capture the flag, hacking, owasp, web application security

PicoCTF 2017 – My First SQL

Another day, another challenge.

Today’s blog post we will be solving the challenge, “My First SQL” from the PicoCTF.

Let’s get started.

Going to the challenge we see:


OK… we need to access a website, but we do not have the password. Let’s see what the hints give us.


Clicking the website link we see:


Doing a right click, view page source we see:


We do not see anything useful. We have a form that is looking for a username and password.

Going back to the hints, let’s do a Google search of SQL Injection.

After doing the search we have a link, that specifies how to do a SQL injection to do login bypass.

Let’s do it.

Going back to the website, we see that we have a username and password.

Let’s try using a username of “admin”

and a password of ” ‘ OR ‘1’=’1′ ”


Pressing login we get:


We found the flag, and acquired 50 points!