BSides Canberra 2018 CTF Write-Up: Rollplay

This is a write-up of the Rollplay challenge from the BSides Canberra 2018 CTF. This challenge was worth 100 points.

Ha, I stumbled on this silly payroll system when playing around with networks.

There’s a flag somewhere in here for you, just to get you warmed up.

https://salary.libctf.so/?codename=johnny

This challenge was one of the easier ones in the CTF. The description is worded in a way that implies the task is straightforward and shouldn’t take too much time.

On visiting the website above we first noticed a URL parameter and a database-like table of results. Changing the URL parameter to an arbitrary value resulted in an empty table being returned. At this point we inferred that the parameter was being used in a database lookup, so it was worth trying some kind of SQL injection through it. We entered the following parameter:

https://salary.libctf.so/?codename=johnny' OR '1'='1

This injection closes the string literal in the underlying SQL query and appends the classic `OR '1'='1` condition, which is always true, so every row in the table is returned. In this challenge, the flag was returned in the following table:

…and in the last row of the table the flag is returned in plain text!
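To show why the payload works and how the application should have been written, here is an added example (not part of the original write-up or the challenge's own code). It rebuilds a small payroll table in SQLite with constructed sample rows; the table and column names are assumptions, since the challenge never showed its schema. The vulnerable lookup builds the query by string concatenation, the safe one binds the parameter.

```python
import sqlite3

# Constructed sample payroll data; the last row stands in for the flag row.
SAMPLE_ROWS = [("johnny", 50000), ("alice", 62000), ("FLAG{constructed-placeholder}", 0)]
# The exact payload from the write-up's URL parameter.
INJECTION = "johnny' OR '1'='1"

def make_db():
    # Assumed schema: employees(codename TEXT, salary INTEGER).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (codename TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def lookup_vulnerable(conn, codename):
    # String concatenation: user input becomes part of the SQL grammar, so a
    # quote in the input ends the literal and the rest is parsed as SQL.
    query = "SELECT codename, salary FROM employees WHERE codename = '" + codename + "'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, codename):
    # Parameter binding: the input is only ever compared as a value, quotes and all.
    query = "SELECT codename, salary FROM employees WHERE codename = ?"
    return conn.execute(query, (codename,)).fetchall()

def demo():
    # Row counts for a normal lookup and for the injected value, both ways.
    conn = make_db()
    return {
        "vuln_normal": len(lookup_vulnerable(conn, "johnny")),
        "vuln_injected": len(lookup_vulnerable(conn, INJECTION)),
        "safe_normal": len(lookup_safe(conn, "johnny")),
        "safe_injected": len(lookup_safe(conn, INJECTION)),
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns all three rows for the injected value, including the flag row, while the parameterised lookup returns none because no employee is literally named `johnny' OR '1'='1`.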

Thanks to Elttam for organising the CTF and providing this fun challenge involving an SQL injection!