forensics | Pro | medium
Украденный флаг (Stolen flag)
bug-makers
Task: only an nginx access log is given. The attackers used sqlmap's SQLite time-based blind SQL injection (with a RANDOMBLOB delay) to exfiltrate a flag and then deleted it.

Solution: reconstruct each hex nibble of HEX(flag) not from the noisy timing, which has only 1 s resolution, but from the deterministic direction of sqlmap's binary-search probe values. Then resolve the remaining 1-bit-per-nibble ambiguity with printability and flag-format/leetspeak constraints.
$ ls tags/ techniques/
sqlmap_binary_search_reconstruction probe_direction_recovery timing_side_channel_from_logs randomblob_delay_analysis constraint_satisfaction_flag_recovery hex_nibble_decoding
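The direction-based recovery summarized above, sketched as an added example that is not code from the original writeup. It assumes a simplified probe shape `SUBSTR(<query>,<pos>,1)>CHAR(<n>)` in which a true comparison moves the next threshold up; the log lines, the address and the table and column names are constructed for illustration.

```python
import re
from collections import defaultdict
from itertools import product
from urllib.parse import quote, unquote

HEX_DIGITS = "0123456789ABCDEF"
# Assumed, simplified probe shape: SUBSTR(<query>,<pos>,1)>CHAR(<threshold>)
PROBE = re.compile(r",(\d+),1\)>CHAR\((\d+)\)")

def probes_by_position(log_lines):
    """Map character position -> probe thresholds, in log order."""
    seq = defaultdict(list)
    for line in log_lines:
        m = PROBE.search(unquote(line))
        if m:
            seq[int(m.group(1))].append(int(m.group(2)))
    return dict(seq)

def nibble_candidates(thresholds):
    """Hex digits consistent with the direction of successive probes."""
    lo, hi = -1, 255  # invariant: lo < ord(value) <= hi
    for prev, nxt in zip(thresholds, thresholds[1:]):
        if nxt > prev:    # search moved up: "value > prev" was true
            lo = max(lo, prev)
        elif nxt < prev:  # search moved down: "value > prev" was false
            hi = min(hi, prev)
    # Equal thresholds are retries; the final probe has no successor, so
    # its outcome is unknown (the remaining per-nibble ambiguity).
    return [c for c in HEX_DIGITS if lo < ord(c) <= hi]

def byte_candidates(high, low):
    """Combine two nibble candidate lists, keeping printable ASCII only."""
    values = (int(h + l, 16) for h, l in product(high, low))
    return [chr(v) for v in values if 0x20 <= v <= 0x7E]

def sample_line(pos, thr):
    """Constructed nginx-style line; table and column names are hypothetical."""
    q = quote(f"1 AND 1=(CASE WHEN (SUBSTR((SELECT HEX(flag) FROM flags),"
              f"{pos},1)>CHAR({thr})) THEN RANDOMBLOB(100000000) ELSE 1 END)")
    return f'203.0.113.5 - - [01/Jan/2024:00:00:00 +0000] "GET /?id={q} HTTP/1.1" 200 5'

# Constructed probe sequences for the two nibbles of HEX('{') == "7B"
SAMPLE_LOG = ([sample_line(1, t) for t in (64, 52, 56, 54, 54, 55)]
              + [sample_line(2, t) for t in (64, 68, 66, 65)])

def recover(log_lines):
    seq = probes_by_position(log_lines)
    nibbles = [nibble_candidates(seq[p]) for p in sorted(seq)]
    return nibbles, byte_candidates(nibbles[0], nibbles[1])
```

On the constructed sample, each nibble is narrowed to two hex digits and the printability filter cuts the four possible bytes to two, which is where the flag-format constraint takes over.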