# Empire1

## Problem

> Psst, Agent 513, now that you're an employee of Evil Empire Co., try to get their secrets off the company website. <https://2019shell1.picoctf.com/problem/27357/> (link) Can you first find the secret code they assigned to you? or <http://2019shell1.picoctf.com:27357>

* [Website](https://2019shell1.picoctf.com/problem/27357/)

## Solution

1. Create an account and sign in
2. Attempt to add a todo of `{{config}}` (since this is a flask application and that would leak important configuration details about the application)
3. Most likely the add todo is using an `INSERT` SQL statement so try concat: `string'||'concated?'||'`. It works!
4. Run `'||(select secret from user)||'` but only gets one secret
5. So use a group\_concat to get all secrets: `' || (select group_concat(secret) from user) || '`

### Flag

`picoCTF{wh00t_it_a_sql_inject9899be1a}`