31c3 CTF – 5CHAN Write-up

This is my write-up for one of the easier challenges in the 31c3 CTF: 5CHAN. The information given to get started with the challenge was:

5CHAN? never heard of this image board, but they have exactly what we need, the picture we’re looking for is not for public, so can you get it?

When visiting the URL, we are presented with a nice image board.


Fuzzing around a little with the URL parameters shows that this board is clearly vulnerable to SQLi: '

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/__pages/__pic.php on line 8

The first few ids are the images shown on the index page. Let’s try and see if there’s another image in the database: OR id > 8

And there it is, an image containing the flag: 31c3_st0Pp_Us1nG_==_&&_St4rt_Us1Ng_==
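Why the OR id > 8 input gets past a visibility filter, and the fix, as an added example that is not the board's own code. SQLite stands in for the board's MySQL backend, and the table name, column names and sample rows are assumptions, since the write-up does not show the schema.

```python
import sqlite3

# Constructed sample data: table and column names are assumptions, not taken
# from the challenge. Row 9 plays the role of the non-public picture.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pics (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
    rows = [(i, f"pic{i}", 1) for i in range(1, 9)] + [(9, "hidden", 0)]
    db.executemany("INSERT INTO pics VALUES (?, ?, ?)", rows)
    return db

def get_pic_vulnerable(db, raw_id):
    # The request value is pasted into the SQL text, so it can add operators.
    # AND binds tighter than OR: "public = 1 AND id = 1 OR id > 8" parses as
    # "(public = 1 AND id = 1) OR id > 8", which bypasses the visibility filter.
    sql = "SELECT id, title FROM pics WHERE public = 1 AND id = " + raw_id
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error:
        # Counterpart of the mysqli warning: a stray quote breaks the statement.
        return None

def get_pic_hardened(db, raw_id):
    # Validate the type first, then bind the value as a parameter, so the
    # input can only ever be compared as data, never parsed as SQL.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 18):
        return []
    sql = "SELECT id, title FROM pics WHERE public = 1 AND id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for value in ["1", "1'", "1 OR id > 8", "9"]:
        print(repr(value), get_pic_vulnerable(db, value), get_pic_hardened(db, value))
```

A failed statement should be logged server-side and answered with a generic error page; the warning shown above also leaks the script path.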


An alternate solution starts with robots.txt:

User-agent: *
Disallow: /.OurBackupz/

which leads to the full PHP source code and a backup of the database:

Index of /.OurBackupz
[ICO]    Name    Last modified    Size    Description
[PARENTDIR]    Parent Directory         –     
[ ]    backup-data-23.12.2014.tar.bz2    2014-12-23 21:47     433K    
[ ]    db.sql    2014-12-23 21:45     12K    
Apache/2.4.10 (Ubuntu) Server at Port 80

Which is nice and all, but we don’t really need this much info ;-)