CTF — hacker101 — Photo Gallery

Ravid Mazon
CyberX

--

FLAG1

So I started off with gobuster but didn't find anything interesting there.

As the third picture was not uploaded properly to the website, I decided to look into it: it failed to load and its title was “invisible”.

I noticed that when trying to load the image I was getting a 500 Internal Server Error.

OK, I just wanted to verify that, so I tried http://xxx/yyy/fetch?id=1 for the first image and got the binary content of the image; same story for id=2.

When trying http://xxx/yyy/fetch?id=3, boom, status code 500.

OK, so something looks odd here. Let's take the hints and see how we're doing.

So when I saw the word “query” in the hint, I suspected this was a case of playing with SQL syntax (our beloved SQLi).

I tried some payloads and then noticed that the ‘id’ parameter is vulnerable to blind SQLi (boolean-based, judging by the response codes): when I tried a TRUE payload like ?id=1 AND 100=100 I got 200 OK, and when I tried a FALSE statement I got 404.

Using this knowledge, I decided to bring out the big machine: SQLMAP.

Using SQLMAP, I was able to find the databases, tables, columns and, in the end, the desired FLAG.

By running this simple command:

sqlmap -u http://xxxxxxxx/yyyyyyyy/fetch?id=1 --dbs

I was able to find the database, “level 5”. Then, looking for its tables, I found “albums” and “photos”.

This, of course, could also have been done using Burp’s Intruder, but SQLMAP saved me time.

Then, looking at the columns of each of them, I found the interesting column “filename”.

Let's dump all this and see if I get the filename of id=3.

FLAG1

And YES! The FLAG for this level is the filename of id=3.

FLAG0

I ran some UNION payloads without any luck and decided to look at the hints.

Hint

This one was an interesting one.

After some time spent researching, I found the ‘uwsgi’ configuration in this GitHub repository:

https://github.com/tiangolo/uwsgi-nginx-flask-docker

uwsgi.ini is the configuration file path.

I tried to reach this file and BOOM! I got interesting info.

Also in the GitHub repository, I saw that module = main refers to the file main.py, so I decided to look for it.

fetch?id=0+UNION+SELECT+'main.py' got me the FLAG. WHOA. Since fetch returns the contents of whatever filename the query yields, injecting a filename through UNION makes the server read that file instead of a photo.
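The 200/404 oracle from FLAG1 and the UNION trick above share one root cause, so here is an added example (my own code, not the level's) of a fetch handler that concatenates the id into its query next to a hardened version that validates and binds it. The table rows, filenames and the 400 status are constructed stand-ins; the real app runs under Flask/uwsgi, while this uses plain sqlite3 with no web framework.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the level's "photos" table; rows are made up.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, filename TEXT)")
    conn.executemany("INSERT INTO photos VALUES (?, ?, ?)", [
        (1, "first", "files/first.jpg"),
        (2, "second", "files/second.jpg"),
        (3, "invisible", "files/FLAG_PLACEHOLDER.jpg"),  # placeholder, not the real flag
    ])
    return conn


def fetch_vulnerable(photo_id, conn=None):
    """What the level's handler apparently does: the id goes straight into the SQL.

    Returns (status, filename) the way the app's responses behaved in the writeup:
    200 with a filename when a row comes back, 404 when none does, 500 on a DB error.
    """
    conn = make_db() if conn is None else conn
    try:
        row = conn.execute(
            "SELECT filename FROM photos WHERE id=" + str(photo_id)  # injectable
        ).fetchone()
    except sqlite3.Error:
        return 500, None
    return (200, row[0]) if row else (404, None)


def fetch_hardened(photo_id, conn=None):
    """Same lookup with the fix: validate the id as an integer, then bind it.

    A non-integer id is rejected with 400 before any SQL runs, so neither the
    boolean oracle (AND 100=100) nor a UNION SELECT reaches the database, and the
    filename the server opens can only ever come from the photos table.
    """
    conn = make_db() if conn is None else conn
    try:
        pid = int(str(photo_id).strip())
    except ValueError:
        return 400, None
    row = conn.execute("SELECT filename FROM photos WHERE id=?", (pid,)).fetchone()
    return (200, row[0]) if row else (404, None)
```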

FLAG2

This one was tough. TBH I tried to complete it for some time and concluded that I would rather learn from the answer and move on.

Nevertheless, I learned plenty from the solution, mainly thanks to this one: https://secureops.io/2019/09/magical-image-gallery/

It was posted by Justin on the SecureOps platform, so all credit goes to him for this one, and I highly recommend learning from it.

Hope you enjoyed, see you next post!
