The challenge is a site with SSL support for both mobile version and the computer one. There is a registration form where once you logged in you can set a device to attach and put on your “secret”. Obviously the target was to log in as admin or in somehow get his secret. The challenge provide an Andriod application (SecureSpaceAuth.apk). After installing it and testing a bit I managed to see what HTTP request it was doing by pointing the DNS of the site’s challenge site to my webserver. With a logger a saw two insteresting one:

https://spaceauth.tasks.ufoctf.ru/?act=attach2&username=&password=&device=

https://spaceauth.tasks.ufoctf.ru/?act=auth2&username=&key=&device=

The first one attache a new device given the username and the password and the second one complete the auth process. After testing a bit I got that device parameter where vulnerable by SQL injection and also the error report that its running within an update query. So basically with this SQL we can set us as admin:

https://spaceauth.tasks.ufoctf.ru/?act=attach2&username=kappa&password=kappa1&device=dvpro',admin=1;%23

But first we have to create the new device:

https://spaceauth.tasks.ufoctf.ru/?act=attach2&username=kappa&password=kappa&device=dvpro

and then authenticate us

https://spaceauth.tasks.ufoctf.ru/?act=auth2&username=kappa&key=39b7b&device=dvpro

The important thing to keep in mind is that we have to do all this stesp using a crafted UuserAgent simulating an Android system because this request will be accepted only from mobile device because this queries is coded by running under this circumstances.

Now just log in with your account and get the admin secret.

Razor4x