I started with hackitivist1 and found that the provided link was vulnerable to blind SQLI, so I started digging more into it.
As you can see in the picture below (Figure 1) that after running SQLMAP, I was able to find the database.
And then after, I found the username, password, and secret key
Unfortunately, it was not working so I thought to check the request in the burp and again I found nothing suspicious. So, I started looking for more columns and started dumping all the data and found one column which contain the text (Figure 3). In the text I found a hidden path /10ad_h1dD2n.php which gave me the next hint.
When I opened the path /10ad_h1dD2n.php there I found a box secret_url (Figure 4) and I tried secret.txt as it was mentioned above and that’s all that was coming to my mind.
I got one hint from one of the team members from [email protected] as they told me to try LFI and I tried ../../../../etc/passwd and I got the etc/passwd
After that I tried to read php source code of login.php but I was not able to read it.
I thought let’s just change the directory and put ../login.php and got the source code of the file
After finding the source code I did php juggling (Figure 8 and 9) to find the secret key.
With that secret key I was able to login with the same credentials which I got from SQLI and got the flag
That was amazing. thanks for the CTF. 🙂