Problem

There is a secure website running at https://2019shell1.picoctf.com/problem/32237/ (link) or http://2019shell1.picoctf.com:32237. Try to see if you can login as admin!

• Website

Solution

1. There is a hidden form field named debug. Set it to 1.

2. Sign in as password: abcdefghijklmnopqrstuvwxyz

3. Decode caesar cipher that is shown: nopqrstuvwxyzabcdefghijklm with https://cryptii.com/pipes/caesar-cipher to find 13 is the offset

4. Encode ' or '1'='1 with offset 13 with same website to get ' be '1'='1

5. Paste ' be '1'='1 into password to get flag

Flag

picoCTF{3v3n_m0r3_SQL_5c27c4ea}