This is my write-up for one of the easier challenges in the 31c3 CTF: 5CHAN. The information to get started the challenge with the challenge was:
5CHAN? never heard of this image board, but they have exactly what we need, the picture we’re looking for is not for public, so can you get it?
When visiting the URL, we are presented with an nice image-board.
Fuzzing around a little with the URL-parameters shows that this board is clearly vulnerable to SQLi: http://184.108.40.206/?page=pic&id=1′
Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/__pages/__pic.php on line 8
The first few id’s are the images shown on the index-page. Let’s try and see if there’s another image in the database: http://220.127.116.11/?page=pic&id=-1 OR id > 8
And there it is, an image containing the flag: 31c3_st0Pp_Us1nG_==_&&_St4rt_Us1Ng_==
An alternate solution starts with http://18.104.22.168/robots.txt
which leads to the full php-sourcecode and a backup of the database:
Index of /.OurBackupz
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory –
[ ] backup-data-23.12.2014.tar.bz2 2014-12-23 21:47 433K
[ ] db.sql 2014-12-23 21:45 12K
Apache/2.4.10 (Ubuntu) Server at 22.214.171.124 Port 80
Which is nice and all, but we don’t really need this much info ;-)