CTF Writeup

March 14, 2019

The Name Game Cranberry Pi terminal challenge

📍 Minty Candycane is at the bottom-left corner of the main hall.

Hi, I’m Minty Candycane.

Can you help me? I’m in a bit of a fix.

I need to make a nametag for an employee, but I can’t remember his first name.

Maybe you can figure it out using this Cranberry Pi terminal?

The Santa’s Castle Onboarding System? I think it’s written in PowerShell, if I’m not mistaken.

PowerShell itself can be tricky when handling user input. Special characters such as & and ; can be used to inject commands.

I think that system is one of Alabaster’s creations. He’s a little ... obsessed with SQLite database storage.

I don’t know much about SQLite, just the .dump command.


PowerShell Command Injection > PowerShell Call/& Operator

SQLite3 .dump’ing > SQLite3 Data Dump


1- First, let’s shape the command we need to dump the database:
sqlite3 dbname.db .dump

2- We need to know the database name, so let’s try the menu options:
Option 1 > doesn’t show any data or error


Option 2 > test a random URL here:


Our database name: onboard.db

3- Adding the call operator & to the command allows us to execute it: the & call operator forces PowerShell to treat the string as a command to be executed. At the end we also add ; because semicolons separate commands:
& sqlite3 onboard.db .dump;
You can find more about separating commands with semicolons here:

4- Let’s try injecting our command in option 2:


Great! Successful command injection.

5- Select the output from the terminal and copy it to Notepad, or you can use an online SQLite viewer like

6- Search for the employee with the last name Chan. We find one employee, as follows:
INSERT INTO "onboard" VALUES(84,'Scott','Chan','48 Colorado Way',NULL,'LosAngeles','90067','4017533509','[email protected]');


7- Run runtoanswer the same way we did our command injection, then enter the first name Scott:
& runtoanswer
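
Why the input from steps 3 and 4 gets executed, and how such a prompt can be hardened, shown as an added example that is not part of the original writeup or the challenge's own code. It assumes option 2 builds a command string from the typed address and evaluates it; the ping template and the function names Test-ComposedCommand, Test-ServerAddress and Invoke-VerifyHardened are hypothetical.

```powershell
# Added example, not the challenge's code. Assumption: option 2 builds a
# command string from the typed address and evaluates it, for instance
#   Invoke-Expression "ping -c 1 $Address"      # weak pattern (hypothetical)

function Test-ComposedCommand {
    # Parse (never execute) the composed line. It is acceptable only if it
    # parses without errors as exactly one command.
    param([string]$Line)
    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $Line, [ref]$tokens, [ref]$errors)
    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] },
        $true)
    return ($errors.Count -eq 0) -and (@($commands).Count -eq 1)
}

function Test-ServerAddress {
    # Allow-list: hostname or IPv4 characters only, so & ; | $ ( ) and
    # whitespace never reach a command line.
    param([string]$Address)
    return $Address -cmatch '^[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z'
}

function Invoke-VerifyHardened {
    # Hardened form: validate first, then call the program directly so the
    # address is passed as one argument and is never re-parsed as script.
    param([string]$Address)
    if (-not (Test-ServerAddress $Address)) {
        throw "Rejected address: $Address"
    }
    & ping -c 1 $Address
}

# Constructed inputs: a benign address and the string entered in step 3.
$samples = 'localhost', '& sqlite3 onboard.db .dump;'
foreach ($s in $samples) {
    [pscustomobject]@{
        Input             = $s
        SingleCommandOnly = Test-ComposedCommand "ping -c 1 $s"
        PassesAllowList   = Test-ServerAddress $s
    }
}
```

Invoke-VerifyHardened is defined but not called in the sample loop, so the block runs without network access.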



Thank you so much for your help! I’ve gotten Mr. Chan his name tag. I’d love to repay the favor.

Have you ever visited a website and seen a listing of files - like you’re browsing a directory? Sometimes this is enabled on web servers.

This is generally unwanted behavior. You can find sleighloads of examples by searching the web for index.of.

On a website, it’s sometimes as simple as removing characters from the end of a URL.

What a silly misconfiguration for leaking information!


