Yogosha Hackitivist Challenge 2019

I started with hackitivist1 and found that the provided link was vulnerable to blind SQLI, so I started digging more into it.

As you can see in the picture below (Figure 1) that after running SQLMAP, I was able to find the database.

And then after, I found the username, password, and secret key

Unfortunately, it was not working so I thought to check the request in the burp and again I found nothing suspicious. So, I started looking for more columns and started dumping all the data and found one column which contain the text (Figure 3). In the text I found a hidden path /10ad_h1dD2n.php which gave me the next hint.

When I opened the path /10ad_h1dD2n.php there I found a box secret_url (Figure 4) and I tried secret.txt as it was mentioned above and that’s all that was coming to my mind.

I got one hint from one of the team members from ctf@yogosha.com as they told me to try LFI and I tried ../../../../etc/passwd and I got the etc/passwd

After that I tried to read php source code of login.php but I was not able to read it.

I thought let’s just change the directory and put ../login.php and got the source code of the file

After finding the source code I did php juggling (Figure 8 and 9) to find the secret key.

With that secret key I was able to login with the same credentials which I got from SQLI and got the flag

That was amazing. thanks for the CTF.





Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.