Sql Map1

Published: March 20, 2026

Description

You've been hired by a shadowy group of pentesters who love a good puzzle. Sloppy code and legacy hashing practices left a tiny, perfect doorway for an attacker. Slip through that doorway, act as a legit user and retrieve the secret flag.

Launch the challenge instance and open the web application.

Install sqlmap if not already available: pip install sqlmap

Solution

  1. Step 1: Find the injectable parameter
    Explore the web app for search or filter functionality. The search endpoint's query parameter is vulnerable to SQL injection.
  2. Step 2: Run sqlmap to dump the database
    Use sqlmap to automatically identify the injection point and extract the users table, which contains hashed passwords.
    sqlmap -u 'http://HOST:PORT/search?q=test' --batch --tables
    sqlmap -u 'http://HOST:PORT/search?q=test' --batch -T users --dump
  3. Step 3: Crack the MD5 hash
    The dumped password for the admin user is an MD5 hash. Crack it using CrackStation or hashcat.
    # Online: paste hash at crackstation.net
    hashcat -m 0 hash.txt rockyou.txt
  4. Step 4: Log in as admin and read the flag
    Use the cracked password to log into the admin account. The flag is displayed on the admin dashboard.
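
The two weaknesses this solution depends on (a search query built by string concatenation, and unsalted MD5 password hashes), each shown beside its fix. This is an added example, not the challenge's code: the `items` table, its rows, all function names and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

def make_db():
    # Constructed sample data; the challenge's real schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT, hidden INTEGER)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [("test widget", 0), ("internal note", 1)])
    return db

def search_vulnerable(db, q):
    # Input is pasted into the SQL text, so a quote in q changes the query.
    sql = "SELECT name FROM items WHERE hidden = 0 AND name LIKE '%" + q + "%'"
    return sorted(row[0] for row in db.execute(sql))

def search_safe(db, q):
    # Input is bound as a parameter, so it is only ever compared as data.
    sql = "SELECT name FROM items WHERE hidden = 0 AND name LIKE ?"
    return sorted(row[0] for row in db.execute(sql, ("%" + q + "%",)))

def md5_legacy(password):
    # Unsalted and fast: equal passwords give equal hashes, so lookup tables work.
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()

def hash_password(password, salt=None):
    # Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest

def verify_password(password, salt, digest):
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"  # constructed input containing SQL syntax
    print(search_vulnerable(db, probe))  # hidden row is returned
    print(search_safe(db, probe))        # no rows match the literal text
    salt, digest = hash_password("example-password")
    print(verify_password("example-password", salt, digest))
```
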

Flag

picoCTF{sql_m4p_m4st3r_...}

The flag is on the admin dashboard, accessible after cracking the admin's MD5 password found via sqlmap.