EAkl Blog
CTF CyberTalents — Inbox

Last updated 2 years ago

All right! Welcome all to my writeup about the CyberTalents CTF challenge, Inbox.

Challenge info

Let’s get started…

When you first open the challenge link, you'll get something like a mailbox in which you can send, receive and read messages.

Normally we would check for hidden directories, but in this case I didn't think about it; it may have SQLi or another vulnerability. Just check robots.txt, src.php and source.php, but unfortunately you can't get any data.

Check the cookie parameters with Burp interception or with a cookie editor plug-in.

You can install it in Firefox or Chrome.

Great, we have a value here. Try to Base64-decode it, but unfortunately you will not get any sensitive information either, as you can see …

Now check the source code and you will notice something that seems important at the end of it. I understand from it that it takes the id of the user and, depending on its value, returns 2 variables: the title and msg, as you can see here.

Now we have information that seems important, so let's try to get the request that transfers the id by the POST method. Open any message by clicking on it, intercept the request with Burp, and you'll have something like this.

Great! This request has the id parameter in it; let us see its response …

So for now the process is: the database receives the id from the user and, depending on its value, shows the message by its 2 variables, msg and id.

Send it to Repeater and let's play with it …

The first thing I thought about is SQL injection, so in this case we will try to inject a simple payload like this ( ' ) and see what happens.

After confirming that it has an SQLi vulnerability, let's try to determine the number of columns… it's 4 columns.

Great! Now we'll try to get the id from the title by inserting this payload:

id=(select+id+from+sqlite+where+title='Hola')

and you'll get the following results.

Now let's try to get the id of the title flag. I predicted this title; it may be wrong or right.

All right! It's a correct prediction about the title and now we have the flag. Congrats, bro ❤

You can get the challenge from here: https://cybertalents.com/challenges/web/inbox

Great! CyberTalents uses SQLite as its SQL database, so if you aren't familiar with this type of database, see this: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md
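
Why the id parameter behaved this way, and how the lookup should be written, as an added example that is not the challenge's own code. The table name messages, its 4-column schema, the owner column and all sample rows are assumptions constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed sample data; table name and 4-column schema are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages "
               "(id INTEGER PRIMARY KEY, owner TEXT, title TEXT, msg TEXT)")
    db.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        (1, "guest", "Hola", "Welcome to your inbox"),
        (2, "guest", "Reminder", "Meeting at 10"),
        (3, "admin", "flag", "FLAG{constructed-placeholder}"),
    ])
    return db

def read_message_vulnerable(db, raw_id):
    # The POST value is pasted into the SQL text, so SQLite parses it as SQL:
    # a lone quote breaks the statement and a subquery is evaluated.
    sql = "SELECT title, msg FROM messages WHERE id = " + raw_id
    return db.execute(sql).fetchone()

def read_message_hardened(db, raw_id, user):
    # 1) Accept only a short, plain decimal id before touching the database.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 18):
        return None
    # 2) Bind values as parameters so they are never parsed as SQL.
    # 3) Scope the lookup to the logged-in user (assumed ownership column).
    sql = "SELECT title, msg FROM messages WHERE id = ? AND owner = ?"
    return db.execute(sql, (int(raw_id), user)).fetchone()

if __name__ == "__main__":
    db = make_db()
    subquery = "(select id from messages where title='flag')"
    print("vulnerable:", read_message_vulnerable(db, subquery))
    print("hardened:  ", read_message_hardened(db, subquery, "guest"))
    print("hardened id=1:", read_message_hardened(db, "1", "guest"))
```

The quote test from the writeup raises sqlite3.OperationalError in the vulnerable function, which is the error signal that confirmed the injection; the hardened function rejects the same input before any SQL runs.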