The objective of this challenge was to play the role of Sherlock Holmes and to figure out who and when the person asked the hacker group to hack “Hound Co.,Ltd.”.
Contents of secret.js:
The obfuscated code was easily deobfuscated by http://jsbeautifier.org/ :)
Candy: md5(login) = d56b699830e77ba53855679cb1d252da
Examination of the site did not show any obvious sign of possible SQL injection flaw. Do you know of any tools that can assist you to look for such flaws?
There are several tools that can automate the process of detecting and exploiting SQL injection flaws and sqlmap, an open source penetration testing tool, is the tool widely used for this purpose.
Command used to identify time-based blind sqli with parameter “question”:
Subsequently commands were issued to identify the databases, tables and table entries:
Put the passwords through md5 decrypter to be decrypted:
Logged in with the credentials for victor and solved the mystery! 300 points in the bag. Yay!