Sql Map1 picoCTF 2026 Solution

Published: March 20, 2026

Description

You've been hired by a shadowy group of pentesters who love a good puzzle. Sloppy code and legacy hashing practices left a tiny, perfect doorway for an attacker. Slip through that doorway, act as a legit user and retrieve the secret flag.

Launch the challenge instance and open the web application.

Install sqlmap if not already available: pip install sqlmap

Two chained failures: a search endpoint that concatenates user input into SQL, and an admin password stored as raw MD5. The SQL Injection for CTF guide covers sqlmap automation alongside manual injection; the Hash Cracking guide covers the offline-recovery half.
  1. Step 1: Find the injectable parameter
    Explore the web app for search or filter functionality. The search endpoint's query parameter is vulnerable to SQL injection.

    SQL injection occurs when user-supplied input is concatenated directly into the text of a SQL query instead of being passed as a bound parameter. The database engine cannot distinguish the developer's intended SQL from the attacker's injected text, so it executes the injected SQL with the full privileges of the database account the application connects with.

    Search and filter endpoints are particularly common injection points because they often need to construct dynamic queries based on user input (e.g., SELECT * FROM products WHERE name LIKE '%SEARCHTERM%'). Developers sometimes apply input validation to login forms but overlook search functionality, believing it to be lower risk because it only reads data. However, SQL injection can be used for data extraction (SELECT), modification (UPDATE/INSERT/DELETE), and even operating system command execution in some configurations.

    Manual SQL injection testing starts with a single quote ('), which breaks the query's string literal and produces a syntax error if the input is unescaped; then an always-true condition such as ' OR 1=1-- (MySQL needs a space after -- or the # comment instead); then UNION SELECT statements, matching the original query's column count, to append rows from other tables to the result. Error messages, response-time differences, and behavioural differences between a true and a false condition all indicate an injection point.

  2. Step 2: Run sqlmap to dump the database
    Point sqlmap at the search endpoint and let it fingerprint the DBMS, confirm the injection, and dump. --batch answers every prompt with its default so you don't have to babysit it; -p q restricts testing to the parameter you already suspect.

```bash
# Confirm the injection in q and list every table sqlmap can see
sqlmap -u 'http://HOST:PORT/search?q=test' -p q --batch --tables
# Dump every row of the users table (add -D <db> if several databases were listed)
sqlmap -u 'http://HOST:PORT/search?q=test' -p q --batch -T users --dump
```

    sqlmap is an open-source automated SQL injection tool that detects and exploits injection vulnerabilities across all major database backends (MySQL, PostgreSQL, SQLite, MSSQL, Oracle and others). By default it tries six techniques (--technique=BEUSTQ): boolean-based blind (compares the responses to an always-true and an always-false payload), error-based (reads data back out of reflected error messages such as You have an error in your SQL syntax), UNION query (appends UNION SELECT to pull data inline), stacked queries (a ; followed by a second statement, where the driver allows it), time-based blind (injects SLEEP(5)-style delays and times the response), and inline queries (subqueries embedded in the original statement).

    The --batch flag takes the default answer to every prompt: "Do you want sqlmap to follow this redirect?", "Skip remaining detection tests for the parameter?", the DBMS narrowing question ("It looks like the back-end DBMS is MySQL. Do you want to skip test payloads for other DBMSes?"), and the dump confirmation. --tables lists tables (add -D to limit it to one database); -T users --dump extracts every row from the users table. sqlmap caches what it learned in its output directory (see --output-dir), so a second run skips straight to enumeration.

    Note the DBMS sqlmap reports - it matters. UNION column counts, comment syntax (-- vs #), and string concatenation (|| vs CONCAT) differ between MySQL, PostgreSQL, and SQLite. If you ever drop into manual payloads, you need to know which dialect you're writing for.

  3. Step 3: Crack the MD5 hash
    The admin row contains a raw MD5. Try CrackStation first (instant if it's in their lookup table), then fall back to hashcat with rockyou.txt.

```bash
# Online: paste the hash at https://crackstation.net
# Offline: straight wordlist attack (-a 0) against raw MD5 (-m 0), one hash per line in hash.txt
hashcat -m 0 -a 0 hash.txt rockyou.txt
hashcat -m 0 hash.txt --show   # print cracked hash:password pairs from the potfile
```

    MD5 was shown to be collision-broken in 2004 (Wang et al.) and OWASP has flagged it as unfit for password storage for well over a decade. Its weaknesses for password hashing are: (1) it is extremely fast, so a current high-end GPU computes tens to hundreds of billions of MD5s per second; (2) it has no built-in salt, so identical passwords produce identical hashes and a lookup or rainbow table built once works against every dump ever leaked. The collision attacks (3) are what broke MD5 for signatures and certificates, but they are not what cracks passwords: the attacker here is doing a brute-force preimage search, and (1) and (2) are all that matters.

    CrackStation vs hashcat: know when to use each. CrackStation is a precomputed lookup over roughly 15 billion known hash-plaintext pairs. If the password is in any leaked breach corpus, the lookup is instant and free, so try it first. If CrackStation comes back empty, switch to hashcat, a GPU-accelerated wordlist-plus-rules attack. -m 0 selects raw MD5 and -a 0 a straight wordlist attack; rockyou.txt (about 14 million passwords from the 2009 RockYou breach) is the standard starting wordlist. Add rules such as -r rules/best64.rule (shipped in hashcat's rules directory) to mutate each candidate with capitalization changes, common suffixes and leetspeak, and run hashcat with --show afterwards to print the cracked pairs from the potfile.

    Modern best practice is bcrypt, Argon2id, or scrypt - adaptive functions designed to be slow and salted. They drop GPU throughput from billions/sec to thousands/sec, making cracking infeasible for any non-trivial password. See the Hash Cracking for CTF guide for a fuller hashcat workflow.
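Added example for Step 3, not code from the writeup, hashcat or CrackStation: the offline half of the chain in pure Python. It runs the same dictionary attack against a raw MD5 and against a salted scrypt hash (scrypt because it is in the standard library; bcrypt and Argon2id make the same point) to show the two properties the step relies on, speed and the missing salt, and it stands in for the password-hashing bullet under "How to prevent this" as well. The six-word wordlist, the password "letmein" and the scrypt parameters are constructed assumptions.

```python
"""Added example, not code from the writeup, hashcat or CrackStation: the
offline half of the chain in pure Python.  The same dictionary attack is run
against a raw MD5 and against a salted scrypt hash, to show speed (a candidate
costs microseconds) and the missing salt (equal passwords give equal hashes,
so a lookup table built once serves forever).  Wordlist, password and scrypt
cost are assumptions."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for rockyou.txt (assumption); the admin password is in it.
WORDLIST = ["123456", "password", "qwerty", "letmein", "monkey", "dragon"]
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB of memory per hash


def md5_hex(pw: str) -> str:
    """What the challenge stored: unsalted, single-pass MD5."""
    return hashlib.md5(pw.encode()).hexdigest()


def crack_md5(target_hex: str, wordlist):
    """Dictionary attack: hash each candidate once and compare (hashcat -m 0 -a 0)."""
    for cand in wordlist:
        if md5_hex(cand) == target_hex:
            return cand
    return None


def build_lookup_table(wordlist) -> dict:
    """hash -> plaintext map, the essence of CrackStation.  Only works because there
    is no salt: computed once, it answers every unsalted MD5 it has ever seen."""
    return {md5_hex(w): w for w in wordlist}


def scrypt_hash(pw: str, salt: bytes) -> bytes:
    return hashlib.scrypt(pw.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store_scrypt(pw: str) -> tuple:
    """Store (salt, digest) with a fresh 16-byte random salt per user."""
    salt = os.urandom(16)
    return salt, scrypt_hash(pw, salt)


def verify_scrypt(pw: str, stored: tuple) -> bool:
    salt, digest = stored
    return hmac.compare_digest(scrypt_hash(pw, salt), digest)


def crack_scrypt(stored: tuple, wordlist):
    """Same attack, but every candidate costs a full scrypt evaluation under this
    user's salt, and nothing computed here carries over to any other user."""
    for cand in wordlist:
        if verify_scrypt(cand, stored):
            return cand
    return None


def demo() -> dict:
    out = {}
    admin_md5 = md5_hex("letmein")
    out["lookup_hit"] = build_lookup_table(WORDLIST).get(admin_md5)  # CrackStation-style, O(1)
    t0 = time.perf_counter()
    out["md5_cracked"] = crack_md5(admin_md5, WORDLIST)
    md5_secs = time.perf_counter() - t0
    # Two accounts sharing a password: MD5 reveals it, salted scrypt does not.
    out["same_password_same_md5"] = md5_hex("letmein") == md5_hex("letmein")
    a, b = store_scrypt("letmein"), store_scrypt("letmein")
    out["same_password_same_scrypt"] = a[1] == b[1]
    t0 = time.perf_counter()
    out["scrypt_cracked"] = crack_scrypt(a, WORDLIST)
    scrypt_secs = time.perf_counter() - t0
    out["scrypt_slowdown"] = scrypt_secs / max(md5_secs, 1e-9)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that "letmein" falls to scrypt too, just thousands of times more slowly and without any reuse across users; a slow salted hash buys time per guess, not immunity for passwords that sit in every wordlist, which is why the MFA bullet under "How to prevent this" matters as much as the hashing one.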

  4. Step 4: Log in as admin and read the flag
    Use the cracked password to log into the admin account. The flag is displayed on the admin dashboard.

    With a cracked password, the attacker gains full authenticated access to the admin account, the same access a legitimate admin would have. This is credential-based access, and it is often more impactful than direct exploitation because the attacker walks in through the normal login path: payload signatures, WAF rules and anomaly alerts tuned for exploitation traffic see an ordinary session. The controls that still stand are the ones bound to the login itself, such as an IP allowlist on the admin panel and MFA where it is actually enforced on that path.

    This challenge illustrates a complete attack chain common in real penetration tests: SQL injection extracts the credential database, offline cracking recovers plaintext passwords, and those credentials enable authenticated access to administrative functions. The combination of an injection vulnerability and weak password hashing creates a two-step path to full compromise. Each vulnerability alone might be rated medium severity, but chained together they become critical.

    Defense-in-depth against this attack chain requires addressing every layer: parameterized queries (prevent SQL injection), strong password hashing with bcrypt/Argon2 (prevent credential recovery even if the database is dumped), and multi-factor authentication (prevent login even with a known password). Removing any single link in the attack chain would have stopped this exploit.

Flag

picoCTF{sql_m4p_m4st3r_...}

The flag is on the admin dashboard, accessible after cracking the admin's MD5 password found via sqlmap.

How to prevent this

Two independent failures chained here: injectable query and crackable hash. Either fix kills the attack.

  • Use parameterized queries everywhere. cursor.execute("SELECT * FROM products WHERE name LIKE %s", ("%" + q + "%",)) is safe; string concatenation never is. Bound parameters stop injection, although % and _ inside q still act as LIKE wildcards; escape them if that matters. Modern ORMs (SQLAlchemy, Prisma, Hibernate) parameterize by default; if you do drop to raw SQL, bind the values instead of formatting them into the string.
  • Hash passwords with bcrypt, argon2id, or scrypt, each with a unique random salt per user. MD5 / SHA-1 / SHA-256 are designed to be fast; password hashes need to be deliberately slow. Tune the work factor so one hash costs on the order of 100 to 250 ms on your own hardware, which cuts a GPU cracker from billions of guesses per second to a few thousand.
  • Add MFA on admin accounts and least-privilege the database user. Give the search feature its own database account with SELECT on products only, and keep the account that can read users confined to the authentication code path; a UNION SELECT against users from the search endpoint then fails with a permissions error instead of returning the hash.
