Hotdog Stand

2023-10-07 :: Parsa Djavateri (ZEBR0Z) from SunshineCTF2023

In the not-so-distant future, robots have taken over the fast-food industry. Infiltrate the robot hotdog stand to find out what jobs still remain.

https://hotdog.web.2023.sunshinectf.games

Solution

Visiting the website presents us with this welcome page:

Pasted image 20231009120212.png

Starting with basic enumeration, our nmap and dirbuster scans came back with nothing of interest. I tried some default passwords such as 123:admin and 123:password, but those also failed.

Visiting the robots.txt file presented us with the following:

Pasted image 20231009122101.png

Visiting /hotdog-databse/ downloads a file to our system called robot_data.db.

Simply viewing the database file presents us with a mostly garbled schema with a couple of interesting parts:

Pasted image 20231009123427.png

We can tell that the database is in the SQLite 3 format and that there is a table within it called credentials. I also thought that the RobotID field would be an integer, but it turned out to be a string.
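As an added example (not part of the original writeup), the same inspection can be done by checking the file header and querying the schema instead of reading raw bytes, which also shows the stored type of each column. Only the credentials table and the RobotID field come from the writeup; the username and password columns and the sample row are constructed assumptions.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def is_sqlite3(path):
    """Identify the file by its header instead of eyeballing raw bytes."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def describe(path):
    """Return {table: [(column, declared_type, stored_types), ...]}."""
    # mode=ro opens the file read-only so inspection cannot modify it.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        report = {}
        tables = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        ).fetchall()
        for (table,) in tables:
            cols = []
            info = con.execute(f'PRAGMA table_info("{table}")').fetchall()
            for _cid, name, declared, *_rest in info:
                # typeof() reports how each value is actually stored.
                stored = con.execute(
                    f'SELECT DISTINCT typeof("{name}") FROM "{table}"'
                ).fetchall()
                cols.append((name, declared, sorted(t for (t,) in stored)))
            report[table] = cols
        return report
    finally:
        con.close()


def build_sample():
    """Constructed stand-in for robot_data.db; not the challenge file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    # Hypothetical columns apart from RobotID, with constructed values.
    con.execute("CREATE TABLE credentials (RobotID TEXT, username TEXT, password TEXT)")
    con.execute("INSERT INTO credentials VALUES ('robot-001', 'exampleuser', 'examplepass')")
    con.commit()
    con.close()
    return path
```

Calling describe() on the sample returns the credentials table with RobotID declared as TEXT and stored as text, matching the observation that the field is a string rather than an integer.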

Pasted image 20231009123957.png

Logging in with the credentials hotdogstand:slicedpicklesandonions presents us with the flag sun{5l1c3d_p1cKl35_4nd_0N10N2}.

Pasted image 20231009124305.png