Codegate2013 Web300 Writeup

This problem first presents a letter in which the author asks Sherlock to find someone related to a hacking case. The letter gives a blog address as a clue for finding the wanted person.

Analyzing the blog's JavaScript, we found js/secret.js rather suspicious. Unpacking and decrypting it gives the following code:

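    $(document).ready(function () {
        // Count clicks on the logo link; the tenth click loads the hidden page in a popup.
        var cnt = 0;
        $('a.S').click(function () {
            cnt++;
            if (cnt == 10) {
                $('#popup').bPopup({
                    contentContainer: '.content',
                    loadUrl: './d56b699830e77ba53855679cb1d252da.php'
                });
                cnt = 0;
            }
        });
    });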

This discloses a secret login page URL: (md5 of “login”). It can be accessed by clicking ten times on the “Grey” logo.

Then we find a POST form at, and we use sqlmap to check whether SQL injection is possible. Luckily, it is.

python -u "" --data="your_name=1&"

sqlmap identifies time-based blind SQL injection on the parameter “question”. We then try to dump the available databases. Time-based blind SQL injection is slow and sensitive to network traffic load, so remember not to put other load on your network connection while running it.
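Seen from the server side, the same timing dependence is what makes this activity detectable. The following is an added example, not part of the original writeup: it flags a client whose slow responses to one endpoint all sit at the same offset above its fast ones. The log records, the IP addresses, the path "/contact.php" and all thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample, not from the challenge server: (client, path, seconds).
# The IPs are documentation addresses and "/contact.php" is a hypothetical path.
SAMPLE_LOG = (
    [("203.0.113.7", "/contact.php", t) for t in
     (0.12, 5.14, 0.11, 0.13, 5.12, 5.16, 0.10, 0.12, 5.13, 0.11)]
    + [("198.51.100.20", "/contact.php", t) for t in
       (0.10, 0.14, 0.90, 0.12, 2.70, 0.11, 0.13, 0.15, 7.90, 0.12, 1.60)]
    + [("192.0.2.44", "/contact.php", t) for t in (0.11, 6.00, 6.01)]
)


def flag_time_based_probing(records, min_requests=8, min_slow=3,
                            slow_factor=5.0, floor=1.0, max_spread=0.5):
    """Return {(client, path): estimated injected delay in seconds}.

    A pair is flagged when its slow responses all sit at nearly the same
    offset above its fast ones, which a constant SLEEP-style delay produces
    and ordinary slow pages do not.
    """
    by_key = defaultdict(list)
    for client, path, seconds in records:
        by_key[(client, path)].append(seconds)

    flagged = {}
    for key, times in by_key.items():
        if len(times) < min_requests:
            continue  # too few samples to separate a pattern from noise
        ordered = sorted(times)
        baseline = ordered[len(ordered) // 4]  # lower quartile = normal latency
        slow = [t for t in ordered if t > max(floor, baseline * slow_factor)]
        if len(slow) < min_slow:
            continue
        if slow[-1] - slow[0] > max_spread:
            continue  # scattered slowness: load or heavy queries, not a fixed delay
        flagged[key] = round(median(slow) - baseline, 1)
    return flagged


if __name__ == "__main__":
    for (client, path), delay in flag_time_based_probing(SAMPLE_LOG).items():
        print(f"{client} {path}: repeated ~{delay}s delay")
```

The second client also has three slow responses, but they are scattered between 1.6 and 7.9 seconds, so the spread check leaves it unflagged.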

The database “the_grey” is found, with two tables: “contact” and “user”. “user” has three columns (“no”, “id” and an MD5 “password”) and five rows. Using this information we log in to the blog, and in page we get the person who intends to hack Hound Co.,Ltd. and the time the company is hacked.

That’s the key.