Objective 6: Badge Manipulation
The Objective
![](/hh2018//assets/img/objectives/6/question.png)
Hints by Pepper Minstix
The Solution
The hint was to get Alabaster’s badge, so I first downloaded the badge image from the provided link.
![](/hh2018/assets/img/objectives/6/1.png)
I think I need to decode his badge, then make my own QR code.
First, I needed to decode the QR code on Alabaster’s badge.
![](/hh2018/assets/img/objectives/6/2.png)
I see that the result is oRjg5uGHmbduj2m.
I tried running oRjg5uGHmbduj2m through some decoders and hash detectors, but it wasn’t being recognized. I was thinking it was some type of hash of the user’s name, so I decided to try running his card and see what message I get.
By putting in Alabaster’s card, I get “no valid user account”. This made me think that the system was checking the value against some database, so I attempted a simple SQL injection.
I created a QR code that said:
test' or 1=1 limit 1#
The display says that there is a syntax error. The error told me that:
- This is a MariaDB database, which is similar to MySQL
- The query being run is:
SELECT FIRST_NAME, LAST_NAME, ENABLED FROM EMPLOYEES WHERE AUTHORIZED = 1 AND UID = '{?UserID?}' LIMIT 1;
The User ID is the string value of the QR code.
I therefore needed to craft a SQL injection that would return an enabled user:
1}' or ENABLED=1 LIMIT 1; #
![](/hh2018/assets/img/objectives/6/3.png)
This also opened a door to Santa’s secret workshop.
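To show why the badge scanner could be driven this way, and what the fix looks like, here is an added example (not part of the original writeup or the challenge's own code). It models the leaked EMPLOYEES query in an in-memory SQLite database with constructed rows, so the comment marker in the test payload is SQLite's `-- ` rather than MariaDB's `#`, and the 15-character alphanumeric UID format is an assumption based on the decoded badge value.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the EMPLOYEES table named in the scanner's error.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMPLOYEES (FIRST_NAME, LAST_NAME, ENABLED, AUTHORIZED, UID)")
    conn.executemany("INSERT INTO EMPLOYEES VALUES (?, ?, ?, ?, ?)", [
        ("Alabaster", "Snowball", 0, 1, "oRjg5uGHmbduj2m"),  # his badge: not enabled
        ("Shinny", "Upatree", 1, 1, "Ab3dEf9hIjK1mNo"),       # constructed enabled user
    ])
    return conn

def lookup_vulnerable(conn, uid):
    # String formatting: whatever the QR code says becomes part of the SQL text.
    sql = ("SELECT FIRST_NAME, LAST_NAME, ENABLED FROM EMPLOYEES "
           f"WHERE AUTHORIZED = 1 AND UID = '{uid}' LIMIT 1;")
    return conn.execute(sql).fetchone()

UID_PATTERN = re.compile(r"[A-Za-z0-9]{15}")  # assumed badge UID shape

def lookup_safe(conn, uid):
    # Reject anything that is not badge-shaped, then bind the value as a
    # parameter so the database only ever compares it literally.
    if not UID_PATTERN.fullmatch(uid):
        return None
    sql = ("SELECT FIRST_NAME, LAST_NAME, ENABLED FROM EMPLOYEES "
           "WHERE AUTHORIZED = 1 AND UID = ? LIMIT 1;")
    return conn.execute(sql, (uid,)).fetchone()

def scan_badge(conn, uid, lookup):
    # Generic messages only: the raw MariaDB syntax error is what disclosed
    # the query shape to the person holding the badge.
    try:
        row = lookup(conn, uid)
    except sqlite3.Error:
        return "badge read error"
    if row is None or row[2] != 1:
        return "no valid user account"
    return "access granted"

# Same idea as the writeup's payload, with SQLite's comment marker.
INJECTED = "x' OR ENABLED=1 LIMIT 1 -- "

if __name__ == "__main__":
    db = make_db()
    print(scan_badge(db, INJECTED, lookup_vulnerable))  # access granted
    print(scan_badge(db, INJECTED, lookup_safe))        # no valid user account
```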
ANSWER: 19880715
The Narrative
![](/hh2018//assets/img/narratives/narrative.4.png)