I navigated to the given *address* in web browser.


The website uses really awesome *Grafana* dashboard.

There are *login* page, *search* page,etc and I tried XSS,Sqli,... in there but nothing worked.

But, when I opened *network* tab, I found an interesting *post* request to **query**.


In the body of the request, I found a **sqlite query**.


There must be a database in the backend!!!

I tried to edit the *query* with the one that could give me the list of *tables* in the database and sent it.

*payload*: `SELECT name FROM sqlite_master WHERE type ='table' AND name NOT LIKE 'sqlite_%';`


In the response, there were list of tables ( **logs** and **flags** ).


There must be **flag** in `flags` table.

So, I used `SELECT * FROM flags;` payload to get everything in `flags` table;


Response


And, there was the flag!

*flag*: `ractf{BringBackNagios}`

Original writeup (https://github.com/MikelAcker/CTF_WRITEUPS_2021/tree/main/RACTF_2021_Writeup/Web/Really%20Awesome%20Monitoring%20Dashboard).