CNY Hackathon 2023

Database Inject

The cyber security and quality assurance teams have teamed up to try to eliminate weak passwords from our user database. They have tasked you with identifying which users in the user database have a password that appears in the provided password_list.txt. User data will be posted into your team's MySQL server; use the following instructions to start receiving data:

  1. SSH into your database server VM
  2. Connect to the MySQL database service with the command: mysql -u root
  3. Run the following MySQL commands:
    CREATE DATABASE IF NOT EXISTS inject_password_dump;
    CREATE USER 'qa_team'@'%' IDENTIFIED BY 'myQAPassw0rdInj3ct';
    GRANT ALL PRIVILEGES ON inject_password_dump.* TO 'qa_team'@'%';
    USE inject_password_dump;
    CREATE TABLE IF NOT EXISTS users (username VARCHAR(255), password_hash TINYTEXT, UNIQUE(username));
    

User passwords are hashed with the SHA1 algorithm when posted to the database. You must figure out a way to associate these hash values with the provided passwords. We follow a standard username convention: ${LAST_NAME}${FIRST_INITIAL} (Example: John Doe would be doej). The provided names will need to be converted to follow the standard username convention. It appears we have had some erroneous data making its way into our systems. Ensure all submitted users are present in the user_names.txt file. Failure to validate this data may slow down remediation efforts.

Files: Submit your findings to https://inject.ncaecybergames.org/ and ensure your submission follows the example format below:
{
  "username": {
    "firstname": "first",
    "lastname": "last",
    "password": "password"
  },
  "doej": { // This should be your generated value from the name provided
    "firstname": "John",
    "lastname": "Doe",
    "password": "12345" // This should be the password you discovered
  }
}
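As an added worked example (not part of the challenge materials), the Python below carries the whole procedure through on constructed sample data: it hashes each candidate password with SHA1 once, applies the ${LAST_NAME}${FIRST_INITIAL} convention to the user_names.txt entries, drops any database user not on that list, and emits findings in the submission format above. The password list, name list and table rows are constructed inline; in a real run USER_ROWS would be replaced by the (username, password_hash) rows fetched from the users table over a MySQL client connection.

```python
import hashlib
import json

# Constructed sample inputs standing in for password_list.txt, user_names.txt and
# the (username, password_hash) rows of the users table; not data from the event.
PASSWORD_LIST = ["12345", "password", "letmein", "Summer2023!"]
USER_NAMES = ["John Doe", "Jane Smith", "Alice Johnson", ""]
USER_ROWS = [
    ("doej", hashlib.sha1(b"12345").hexdigest()),
    ("smithj", hashlib.sha1(b"Summer2023!").hexdigest().upper()),  # stored upper-case
    ("johnsona", hashlib.sha1(b"correct horse battery staple").hexdigest()),
    ("mallorye", hashlib.sha1(b"password").hexdigest()),  # not in user_names.txt
]

def make_username(first, last):
    """Apply the ${LAST_NAME}${FIRST_INITIAL} convention: John Doe -> doej."""
    return (last + first[0]).lower()

def build_hash_lookup(passwords):
    """Map lower-cased SHA1 hex digest -> plaintext. The table stores unsalted
    SHA1, so hashing the list once is enough to check every user."""
    return {hashlib.sha1(p.encode()).hexdigest().lower(): p for p in passwords}

def parse_names(lines):
    """Map generated username -> (first, last) for the vetted names only."""
    allowed = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        allowed[make_username(parts[0], parts[-1])] = (parts[0], parts[-1])
    return allowed

def find_weak_users(rows, passwords, name_lines):
    """Build the submission dict: vetted users whose hash matches a listed password."""
    lookup, allowed = build_hash_lookup(passwords), parse_names(name_lines)
    findings = {}
    for username, password_hash in rows:
        username = username.strip().lower()
        if username not in allowed:
            continue  # erroneous data: not in user_names.txt, so it is not submitted
        plaintext = lookup.get((password_hash or "").strip().lower())
        if plaintext is not None:
            first, last = allowed[username]
            findings[username] = {"firstname": first, "lastname": last, "password": plaintext}
    return findings

if __name__ == "__main__":
    print(json.dumps(find_weak_users(USER_ROWS, PASSWORD_LIST, USER_NAMES), indent=2))
```

Hash comparison is case-insensitive because MySQL clients and dump tools differ in how they render hex digests; the "template" entry shown in the example format above is documentation only and should not be included in the submitted JSON.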