The Bio terra CTF went well for us. I managed to solve 2 web challenges, which were easy: one was SQL injection and the other was local file inclusion.
Web - 50
The site was very basic and had just one link, so I was looking for an injection point. I was able to find the injection point while intercepting the link. When we click the link, 2 parameters, count and commit, are sent in a POST request. When we changed count, there was an application error, and I realised that it would be an SQL injection. The final payload was:
curl --data "count=100 union SELECT 1,description,2 from Stones --" http://magical.bioterra.xyz/shop.py
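Why a payload of this shape returns rows from another table, and how the query can be built so it does not, as an added example that is not part of the original write-up or the challenge's code. The Items table, its columns, the WHERE clause and all sample rows are assumptions constructed for illustration; only the Stones table, its description column and the payload string come from the post.

```python
import re
import sqlite3

# Payload quoted in the write-up above (value of the POST parameter "count").
PAYLOAD = "100 union SELECT 1,description,2 from Stones --"

def make_db():
    """Constructed in-memory stand-in; the Items schema and all rows are assumed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Items (id INTEGER, name TEXT, price INTEGER);
        INSERT INTO Items VALUES (1, 'potion', 5), (2, 'scroll', 150);
        CREATE TABLE Stones (id INTEGER, description TEXT);
        INSERT INTO Stones VALUES (1, 'constructed-secret-row');
    """)
    return db

def list_items_vulnerable(db, count):
    # Assumed pattern: the parameter is concatenated into the SQL text, so
    # anything after the number is parsed as SQL.
    sql = "SELECT id, name, price FROM Items WHERE price <= " + count
    return db.execute(sql).fetchall()

def list_items_hardened(db, count):
    # 1) Allow-list the input: ASCII digits only, bounded length.
    if not re.fullmatch(r"[0-9]{1,9}", count):
        raise ValueError("count must be a non-negative integer")
    # 2) Bind the value; the SQL text is constant.
    sql = "SELECT id, name, price FROM Items WHERE price <= ?"
    return db.execute(sql, (int(count),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", list_items_vulnerable(db, PAYLOAD))
    print("hardened  :", list_items_hardened(db, "100"))
    try:
        list_items_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("rejected  :", exc)
```

The application error seen when count was changed is the same signal from the defender's side: a numeric parameter that can break the statement is being parsed as SQL rather than bound as a value.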
Web - 100
This website had a music player on one of its pages, and I noticed that the music player was loading files using JavaScript. The JavaScript had a link, and there was something wrong. While testing the parameter, I came to know there was a local file inclusion. The payload is:
http://sounds.bioterra.xyz/stream_song.php?file=../admin/config.php
Thank you