Wednesday, 18 January 2012

Nullcon CTF 2012 Web Writeup

Level 1

adding a will trigger a 503 error

The server just emulated the bug, so you had to guess the right solution string.


Level 2

Can you redirect ME to

My first idea was HTTP response splitting, but you don't get real feedback; I guess it's emulated again. In the end the following request did it.

GET /challenge/wlevel-2-proc.asp?page=%0d%0a%0aHTTP/1.1%20302%20Moved%20Temporarily%0d%0aLocation:%20

Level 3

Login System

Click here to Login
Click here to Register
Invalid Flag. Please try again.

Registration using
and we get
Debug Info: INSERT 'Admin125|admin|admin||admin:no|comment:new user' INTO USER DB FILE

changing to:

Login as Admin126 and you get

Welcome! You are logged in as ADMIN!
Flag: b3149ecea4628efd23d2f86e5a723472

Level 4

Can You Get Me all the Data?


Check for XPATH injection
We get 11 presidents of India.

Trying flag as the node name and identifying the length of the flag

Brute-force using

We get "Web+Level+4", but this is not the solution.

So, trying to get all the data.
After some experiments I got the count of all entries.

11 presidents but 12 nodes?

Either you guess the node name or you brute-force the server with blind XPath attacks, as I did.

After searching for the node //value

Flag: myworthinessisallmydoubthismeritallmyfearcontrastingwhichmyqualitydoeshoweverappear

Afterwards I got non-blind solutions from others:

1: '] //* | //* ['1' ='1
2: 2002']/parent::node()[position()='1

Web Level 5

Do You Have What IT Takes to Break into the World's Most Secure Login System?

SQL injection with reCAPTCHA?

If you insert ' OR ''=' you will be detected, so no spaces are allowed.

You can try '=' which should build a query like "where username=''=''" and this will be true.

In our case inserting '!=' or '<>' in username and password will pass the test.

username = '' != '' and password = '' != ''

Why does this work? The expression is evaluated from left to right:
username = '' is FALSE
FALSE != '' is TRUE

For SQLite: "Arithmetic, boolean, relational and bitwise operators are all left to right associated."
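The left-to-right evaluation described above, reproduced against SQLite as an added example (this is not the challenge's code; the users table and its rows are constructed): the concatenated query accepts the `'!=` input for every row, while the parameterised version binds the same input as a plain value and rejects it.

```python
import sqlite3

# Constructed sample users (not from the original challenge).
USERS = [("admin", "s3cret-hash"), ("alice", "hunter2")]


def make_db():
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query of the kind the challenge emulates.

    With username = password = "'!=" the WHERE clause becomes
        username = ''!='' AND password = ''!=''
    SQLite's = and != share one precedence level and associate left to
    right, so (username = '') is 0 and 0 != '' is true for every row.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s' ORDER BY username" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]


def evaluate_clause(conn, expr):
    """Return how SQLite evaluates a bare expression (1 = true, 0 = false)."""
    return conn.execute("SELECT " + expr).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "'!=", "'!="))   # both users
    print("safe:      ", login_safe(db, "'!=", "'!="))         # []
    # Step-by-step view of the clause: ('x' = '') -> 0, then 0 != '' -> 1
    print("'x' = '' != ''  ->", evaluate_clause(db, "'x' = '' != ''"))
    # The '=' variant from the text evaluates (0 = '') -> 0 in SQLite
    print("'x' = '' = ''   ->", evaluate_clause(db, "'x' = '' = ''"))
```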

Flag: 47c1b025fa18ea96c33fbb6718688c0f

For corrections and other feedback send me an e-mail to bashrc at intruded dot net

    The where to buy air jordan 18 retro varsity red project was originally planned to open a casino but had the potential for a where to get air jordan 18 retro yellow hotel. 민속촌 사이트 It now has a jordan 18 white royal blue to good site sister hotel, Resorts 스포츠토토 언오버 벳피스트 놀검소 World and Casino