Monday, August 12, 2013

ctf.wargame.vn MISC200

URL: http://challenges.wargame.vn:1337/misc200_7c51d1b6cabdef3792760bc340f868ba/
Challenge hint: Mario has just invented a Web Browser program ;). This is the demo version; if you are interested, send *coin* to root@wargame.vn ;)







To begin with, the very first thing to do in web hacking is to look at the raw response of every page you request from the server (viewing the page source through a web browser is not enough :)). At the end of the page you will notice this comment:
flag in ./flag.php

Therefore, this challenge requires us to access that file. Is it that easy? Let's try by requesting the link directly:
http://challenges.wargame.vn:1337/misc200_7c51d1b6cabdef3792760bc340f868ba/flag.php

What you get is ACCESS DENIED xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is your IP.

Ok, try to fake the remote IP address by using X-Forwarded-For. Set it to one of wargame.vn's IPs, but the response does not change.

I realized that I needed to access flag.php through MariOpera v.1.0 (demo version), since it is located on the same host as the flag.
Now, go back to that browser and put something into the address bar.
First, google.com -> it displays a message:
Send your  to root@wargame.vn in order to get access to more website

Try another one: vnsecurity.net -> it works.
Let's try another one: vnsecurity.net.vn -> lol, you are redirected to http://thongbao.vnnic.vn/

One more link: vnsecurity.net.vn/about-us/ -> it works.

This suggests that the browser accepts only vnsecurity.net, and that it might check only whether the first fourteen characters match vnsecurity.net, so we can put anything after them.

What special character can we put there? "@" is the most likely one (in reality, when you visit a web page that requires a username and password, you can put them in the URL, like username:password@site.com). Now, let's put our link together: vnsecurity.net@challenges.wargame.vn:1337/misc200_7c51d1b6cabdef3792760bc340f868ba/flag.php

ACCESS DENIED for 210.211.125.85

where 210.211.125.85 is an IP of wargame.vn.
It works! We can inject our address into that browser successfully.
Think about the code of flag.php. It may deny all IP addresses and allow only local access. Let's replace challenges.wargame.vn with localhost and we get the flag :)

FLAG: mario_lolz@url
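
The prefix comparison guessed at above is what lets the "@" trick through. As an added example (not code from the challenge or from this post), the Python sketch below contrasts an assumed reconstruction of that check with a validator that parses the address and compares the real host; the function names, the allowlist and the sample inputs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Allowlist inferred from the behaviour described in the write-up.
ALLOWED_HOSTS = {"vnsecurity.net"}

def weak_is_allowed(address: str) -> bool:
    """Assumed reconstruction of the flawed check: only the leading
    fourteen characters are compared, the rest is never inspected."""
    return address[:14] == "vnsecurity.net"

def strict_is_allowed(address: str) -> bool:
    """Parse the address first, then compare the real host exactly."""
    if "://" not in address:
        address = "http://" + address      # address bar input has no scheme
    try:
        parts = urlsplit(address)
        parts.port                         # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Anything before "@" is userinfo, not the host: refuse it outright.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".")
    return host in ALLOWED_HOSTS

# Constructed sample inputs, based on the addresses tried in the write-up.
SAMPLES = [
    "vnsecurity.net",
    "vnsecurity.net.vn/about-us/",
    "vnsecurity.net@localhost/flag.php",
    "google.com",
]

def compare(samples=SAMPLES):
    """Return (address, weak verdict, strict verdict) for each sample."""
    return [(s, weak_is_allowed(s), strict_is_allowed(s)) for s in samples]

if __name__ == "__main__":
    for address, weak, strict in compare():
        print(f"{address:40} weak={weak!s:5} strict={strict}")
```

An exact host match on the parsed URL only fixes the allowlist; a server-side fetcher should also refuse destinations that resolve to loopback or internal addresses, since flag.php trusted local requests.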
