This is a guest post written by Daniel who is part of the CyberStart Community.
Find out the tips and processes players use to solve CyberStart’s challenges
Daniel walks through a challenge in CyberStart’s HQ base and shows how he solved it.
Note: This blog contains spoilers and solutions to HQ L06 C06 - Heroka’s DB
Daniel - HQ L06 C06 - Heroka’s DB
In the last level, we confirmed our suspicions that the car-loving criminals, the Yakoottees, were up to something by finding an escape plan on a gang website.
“Persevering made the challenge so much more rewarding”.
In this chapter, they are after a supercar prototype. In challenge 6, we revisit the gang’s website: www.superspeedfreaks.com.
We accessed the escape plan by sending Linux commands through their vulnerable comment section. If they didn’t filter for command injection, there’s a good chance they aren’t filtering for SQL injection. Now to prepare the attack…
Hold up. What is SQL injection? Let me check the Field Manual.
Seconds of keyboard clacking later.
It’s a way to alter the execution of a database search. Got it.
Now, to reread the briefing with a better understanding. “Think about which SQL query is run when you submit the search form.”
The database is probably selecting car results to display, which match the search input. Based on the examples in the Field Manual, it might look something like this.
SELECT car_details FROM cars WHERE car_name = '<<search>>';
Now, I want to “use SQL injection to get all the results.”
For command injection, I first needed to end the previous command with “;” to add my own code. So how might I end the search box? In the supposed query, a quote mark ’ is used, so that might be it.
Now, how might I display all results? The current WHERE condition only evaluates to true some of the time, so I need a statement that is always true. “1 == 1” should do it. Now, to put together the search.
’ OR 1 == 1
Enter it into the website and… nothing. I must be close though! Let me look back over my command. Ohhhhh!! My programming habits got the best of me (coding equivalency is == not =).
Let me just remove the second “=” and check over the command again. If I put it into the query, it will look like this:
SELECT car_details FROM cars WHERE car_name = '' OR 1 = 1';
Something still seems off about the syntax at the end with the extra ‘. The “;” separates SQL commands, so that should fix the issue.
’ OR 1 = 1;
Yes!!! I got the flag and showed all the results! One step closer to taking down the Yakoottees!
Learn CyberStart’s tips and tricks for programming in our blog post.
Solving a CyberStart challenge is often a rollercoaster filled with ups and downs, and this challenge was no exception. It was exciting to learn about SQL queries and this surprising vulnerability.
Though it was frustrating at times, persevering made the challenge so much more rewarding.
One moment that really helped me grasp the concept was when I initially tried entering my command into the comment field instead of the search bar. Realizing that a SQL query would only be run on the latter drove home the concept of SQL and how it integrates with a website.
Discover more tips and walkthroughs of another HQ case in our Choppers blog post.
Thank you, CyberStart, for this amazing platform and so many educative challenges! Here’s to many future solutions!