Tags: web 

Rating: 5.0

So, we're beginning with a login page, and nothing else.



We quickly tried some SQL injection payloads and found that it seemed to be a Blind SQL Injection (edit: it seems it wasn't. Damn it!). So... we just want to retrieve the first password from the database. Let's try it out!

I just wrote a quick and dirty PHP script to make it a little faster. Here it is:

We quickly find that the hash for the admin user is 26a340b11385ebc2db3b462ec2fdfda4, which can be reversed to the plain password "catchme8". The login is admin. So let's log in with it.



We're on an admin section that allows launching a ping against a host and uploading a CV. It seems there is a help.pdf file in the menu, but it returns a 404 error. Just look at the URL: http://ctf.sharif.edu:35455/chal/hackme/c0612cb67577a1e8/file.php?page=aGVscC5wZGY

The page parameter seems to be base64-encoded, and it is indeed the encoding of "help.pdf". Let's base64_encode ../index.php to see whether it is possible to download index.php: http://ctf.sharif.edu:35455/chal/hackme/c0612cb67577a1e8/file.php?page=Li4vaW5kZXgucGhw.



Yes it is, it asks us to download a PDF file! Just open it with a text editor to view the source.
It seems there is nothing really interesting, but one line caught my attention:
shpaMessagePush("error: saved in sensitive_log_881027.txt");

Just try to download this file:

http://ctf.sharif.edu:35455/chal/hackme/c0612cb67577a1e8/file.php?page=Li4vc2Vuc2l0aXZlX2xvZ184ODEwMjcudHh0

The flag was in it!
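From the defender's side, the two file.php requests above (the base64-encoded `../index.php` and `../sensitive_log_881027.txt`) are easy to spot in access logs once the `page` parameter is decoded. The following script is an added example, not part of the original write-up: it decodes the parameter (tolerating the unpadded base64 seen in the URLs), normalizes the path and flags any value that escapes the download directory. The log lines are constructed; the three `page=` values are the ones from the write-up.

```python
import base64
import binascii
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the original write-up);
# the three page= values are the ones that appear in the write-up above.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /chal/hackme/c0612cb67577a1e8/file.php?page=aGVscC5wZGY HTTP/1.1" 404 162
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /chal/hackme/c0612cb67577a1e8/file.php?page=Li4vaW5kZXgucGhw HTTP/1.1" 200 4210
203.0.113.7 - - [01/Jan/2024:10:00:31 +0000] "GET /chal/hackme/c0612cb67577a1e8/file.php?page=Li4vc2Vuc2l0aXZlX2xvZ184ODEwMjcudHh0 HTTP/1.1" 200 87
203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /chal/hackme/c0612cb67577a1e8/index.php HTTP/1.1" 200 1500
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_page_param(value):
    """Decode a base64 `page` value, restoring the '=' padding the URLs in the
    write-up omit (aGVscC5wZGY is help.pdf without its trailing '=').
    Returns None when the value is not valid base64/UTF-8."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def escapes_base_dir(name):
    """True if the decoded name would resolve outside the intended download
    directory: the check file.php should have applied before opening it."""
    if name.startswith("/") or "\\" in name or "\x00" in name:
        return True
    norm = posixpath.normpath(name)  # collapses "./" and "a/../" segments
    return norm == ".." or norm.startswith("../")


def scan_log(text):
    """Return (raw_param, decoded_name, escapes) for each file.php request
    carrying a page= parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/file.php"):
            continue
        for raw in parse_qs(url.query).get("page", []):
            name = decode_page_param(raw)
            findings.append((raw, name, name is not None and escapes_base_dir(name)))
    return findings
```

Run over real logs, the flagged entries are the traversal attempts; the same `escapes_base_dir` logic is what the download handler itself should enforce after decoding.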