# CTF CyberTalents — Inbox

#### CTF CyberTalents — Inbox <a href="#fdaa" id="fdaa"></a>

All right ! Welcome all to my writeup about CTF challenge by CyberTalents. Inbox.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*N64TDQ8AaCNcsUnO2uzNCg.png" alt=""><figcaption></figcaption></figure>

> At the first you can get it from here <https://cybertalents.com/challenges/web/inbox>

**Challenge info**

<figure><img src="https://cdn-images-1.medium.com/max/800/1*2UdBfZwYXdhswyjBOdsBtQ.png" alt=""><figcaption></figcaption></figure>

Let’s get started…

At the first open the link of the challenge you’ll get something like mail box which you can send, receive and read messages.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*xJIVXbC-D449fBLZwgVVCg.png" alt=""><figcaption></figcaption></figure>

At the normal we check the hidden directories by in this case i don’t think about it, it may have SQLi or another vulnerability, just check robots.txt and src.php and source.php but unfortunately you can’t get any data.

Check the cookies parameters by burp interception or by cookie editor plug-in

> You can install it in FireFox or Chroma

<figure><img src="https://cdn-images-1.medium.com/max/800/1*vUNcJex2o8vWd-e8LDmoNA.png" alt=""><figcaption></figcaption></figure>

Great we have a value here, try to decode it base64 but unfortunately you will not get any sensitive information also as you can see …

<figure><img src="https://cdn-images-1.medium.com/max/800/1*OG4jhxH87tPR4sNkZV36QA.png" alt=""><figcaption></figcaption></figure>

Now check the source code and you will notice something seems to be important in the end of the source code and i understand from it that it take the id of the user and depend on it’s value, it return 2 variables: the title and msg as you can see here

<figure><img src="https://cdn-images-1.medium.com/max/800/1*3P2rltDVDKmAL4Asx2bZeA.png" alt=""><figcaption></figcaption></figure>

Now we have information seems to be important, let’s try to get the request which transfer the id by POST method. Try to see any message by clicking on it and intercept this request by Burp and you’ll have something like this

<figure><img src="https://cdn-images-1.medium.com/max/800/1*C6kjJzh6FVJ3poCnxO8eyQ.png" alt=""><figcaption></figcaption></figure>

Great! this request has the id parameter on it, let us see it’s response …

<figure><img src="https://cdn-images-1.medium.com/max/800/1*Vz5SYRf7yDyFRJXf_FosCw.png" alt=""><figcaption></figcaption></figure>

So for now the process is the database receive the id from the user and depend on its value it show the message by its 2 variables msg and id.

Send it to repeater and let’s play with it …

The first thing i’ve think about it is SQL injection so in this case we will try to inject simple payload like this ( ‘ ) and see what will happen.

After we have checked that it has SQLi vulnerability, let’s try to determine the number of the columns… it’s 4 columns.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*YWkibgXaT8gYYkDb10jbRA.png" alt=""><figcaption></figcaption></figure>

> Great! CyberTalents use Sqlite as it’s sql database so if you don’t familiar with this type of database see this <https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md>

Great! now we’ll try to get the id from the title by inserting this payload

id=(select+id+from+sqlite+where+title=’Hola’) and you’ll get the following results.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*_22m64Z07zZzZoUagvvOzQ.png" alt=""><figcaption></figcaption></figure>

Now let’s try to get the id of the title flag, I’ve predict this title. It may be wrong or right .

<figure><img src="https://cdn-images-1.medium.com/max/800/1*IWLOGtV8sUtQ-06nksEV3Q.png" alt=""><figcaption></figcaption></figure>

All Right ! it’s correct prediction about the title and now we’ve the flag, Congrats Bro ❤