than OR, the WHERE clause evaluates as (username = 'admin' AND password = 'password') OR 1=1, which is true for every row, and the trailing -- comments out the closing quote that the application appends.

    Using the Edit and Resend capability in the Firefox browser, the POST request would look something like this:

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/4954697e-e0d6-40b0-98f3-c4273a093841/Untitled.png

    With these parameters, we can get the flag.

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/2a00fc38-9e84-4c58-aed4-5382eb160202/Untitled.png

Flag: flag{50m37h1n6_50m37h1n6_cl13n7_n07_600d}
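The injection from step 3 next to its fix, as an added example that is not part of the original writeup or of the challenge's index.js. The in-memory SQLite users table and its rows are constructed; the table and column names are taken from the query shown above.

```python
import base64
import sqlite3

# Constructed in-memory stand-in for the challenge's database (assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret-admin-pw"), (2, "alice", "alice-pw")],
    )
    return conn

def client_side_encode(value):
    """The challenge's 'encryption': reversible base64, so it protects nothing."""
    return base64.b64encode(value.encode()).decode()

def vulnerable_lookup(conn, username, password):
    """Query built by string concatenation: user input becomes SQL syntax."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]

def safe_lookup(conn, username, password):
    """Parameterized query: the same payload is compared as a plain string."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

# The payload used in the writeup.
PAYLOAD = "password' OR 1=1--"

if __name__ == "__main__":
    db = make_db()
    print("base64 of payload:", client_side_encode(PAYLOAD))
    print("decoded again:    ", base64.b64decode(client_side_encode(PAYLOAD)).decode())
    # Concatenated query: the OR 1=1 tautology matches every user, so ids for
    # all rows come back and the login check passes without a valid password.
    print("vulnerable:", vulnerable_lookup(db, "admin", PAYLOAD))   # [1, 2]
    # Parameterized query: no user has that literal password, so nothing matches.
    print("safe:      ", safe_lookup(db, "admin", PAYLOAD))         # []
    print("real login:", safe_lookup(db, "admin", "s3cret-admin-pw"))  # [1]
```

The fix is server-side: bind user input as parameters (and hash stored passwords) rather than relying on anything the client does to the values before sending them.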