
Critical Admin Account Compromise via SQL Injection and Unsalted MD5 Hashing
Tags: Cybersecurity, Vulnerabilities, Hacking, Password Security, SQL Injection, NodeJS, MD5, Authentication Bypass
A chained vulnerability combining an SQL injection flaw with unsalted MD5 password hashing allowed attackers to take over an administrator account. The target was a Node.js application served at http://localhost:3000; a vulnerable endpoint was used to extract the user table, including the MD5 password hashes. The admin account (admin@oss.com) was stored with a raw, unsalted MD5 hash (21232f297a57a5a743894a0e4a801fc3). Because the unsalted MD5 of a common password is a fixed, precomputable value, the hash was reversed within milliseconds using rainbow tables or a lookup service such as CrackStation. The recovered password (admin) authenticated successfully, granting access to the admin panel and the flag OSS{w34k_md5_h4sh1ng}. The vulnerable code hashed passwords with crypto.createHash("md5") and no salt, and the SQL injection that exposed the hashes was unpatched; together the two defects turned a data leak into a full account compromise.