Psst, Agent 513, now that you're an employee of Evil Empire Co., try to get their secrets off the company website. https://2019shell1.picoctf.com/problem/27357/ (link) Can you first find the secret code they assigned to you? or http://2019shell1.picoctf.com:27357


  1. Create an account and sign in

  2. Attempt to add a todo of {{config}} (since this is a flask application and that would leak important configuration details about the application)

  3. Most likely the add todo is using an INSERT SQL statement so try concat: string'||'concated?'||'. It works!

  4. Run '||(select secret from user)||' but only gets one secret

  5. So use a group_concat to get all secrets: ' || (select group_concat(secret) from user) || '



Last updated