Understanding the Challenge
This challenge gives us 1 file:
welcome-admin.tar.xz: XZ compressed data, checksum CRC64
which gives us a directory of a Docker project containing 2 files and a directory when extracted:
docker-compose.yml: ASCII text
Dockerfile: ASCII text
src: directory
and a link: https://welcome-admin.france-cybersecurity-challenge.fr/, which points to an admin login on a web page.
The website seems to use SQL for managing the database, and the challenge description also mentions SQL. This already makes me think this challenge revolves around an SQL injection.
Solution
Navigating to ./welcome-admin/src shows us 1 file and directory:
templates: directory
welcome-admin.py: Python script, ASCII text executable
Opening the Python file shows us the website database checks.
Looking at the code validates my previous theory and I run a primitive SQL injection
' OR '1'='1
which gives us the flag:
FCSC{94738150696e2903c924f0079bd95cd8256c648314654f32d6aaa090846a8af5}
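
Why an input like the one above passes a login check built by string concatenation, and how a bound parameter stops it, shown as an added example that is not the challenge's welcome-admin.py. The sqlite3 in-memory database, the admins table, the stored value and all function names are assumptions constructed for the illustration.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"  # the input used in the write-up above


def make_db():
    """Constructed in-memory database with one admin row (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (password TEXT NOT NULL)")
    db.execute("INSERT INTO admins VALUES ('constructed-secret')")
    return db


def built_query(password):
    """SQL text produced when user input is pasted into the statement."""
    return "SELECT 1 FROM admins WHERE password = '" + password + "'"


def login_vulnerable(db, password):
    # A quote in the input closes the string literal, so the remainder of
    # the input is parsed as SQL and can make the WHERE clause always true.
    return db.execute(built_query(password)).fetchone() is not None


def login_parameterized(db, password):
    # The value is bound separately from the SQL text; quote characters are
    # compared as data and never reach the SQL parser.
    query = "SELECT 1 FROM admins WHERE password = ?"
    return db.execute(query, (password,)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("query sent by the vulnerable check:")
    print("  " + built_query(PAYLOAD))
    checks = (("vulnerable", login_vulnerable),
              ("parameterized", login_parameterized))
    for name, check in checks:
        for pw in ("wrong", PAYLOAD, "constructed-secret"):
            print(f"{name:14} {pw!r:22} -> {check(db, pw)}")
```
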