
Omar Mohamed

بِسْمِ اللَّهِ الرَّحْمَنِ الرَّحِيمِ

ASC Cyber WarGames Write-Ups (Web)
Welcome back again with another write-up! Today we will cover the Unseen Path to secret web challenge from the ASC Cyber WarGames CTF.

Summary

Analyzing a leaked Git repo to extract credentials, then pivoting to a heavily filtered SQL injection to extract the flag.

Unseen Path to secret

We are presented with this "Site Under Construction" page:
[Image: Site Under Construction]
Since fuzzing is not allowed, we can try to find some clues.
At the bottom of the page it says Powered by Github · PHP · SQLite · Apache, which immediately made me think of checking the /.git/ path.
[Image: Git path]
We got a Forbidden error, but that doesn't mean the repo is inaccessible: often only the directory path itself is blocked while the individual files inside it are still served.
So we tried /.git/config and /.git/HEAD and got the files!
[Image: Git config]
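The Forbidden-on-directory, 200-on-file behaviour above is exactly what a defender should test for on their own hosts. The following is an added example, not part of the write-up or the challenge: it probes the same files a dumper reads first (/.git/HEAD, /.git/config, /.git/index), and judges exposure by the file's content signature rather than the status code alone, so a server that answers 200 with an HTML "not found" page for everything is not reported as leaking. The hostname example.test and the embedded responses are constructed.

```python
"""Check whether a web server serves its .git directory (constructed example)."""
import re
import urllib.error
import urllib.request

# A 403 on /.git/ alone proves nothing; these files are what dumpers read first.
GIT_PROBE_PATHS = ("/.git/HEAD", "/.git/config", "/.git/index")

# HEAD is either "ref: refs/..." or a bare 40-hex commit id (detached HEAD).
HEAD_RE = re.compile(rb"^(ref: refs/|[0-9a-f]{40}$)")
CONFIG_RE = re.compile(rb"^\[core\]", re.M)


def looks_like_git_head(body: bytes) -> bool:
    return HEAD_RE.match(body.strip()) is not None


def looks_like_git_config(body: bytes) -> bool:
    return CONFIG_RE.search(body) is not None


def looks_like_git_index(body: bytes) -> bool:
    return body.startswith(b"DIRC")  # magic bytes of the git index file


SIGNATURES = {
    "/.git/HEAD": looks_like_git_head,
    "/.git/config": looks_like_git_config,
    "/.git/index": looks_like_git_index,
}


def classify(path: str, status: int, body: bytes) -> str:
    """Return 'blocked', 'absent' or 'exposed' for one probe result."""
    if status == 403:
        return "blocked"
    if status != 200:
        return "absent"
    check = SIGNATURES.get(path)
    if check is None:  # the directory itself: exposed only if it lists git files
        return "exposed" if b"HEAD" in body and b"config" in body else "absent"
    # Status 200 but no git signature: soft-404 or catch-all page, not a leak.
    return "exposed" if check(body) else "absent"


def http_fetch(url: str, timeout: float = 5.0):
    """Real fetch: returns (status, first 4 KiB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as exc:
        return exc.code, b""


def check_git_exposure(base_url: str, fetch=http_fetch) -> dict:
    """Probe the directory and each signature file; return path -> verdict."""
    base = base_url.rstrip("/")
    results = {}
    for path in ("/.git/",) + GIT_PROBE_PATHS:
        status, body = fetch(base + path)
        results[path] = classify(path, status, body)
    return results


def is_exposed(results: dict) -> bool:
    return any(v == "exposed" for v in results.values())


# Constructed responses mirroring the write-up: directory forbidden, files served.
FAKE_RESPONSES = {
    "https://example.test/.git/": (403, b"<h1>Forbidden</h1>"),
    "https://example.test/.git/HEAD": (200, b"ref: refs/heads/main\n"),
    "https://example.test/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n"),
    "https://example.test/.git/index": (404, b""),
}


def fake_fetch(url: str):
    return FAKE_RESPONSES.get(url, (404, b""))


if __name__ == "__main__":
    verdicts = check_git_exposure("https://example.test", fetch=fake_fetch)
    for path, verdict in verdicts.items():
        print(f"{path:15} {verdict}")
    print("EXPOSED" if is_exposed(verdicts) else "ok")
```

Run it with the default `http_fetch` against a host you are responsible for. On Apache, denying the directory is not enough; a mod_alias rule such as `RedirectMatch 404 /\.git` hides the whole tree, and the swap file that leaked the credentials later in this write-up would never have reached the repo if `*.swp` had been in .gitignore.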
Amazing! Next we dump it using git-dumper, which creates a repo folder with all the files from the git repo.
The repo contained a few files, index.php and login.php, but neither held anything useful.
The next thing to try is the commit history.
Listing it gave us all the commits. There were about 50, so for a cleaner view we used git log --oneline to get a single line per commit.
And we found an interesting commit message: Delete Secrets!
[Image: Git commit]
So we check out the commit before that one with git checkout 0a6893d and find a file named .config.php.swp (a Vim swap file) which still contains the credentials.
[Image: Config file]
We visit login.php on the website, log in with the credentials we found, and we are in!

We are presented with an admin panel with some functionalities.
[Image: Admin panel]
There was an action parameter in the URL that selects the different pages. I tested it against vulnerabilities like LFI, but that yielded nothing.
The only interesting functionality was Check User (Test), which lets us check whether a user is active or not.
[Image: Check User]
At first I tried OS command injection, but there was some kind of filter that blocks symbols like ; ` > < = $
Next I tried SQL injection with the basic payload ' or 1=1 --, but that didn't work since = is blocked.
Playing around with the payload, ' or 1 -- got me User is active, which means the condition evaluated to true, and there we have a blind SQL injection!
[Image: True sql]
To confirm it, the payload ' or 0 -- got me User not found, which means the condition evaluated to false.
[Image: False sql]
After a bit of testing, we discovered a filter that blocks <, >, ", union and a lot of other things.
Now since sqlmap won't work here, we need to find a way to bypass this filter manually.
My friend Korea came up with a payload that uses unicode to bypass the filter
This payload extracts the first table name from the sqlite_master table and checks whether the Unicode code point of its first character falls within the ASCII range (0–127). I used the BETWEEN operator instead of = since = was blocked. As expected, the condition returned true, confirming that the first character of the table name is indeed within the ASCII range.
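The reason a symbol denylist never holds is visible in a few lines of code. The example below is added here and is not the challenge's PHP: it reproduces a "check user" lookup built by string concatenation behind a filter modelled on the symbols listed above, beside the same lookup with a bound parameter. Against the concatenated query, ' or 1 -- and ' or 0 -- behave as the page's true/false oracle and the BETWEEN comparison passes the filter because it never needs =; against the parameterized query every payload is just a username that does not exist. The table contents are constructed.

```python
"""Filtered string-concatenated SQLite query vs. a parameterized one (constructed)."""
import sqlite3

# Denylist modelled on the symbols the write-up says the challenge blocked.
BLOCKED = [";", "`", ">", "<", "=", "$", '"', "union"]


def passes_filter(value: str) -> bool:
    low = value.lower()
    return not any(token in low for token in BLOCKED)


def make_db() -> sqlite3.Connection:
    """Constructed schema: a users table and a secrets table, as in the challenge."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users(username TEXT, active INTEGER);
        INSERT INTO users VALUES ('alice', 1), ('bob', 0);
        CREATE TABLE secrets(secret TEXT);
        INSERT INTO secrets VALUES ('FLAG{placeholder}');
        """
    )
    return db


def check_user_vulnerable(db: sqlite3.Connection, username: str) -> bool:
    """The filter is the only defence; the input still becomes SQL syntax."""
    if not passes_filter(username):
        raise ValueError("blocked by filter")
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND active = 1"
    return db.execute(sql).fetchone() is not None


def check_user_safe(db: sqlite3.Connection, username: str) -> bool:
    """Bound parameter: the driver sends the value separately from the SQL text."""
    sql = "SELECT 1 FROM users WHERE username = ? AND active = 1"
    return db.execute(sql, (username,)).fetchone() is not None


# The BETWEEN comparison from the write-up, which contains no blocked symbol.
BETWEEN_PAYLOAD = (
    "' or unicode(substr((select name from sqlite_master limit 1),1,1)) "
    "between 0 and 127 --"
)

PAYLOADS = {
    "legit": "alice",
    "inactive": "bob",
    "or_1": "' or 1 --",
    "or_0": "' or 0 --",
    "between": BETWEEN_PAYLOAD,
}


def run_oracle(db: sqlite3.Connection, payload: str) -> dict:
    """Return what each implementation answers for one input."""
    try:
        vulnerable = check_user_vulnerable(db, payload)
    except ValueError:
        vulnerable = "filtered"
    return {"vulnerable": vulnerable, "safe": check_user_safe(db, payload)}


def compare_all(db: sqlite3.Connection) -> dict:
    return {name: run_oracle(db, p) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    conn = make_db()
    for name, result in compare_all(conn).items():
        print(f"{name:9} vulnerable={result['vulnerable']!s:9} safe={result['safe']}")
    # The classic payload is stopped only because it happens to contain '='.
    print("or 1=1 --:", run_oracle(conn, "' or 1=1 --")["vulnerable"])
```

The output table makes the point: the filter stops ' or 1=1 -- yet the concatenated query still answers true for ' or 1 -- and for the BETWEEN probe, while the parameterized query returns False for every injected string. Detection-wise, a "check user" endpoint that answers true for inputs containing quotes, `--` or `sqlite_master` is the signal to alert on.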
My friend 0XMohomiester figured out another working payload as well:
Now we need to automate this operation to exfiltrate the table names. With the help of AI I put together a script that extracts all the table names from the database, and it did a great job:
The output was as follows:
Now we need to get the flag from the secrets table. We could have enumerated the column names as well, but my friend assumed the flag would be in a column named secret, and that assumption was right.
The final script:
And here is our flag:
ASCWG{VIM_SPILL_SQLI_DRILL}
