CyberTalents CTF: Who is Admin
Project information
- Title: Who is Admin CTF
- Organizer: CyberTalents
- Project date: June, 2023
- URL: www.cybertalents.com
According to the instructions provided, the flag is expected to be the email address linked to the admin account.
While browsing the page filled with numerous photos and embedded links, I couldn't help but notice an intriguing detail in the URL when I clicked on the second article.
After stumbling upon the display of a URL variable, I am compelled to investigate the possibility of SQL injection by examining the susceptibility of web parameter tampering. Naturally, the most effective method to evaluate this is by employing a single quote ('), which serves as a common indicator. Let's observe the following outcome:
Upon examining the provided URL submission, which reads http://wcamxwl32pue3e6mk873oykcwzy04gvmewrwul3d-web.cybertalentslabs.com/shownews.php?id=2, I receive an error message stating "Error: HY000 1 unrecognized token: ' '". Although this error message doesn't divulge extensive information about the underlying SQL database, it strongly suggests the potential for SQL injection and indicates insufficient sanitization of inputs.
Consequently, my next course of action is to proceed with testing the vulnerability using SQLMAP. As a precautionary measure, I typically initiate SQLMAP with the default risk and level settings, primarily to obtain a quick initial assessment of its viability. If the initial attempt fails, I might consider raising the level, but based on my experience, SQLMAP tends to identify vulnerabilities susceptible to SQL injection within the first few seconds at default levels. Following the execution of SQLMAP, the resulting output is as follows:
Given the circumstances where the injectable variable functions as a web parameter, there is no necessity to specify the "--data='id='" switch since the variable is passed via the URL rather than the request body. Similarly, the "--method=GET" switch is not required as SQLMAP automatically defaults to it in this context.
The observed output indicates a potential injectability during a basic test, followed by initial misidentification of the database type as H2, which is subsequently corrected. Notably, SQLMAP accurately identifies the existence of five columns and determines that the backend operates on the SQLite database. The subsequent output showcases the informative findings obtained through SQLMAP analysis.
