Paginator v2 is a web challenge from NullCon CTF 2025, hosted on ctf.nullcon.net, that requires participants to use SQL injection to uncover a flag encoded in base64.
The challenge webpage initially creates a table and populates it with data in the background. As in previous versions of the challenge, the flag is not stored directly in this table.
A UNION-based injection payload that reads the contents of a presumed “flag” table, where the table number is guessed and the rank is determined with an asterisk, reveals the flag.
The flag is then decoded using online decoding tools, giving the solution: “FLAG: ENO{SQL1_W1th_0uT_C0mm4_W0rks_SomeHow_AgA1n_And_Ag41n!
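The flaw class described above, shown beside its fix, as an added example that is not code from the challenge or the original write-up. The table names, column layout, query shape, sample input and flag value are all constructed assumptions.

```python
import base64
import sqlite3

# Constructed placeholder, not the challenge's flag.
SAMPLE_FLAG = "ENO{constructed_placeholder}"

def make_db():
    """Build an in-memory database with an assumed schema (not the challenge's)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (id INTEGER, title TEXT, content TEXT);
        CREATE TABLE flag  (id INTEGER, name TEXT, value TEXT);
    """)
    db.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                   [(i, f"Page {i}", f"Content {i}") for i in range(1, 6)])
    db.execute("INSERT INTO flag VALUES (1, 'flag', ?)",
               (base64.b64encode(SAMPLE_FLAG.encode()).decode(),))
    return db

def fetch_vulnerable(db, lo, hi):
    """Weak form: request values are pasted straight into the SQL text."""
    sql = f"SELECT * FROM pages WHERE id >= {lo} AND id <= {hi}"
    return db.execute(sql).fetchall()

def fetch_hardened(db, lo, hi):
    """Corrected form: strict integer validation, then bound parameters."""
    lo, hi = int(lo), int(hi)  # raises ValueError on anything but an integer
    return db.execute("SELECT * FROM pages WHERE id >= ? AND id <= ?",
                      (lo, hi)).fetchall()

def leaked_flags(rows):
    """Decode any base64 text in the third column that looks like a flag."""
    found = []
    for row in rows:
        try:
            text = base64.b64decode(row[2], validate=True).decode()
        except Exception:
            continue  # ordinary page content is not valid base64
        if text.startswith("ENO{"):
            found.append(text)
    return found

# Constructed input modelled on the UNION payload the write-up describes;
# the asterisk works here because both tables have three columns.
INJECTED_HI = "0 UNION SELECT * FROM flag"
```

Because the flag lives in a separate table, only the query construction stands between a page request and that table; the hardened function rejects the same input before any SQL is built.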