Points: 150 points + bonus 50
- From the first look we can find that it is an online store to buy sports products. And this must contain a database so let us try that way.
- First of all, find a proper point for injection. For that analyze all entry points.
- It can be found at products page. When click on details of a product it will send a post request, we can identify it as injection point.
- Let us save this raw request and run sqlmap on it and enumerate databases.
python sqlmap.py -r </path/raw.raw> --current-db
- Now we will get the database, now enumerate tables.
python sqlmap.py -r </path/raw.raw> -D bolt --tables
- Something is inside secret table, let’s check it.
python sqlmap.py -r </path/raw.raw> -D bolt -T secret --dump
- Oh, this is some encrypted password, lets decode to base64. That will give, this_is_domectf_secret_salt_text
- Now it is clear it is a part of AES encryption
- Let’s check the user table.
python sqlmap.py -r </path/raw.raw> -D bolt -T users --dump
- Now decode password with the salt will give the admin password. You can use some online AES decription tools for this. https://www.devglan.com/online-tools/aes-encryption-decryption
- Now login to admin account, this will give your flag.