CyberTalents: who is admin challenge
Arabic version: https://root-x.dev/blog/article/who-is-admin-walkthrough
Challenge Name: who is admin
Level: medium
Challenge Description
- Challenge Link: https://cybertalents.com/challenges/web/whoisadmin
- Your mission is to know who’s the admin running this website by knowing his email.
OK, start the challenge and open its link:
http://wcamxwl32pue3e6mk873oykcwzy0wl32e56nueze-web.cybertalentslabs.com/
This website is an article site.
When you open any article, you will find that it consists of a title, an image, and a simple description.
Now look at the source code of the page: there is nothing of interest.
Now look at the link of the article. You will find that there is a parameter (id) that fetches data from the database according to the id number.
The query that fetches the data from the database is probably written in the backend like this:
select * from tablename where id=3
OK, now we start testing for SQL injection. We add a single quote (') at the end of the link and see whether we get an error. The error we get indicates that the database we are dealing with is SQLite.
This is good
Let’s run some queries in SQLite. SQLite keeps the description of every table in sqlite_master (the schema table, see https://www.sqlite.org/schematab.html). I will test whether it is accessible and whether it returns data:
?id=3+union select * from sqlite_master
Very nice output.
The output reveals 2 table names. That’s fine. Let’s now display the data in the users table (nxf8_users), because we are looking for the admin’s email:
?id=3+union select * from nxf8_users
If we look at the data that we got, we see that each entry consists of the name, an image, and a hash (this is the user’s password).
Well, where is the user’s email now? This is what we are looking for
If you inspect the image, you will see that the image path consists of the img folder and the user’s email like this
src="img/alex@secret.org"
This is what we are looking for, but we want the admin’s email: we would have to display the source code of the page and test whether this email is the required flag.
This would take a lot of time, so we will try a better way.
It is better to use sqlmap:
sqlmap -u "http://wcamxwl32pue3e6mk873oykcwzy0wl32e56nueze-web.cybertalentslabs.com/shownews.php?id=3" --dump-all
-u: here we put the entire URL, including the affected parameter:
http://wcamxwl32pue3e6mk873oykcwzy0wl32e56nueze-web.cybertalentslabs.com/shownews.php?id=3
--dump-all: option to retrieve and dump all database contents.
After a little time, the data will be displayed as below.
The information for table ‘nxf8_news’ will be displayed.
This is what we need now
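Seen from the defender's side, the id parameter issue used in this walkthrough comes down to pasting the parameter into the SQL text. The following is an added example, not part of the original write-up or the challenge's code: it puts that pattern beside a hardened version. The table names come from the page; the column layouts, sample rows, and function names are constructed for illustration.

```python
import sqlite3

def build_db():
    """Constructed in-memory stand-in for the challenge database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE nxf8_news (id INTEGER PRIMARY KEY, title TEXT, image TEXT,
                                body TEXT, author TEXT);
        CREATE TABLE nxf8_users (id INTEGER PRIMARY KEY, name TEXT, image TEXT,
                                 hash TEXT, role TEXT);
        INSERT INTO nxf8_news VALUES (3, 'Sample title', 'img/a.png',
                                      'Sample body', 'staff');
        INSERT INTO nxf8_users VALUES (1, 'user1', 'img/user1@example.test',
                                       'constructed-hash', 'user');
    """)
    return db

def show_news_vulnerable(db, raw_id):
    # The pattern the walkthrough infers: the id value is pasted into the
    # SQL text, so anything after the number is parsed as SQL.
    return db.execute("SELECT * FROM nxf8_news WHERE id=" + raw_id).fetchall()

def show_news_hardened(db, raw_id):
    # 1) Allow-list: an article id is ASCII digits only; reject the rest.
    if not (raw_id.isascii() and raw_id.isdigit()):
        return []
    # 2) Bound parameter: the value travels as data, never as SQL text.
    return db.execute("SELECT * FROM nxf8_news WHERE id = ?",
                      (int(raw_id),)).fetchall()

def leaked_tables(rows):
    # Rows that come from sqlite_master start with the object type 'table'.
    return sorted(r[1] for r in rows if r[0] == "table")

if __name__ == "__main__":
    db = build_db()
    probe = "3 union select * from sqlite_master"  # same shape as the page's test
    print("vulnerable leaks:", leaked_tables(show_news_vulnerable(db, probe)))
    print("hardened returns:", show_news_hardened(db, probe))
    print("normal request:  ", show_news_hardened(db, "3"))
```

Either measure alone blocks the request shown above; using both also keeps the single-quote test from producing a database error that identifies the engine.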
Nice challenge. I hope you learned something useful and that this write-up helped you.
Happy hacking
My LinkedIn profile: https://www.linkedin.com/in/myelliot/