InfoSec Write-ups


picoCTF writeup: Introductory web application injections

Aleksey

Published in InfoSec Write-ups

6 min read · Mar 31, 2023


picoCTF (n.d.) recently concluded its 2023 capture-the-flag competition. Like its previous competitions, it included a number of web exploitation tasks for contestants to solve. In this article, I discuss how I worked out the flag for two of them: the first is SOAP, which involves XXE injection, and the second is More SQLi, which, as its title implies, concerns a more widely known class of vulnerability: SQL injection.

Some image components from Junior (2022).

Contents at a glance

  1. Procedure
  2. End matter
  3. References

Procedure

Before proceeding, I should define the objective for these picoCTF challenges. For both SOAP (Njogu 2023) and More SQLi (Mikail 2023), the goal is to obtain the “flag,” a string that is recovered by applying hacking techniques to the challenge. The methods need not be the ones the challenge prescribes, but following them is recommended.

Note that to access these challenges, the reader may need a picoCTF account and to sign in to the picoCTF website with it.
