.png)
4 months ago
28 BOOK THIS SPACE FOR AD
ARTICLE AD
Although it says moderate, it is definitely not moderate!
No. of Flags to Find : 3 | Skills Required : Web
Editing/adding page requires user to be an adminpage — 3 : 403Cannot seem to find anything else unless logged in.1. curl — Something That I didn’t Expect
So based on our basic observations, running a directory enumeration(gobuster), we find few things.
Editing page requires to BE an admin, not to be THE admin.I made a curl request with -X (--request <method>) to one of the available pages to public user, and call it luck, or anything, a flag was revealed at the bottom. Don't forget to use -v.
It has something to do with API call, which I don’t know much about yet, but if you’d like to, you can learn as well, because I AM, from Corey J. Ball’s book — Hacking APIs.
2. Boolean-Based Blind-Manual SQL Injection
Manual because it’s not automated. We try and inject the username parameter with a but more complicated UNION query, as suggested in the hints.
This is the one where user needs to BE one of the admins, not THE admin!
Which, in any way, is not at all nice! To make things easy, here’s the final query, injected in username parameter:
admin' UNION SELECT 'abc' AS password FROM admins WHERE '1'='1and enter the value abc in password parameter.
Once you inject this payload, you are logged in, you get access to the 403 page, you get the flag!
But if you look at the response in the repeater for this request we made, you’ll see it hints that, being logged in is ok, but finding real credentials is important too!
In a way, it’s true, isn’t it!? Credentials are key to more smoother hacking!
3. The final — Grabbing Creds using Sqlmap or Hydra
After lots and lots of looking around the internet, I found out that you can also use your intercepted login request in sqlmap for easier SQL Injection. Just takes more time that it should.
Oh, and before we start, it is going to be different for each user, as well as every time you restart the CTF
Well that was far more research oriented that practical. I just read some articles regarding the challenge where one of them suggested, if you remember the previous one, they took first names as usernames and passwords. No harm checking those out quickly, it's going to be automated anyways! Found a very common/uncommon names list on internet.
Ran hydra for brute-forcing. First checked for usernames, because the correct username gave different response to incorrect password. Found it!
Now use the correct username, and this time, change the failure response and run hydra again on the same first name list. Check the output showed and you are slapped with flag in the face!
This can also be done using Sqlmap, but in my case, it was not as fast as hydra.
To proceed with sqlmap, intercept the login request with any credentials, then save that request in a file as .txt. It is one of the right-click options.
after that, run this command:
sudo sqlmap -r <saved-file>.txt --level=2 --dump-all --proxy="127.0.0.1:8080"--level : is just in case the scan requires a higher level.... "scan"! 😅--dump-all : to dump everything, all databases and tables--proxy : to mention your burp proxy. It's required, it won't connect to URL unless this is stated. Given is mine, you have to put according to what you have set-up.Next comes the infernal test of patience for an eternity, and if successful in your case, it will give the results as well! The actual admin username and it’s password!
I know mine took like… FOREVER to do this! I tried the hydra later.
Moving on to the Next CTF >> L3 : L3 — Encrypted Pastebin.
Bengali (Bangladesh) · 
English (United States) ·