DerbyConCTF Flag: HopeSolo

October 14, 2014 — Leave a comment

The 10.10.146.187 host also happened to contain a database (or more, dunno).  That was an easy enough to figure out upon visiting the website:

Screenshot from 2014-10-12 23:47:08Obviously (or maybe not), that meant it was time for some old-fashioned SQL injection.

I entered whatever as the username and ' or '1'='1 as the password:

Screenshot from 2014-10-13 00:00:16 Screenshot from 2014-10-13 00:00:42

That resulted in the flag HopeSolo which was worth 40 points.

While reviewing my screenshots to make this blog post, I came to the embarrassing realization that I SERIOUSLY overlooked one should-have-been-obvious flag and another that was buried in that index file.  Proof that the once-reliable grep command has it’s limitations.

I’ll blog about that tomorrow.

Aaron Melton

Posts

No Comments

Be the first to start the conversation.

Leave a Reply

Text formatting is available via select HTML.

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> 

*