WWCTF 2025 — The Needle

Bl0ss0mX5

Hack, solve, and conquer — a CTF designed to challenge minds of all levels.

The Needle — A Tale of Burp, Blindness, and Brute-Force Brilliance

They said, “It’s just a beginner challenge.”
I said, “Cool. Let me just interrogate your database.”


The Mysterious Portal

One day, in the dim glow of my terminal, I stumbled upon a suspiciously innocent-looking webpage 😯

There it was:
A search box.
A button.
And a message that mocked me with every keystroke:
“Can you find the needle?” 😶‍🌫️

A lie.
A riddle.
A trap 💀.

So naturally, I did what any responsible cybersecurity enthusiast would do: 😎

🕵️‍♂️ I inspected the source code.


🎥 The Smoking Gun (PHP edition)

<?php
// Excerpt as shown on the page; $conn is the mysqli connection opened earlier in the script.
if (isset($_GET['id'])) {
    @$searchQ = $_GET['id'];
    // User input is concatenated straight into the query string: this is the injection point.
    @$sql = "SELECT information FROM info WHERE id = '$searchQ'";
    @$result = mysqli_query($conn, $sql);
    @$row_count = mysqli_num_rows($result);

    // Only a yes/no answer ever reaches the browser, which is what makes the injection blind.
    if ($row_count > 0) {
        echo "Yes, We found it !!";
    } else {
        echo "Nothing here";
    }
    $conn->close();
}

💀 The ‘@’ signs (PHP’s error-suppression operator) were trying to hush the errors, but they couldn’t silence the truth…

There it was: the id parameter pasted straight into the query string. Raw, vulnerable SQL Injection, ripe for exploitation.
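To make the bug concrete, here is an added example (mine, not code from the challenge) that re-implements the page’s PHP logic in Python against an in-memory SQLite table, side by side with the parameterised version that closes the hole. The `info` table contents are constructed placeholders, and the probe uses SQLite’s substr() where the page’s payload uses MySQL’s SUBSTRING().

```python
import sqlite3

# Constructed stand-in for the challenge's `info` table; the flag value is a placeholder.
SAMPLE_ROWS = [(1, "wwf{placeholder_flag}")]

FOUND = "Yes, We found it !!"
NOT_FOUND = "Nothing here"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE info (id INTEGER PRIMARY KEY, information TEXT)")
    conn.executemany("INSERT INTO info VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, search_q):
    # Same shape as the page's PHP: user input pasted straight into the WHERE clause.
    sql = f"SELECT information FROM info WHERE id = '{search_q}'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        rows = []  # the PHP's @ hides the error; the row count ends up falsy
    return FOUND if rows else NOT_FOUND


def lookup_hardened(conn, search_q):
    # Parameterised query: the value travels separately from the SQL text, so any
    # quotes or keywords inside it are data, never part of the statement.
    rows = conn.execute("SELECT information FROM info WHERE id = ?", (search_q,)).fetchall()
    return FOUND if rows else NOT_FOUND


def first_char_probe(c):
    # The page's boolean probe, with SQLite's substr() in place of MySQL's SUBSTRING().
    return f"1' AND substr((SELECT information FROM info LIMIT 1), 1, 1) = '{c}' -- "


def oracle_leaks(conn, lookup):
    """True if the yes/no answer changes with the guessed character,
    i.e. the boolean side-channel the write-up exploits exists for this lookup."""
    answers = {lookup(conn, first_char_probe(c)) for c in "wx"}
    return len(answers) > 1


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(name, "tautology:", fn(db, "1' OR '1'='1"), "| leaks:", oracle_leaks(db, fn))
```

The vulnerable lookup answers “Yes” to the tautology and changes its answer with the guessed character; the hardened one treats the whole payload as a literal id that matches nothing, so the oracle disappears.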

Time to go full Matrix Mode 😈


🎯 First Blood — The Injection Begins

I whispered to the search box:

?id=1' OR '1'='1

And it replied, like an obedient pet:

✅ Yes, We found it !!

🕳️ We were in.

But then…

No output.
No data.
Just that same boring message 😬

It’s like finding the treasure chest but the loot inside says: “LOL. Just kidding.” 😐

So what now?


🕶️ Welcome to Blind Town

I cracked my knuckles.
Blind SQL Injection, huh?

I turned to my old friend — Burp Suite 🤓.

Together, we’ve broken tougher firewalls and spilled more secrets than a reality show contestant.

It was time to brute-force the truth, one character at a time.


⚔️ The Interrogation Begins

The plan:
Torture the database… politely.

I constructed the ultimate query:

?id=1' AND SUBSTRING((SELECT information FROM info LIMIT 1), 1, 1) = 'w' -- 

If the first character was ‘w’, the page would say:

✅ Yes, We found it !!

If wrong:

❌ “Nothing here”

🎩 I set up Burp Intruder:

  • Position: marked the 'w' as the payload position: §A§
  • Mode: Sniper (no actual snipers were harmed)
  • Payload: A–Z, a–z, 0–9, symbols
  • Grep Match: "Yes, We found it !!"

I hit “Start Attack”, sat back, and watched as Burp brutally guessed each character.

Letter by letter, pixel by pixel, the flag emerged from the shadows.


🚨 The Flag Rises

After minutes of delicious digital interrogation, the secret was finally unveiled:

wwf{s1mpl3_***}

(No spoilers here, let the thrill of discovery be yours 😜)


Epilogue: Lessons from the Needle

  • Never trust a quiet PHP script.
  • If there’s no output, look for a side-channel.
  • Burp Suite is not just a tool — it’s a lifestyle.
  • Brute-forcing may be noisy, but truth has a way of screaming back.
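The last two lessons are the defender’s side of this story: a blind injection leaves no data in the response, but the brute force that drives it is loud in the access log. Here is an added example (my own, not part of the write-up) that runs simple detection logic over constructed combined-format log lines: it flags `id` values that look like SQL, groups them per client and parameter, and recognises the Sniper signature of many payloads that differ from each other at a single position. The IPs, timestamps and path are constructed; the payloads are the ones from this write-up.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, quote_plus, urlsplit

# Combined-format access log: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# A quote plus a SQL keyword or comment marker is a cheap, low-noise heuristic for this endpoint.
SQL_KEYWORD_RE = re.compile(r"(?i)\b(or|and|select|union|substring|sleep)\b|--")


def _line(ip, ts, query):
    return f'{ip} - - [{ts} +0000] "GET /search.php?{query} HTTP/1.1" 200 51 "-" "Mozilla/5.0"'


# Constructed sample log: one normal user, one tautology test, and a four-request Sniper run.
PROBE = "1' AND SUBSTRING((SELECT information FROM info LIMIT 1), 1, 1) = '{c}' -- "
SAMPLE_LOG = "\n".join(
    [
        _line("203.0.113.7", "10/Aug/2025:14:02:01", "id=1"),
        _line("203.0.113.7", "10/Aug/2025:14:02:03", "id=" + quote_plus("1' OR '1'='1")),
        _line("192.0.2.5", "10/Aug/2025:14:06:00", "id=2"),
    ]
    + [
        _line("198.51.100.9", f"10/Aug/2025:14:05:{10 + 2 * i:02d}", "id=" + quote_plus(PROBE.format(c=c)))
        for i, c in enumerate("abcw")
    ]
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, _status = m.groups()
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent- and plus-decodes values
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "path": parts.path,
        "params": {k: v[0] for k, v in params.items()},
    }


def looks_injected(value):
    return "'" in value and bool(SQL_KEYWORD_RE.search(value))


def one_position_variation(payloads):
    """True when all payloads have the same length and differ at exactly one index:
    the footprint of a single-position Intruder run guessing one character."""
    if len(payloads) < 2:
        return False
    n = len(payloads[0])
    if any(len(p) != n for p in payloads):
        return False
    varying = [i for i in range(n) if len({p[i] for p in payloads}) > 1]
    return len(varying) == 1


def detect(log_text, burst=3, window_s=60):
    """Group suspicious parameter values per (client, path, parameter) and score each group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, value in rec["params"].items():
            if looks_injected(value):
                groups[(rec["ip"], rec["path"], name)].append((rec["time"], value))
    findings = []
    for (ip, path, name), hits in groups.items():
        hits.sort()
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        payloads = [v for _, v in hits]
        findings.append({
            "ip": ip, "path": path, "param": name, "count": len(hits),
            "burst": len(hits) >= burst and span <= window_s,
            "single_position_probe": one_position_variation(payloads),
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

A single tautology test from 203.0.113.7 is reported but not as a burst; the four probes from 198.51.100.9 within a few seconds are flagged both as a burst and as a single-position probe, which is exactly the shape the Intruder run above leaves behind.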

This Summer: The Needle: Burp Protocol

You can check out more of my work here: