[squeal]: print challenge information

2l/2l.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
-# Read the contents of the file flag.txt using only 2 letter commands
+# Read the contents of the file flag.txt using only 2-letter commands
+
+echo Read the contents of the file flag.txt using only 2-letter commands
 
 while true; do
     echo -n "$ "

2l/flag.txt

@@ -0,0 +1 @@
+3xtr4l3tt3rs

README.md

@@ -1,7 +1,8 @@
 Challenges: (ranked roughly from easiest to hardest)
  -  put user in a python shell, have them try to read the flag from a file
- -  2l.sh - read flag from a file using only 2-letter shell commands
- -  approved.pl - read flag from file using only the commands ls, pwd, whoami
- -  patience.c - find the code from a binary executable that will print the solution in 1 year's time
+ -  `2l.sh` - read flag from a file using only 2-letter shell commands
+ -  `approved.pl` - read flag from file using only the commands `ls`, `pwd`, `whoami`
+ -  `squeal.sh` - perform an SQL injection attack to read the secret flag from the `flags` table
+ -  `patience.c` - find the code from a binary executable that will print the solution in 1 year's time
 
 Make sure there is a different flag for each challenge.

approved/approved.pl

@@ -4,6 +4,13 @@
 
 my @approved_commands = ("ls", "pwd", "whoami");
 
+print("Read the contents of flag.txt. You can only use commands in the approved list.
+Hint: You can supply whatever parameters you like to the command!
+");
+
+print("Approved commands: ");
+print("\n - $_") foreach (@approved_commands);
+
 while (1) {
     printf("\n> ");
     my $command = <STDIN>;

approved/flag.txt

@@ -0,0 +1 @@
+f4ulty_r3g3x

squeal/squeal.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+# Script that accepts the name of an artist and checks if they are currently in our Billboard Top 10 database
+
+echo "This script accepts the name of an artist and checks if they are currently in the Billboard Top 10 table in our database, e.g. Sabrina Carpenter"
+echo "The database also contains a 'flags' table, but you shouldn't be able to access that..."
+
+while true; do
+    printf "Enter an artist's name: "
+    read input 
+
+    sqlite3 database.db "SELECT * FROM singles WHERE artist = '$input'"
+done
+

squeal/tables.sql

@@ -0,0 +1,25 @@
+CREATE TABLE singles (
+    rank INT NOT NULL,
+    title VARCHAR(255) NOT NULL,
+    artist VARCHAR(255) NOT NULL,
+
+    PRIMARY KEY (rank)
+);
+
+INSERT INTO singles (rank, title, artist) VALUES (1, 'Die With A Smile', 'Lady Gaga, Bruno Mars');
+INSERT INTO singles (rank, title, artist) VALUES (2, 'BIRDS OF A FEATHER', 'Billie Eilish');
+INSERT INTO singles (rank, title, artist) VALUES (3, 'Taste', 'Sabrina Carpenter');
+INSERT INTO singles (rank, title, artist) VALUES (4, 'Who', 'Jimin');
+INSERT INTO singles (rank, title, artist) VALUES (5, 'Espresso', 'Sabrina Carpenter');
+INSERT INTO singles (rank, title, artist) VALUES (6, 'The Emptiness Machine', 'Linkin Park');
+INSERT INTO singles (rank, title, artist) VALUES (7, 'Please Please Please', 'Sabrina Carpenter');
+INSERT INTO singles (rank, title, artist) VALUES (8, 'Si Antes Te Hubiera Conocido', 'KAROL G');
+INSERT INTO singles (rank, title, artist) VALUES (9, 'Good Luck, Babe!', 'Chappell Roan');
+INSERT INTO singles (rank, title, artist) VALUES (10,' Beautiful Things', 'Benson Boone');
+
+CREATE TABLE flags (
+    secret VARCHAR(255) NOT NULL,
+    PRIMARY KEY (secret)
+);
+
+INSERT INTO flags (secret) VALUES ('1NJ3CT10N');