SQLiLite — picoCTF

Yulia Popov
2 min read, Jun 19, 2024


An excellent challenge for practicing SQL injection: a web exploitation challenge worth 300 points.

Step 1 - Open the challenge: go to https://picoctf.org/ and find the challenge called “SQLiLite”:

The description does not give many details. To start the challenge, click “Launch instance” (note: the instance runs on a 15-minute timer, so the challenge has to be solved within that window). A link labelled “Try to login here” then appears; follow it to the target website.

Step 2 - Find the flag:

To solve the challenge we will use Burp Suite, so open the challenge URL in Burp's built-in browser.

A login page opens. Enter any username and password and submit the form to see what the application returns. Make sure Intercept is on in Burp's Proxy tab so the login request is captured.

Return to the Proxy tab, right-click the intercepted request and choose “Send to Repeater”, then switch to the Repeater tab at the top and click Send. The request and the server's response should now be shown side by side, like this:

The only part of the request that interests us is the last line of the body, which carries the username and password parameters. Replace the username value with the SQL injection payload ' OR 1=1 -- and click Send. The quote closes the string literal in the server's query, OR 1=1 makes the WHERE clause true for every row, and the -- comments out the rest of the query, including the password check. If the server mishandles the quote or the spaces, select the payload in Repeater and URL-encode it (Ctrl+U) before sending.

Voilà! The response contains the flag we were looking for. Copy it, turn Intercept off, go back to the picoCTF website and submit the flag there.

picoCTF{L00k5_l1k3_y0u_solv3d_it_ec8a64c7}
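To make it clear why the payload from Step 2 bypasses the login, here is a small self-contained model of a vulnerable SQLite login handler next to its parameterized fix. This is an added example, not code from the post or from the picoCTF challenge itself: the table name, column names and the sample credentials are constructed assumptions, and the real challenge's query may differ in detail.

```python
import sqlite3

# Constructed stand-in for the challenge's login backend (added illustration,
# not the picoCTF challenge's own code). Table and column names are assumptions.
SAMPLE_USER = ("admin", "not-the-real-password")  # constructed sample credentials


def make_db():
    """Create an in-memory SQLite database holding one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", SAMPLE_USER)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """Build the query the way a vulnerable login handler does: by pasting
    raw user input straight into the SQL text."""
    return (
        "SELECT name FROM users WHERE name='" + username
        + "' AND password='" + password + "'"
    )


def vulnerable_login(conn, username, password):
    """Return True if the concatenated query matches any row.

    With username "' OR 1=1 --" the query becomes
      SELECT name FROM users WHERE name='' OR 1=1 --' AND password='...'
    so the password check is commented out and every row matches.
    """
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def safe_login(conn, username, password):
    """Same check with bound parameters: the input can only ever be a value
    being compared, never part of the query's structure."""
    row = conn.execute(
        "SELECT name FROM users WHERE name=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("query sent to the database:")
    print("  " + build_vulnerable_query(payload, "anything"))
    print("vulnerable login with payload :", vulnerable_login(db, payload, "anything"))
    print("vulnerable login, wrong creds :", vulnerable_login(db, "admin", "wrong"))
    print("safe login with payload       :", safe_login(db, payload, "anything"))
    print("safe login with real creds    :", safe_login(db, *SAMPLE_USER))
```

Two practical notes. SQLite treats -- as a comment to end of line, which is why the trailing ' AND password='...' is ignored; MySQL requires whitespace after the two dashes, so against MySQL backends the payload is usually written with a trailing space or as -- - to be safe. And the fix is not input filtering but the bound-parameter form in safe_login: the same payload is then compared literally against the name column and simply fails to match.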
