webhacking.kr - 0ldzombie challenge writeup 2
Jun 12, 2015 •
0ldzombie,
WebChallenges
0ldzombie has a great collection of
Webhacking challenges which ranges from very basic ones to some very advanced attacks. We really enjoyed playing the challenges and here are the writeups.
I hope you have been through the 0ldzombie challenge 2 writeup. Now let us discuss the next challenge. Challenge 1 was fairly easy and straight forward while challenge 2 is a 500 point problem, so it’s not as easy like the last one. So let us see the way I approched the problem.
Note:
I am putting up the write up on my blog so that if you are not able to complete the challenges after trying it for awhile, you can refer to the solution to see how I did it. Please don’t look into the solution before you try out the challenges by yourself.
Just like always, the first thing to look into is the source code of the challenge. At the first look, you might not see anything special in it.
Anything looking suspicious ? Yes, the admin/
directory is directly exposed and if you go the url, it asks for admin password. Alright, so what now ? SQLi in the admin password box ? Well, I tried everything I could, but didn’t work. So I went back and took a look at the cookies in the page and I was suspicious when I saw a cookie named time
. Strange isn’t it ? Also, one more notable thing is that the time is commented in the page source code like this <!--2015-06-13 12:53:02-->
. Did anyone notice that in the first look ? Well, I didn’t !
Alright now let us tamper with cookies for sometime. I tried several things but then an idea struck me when I successfully got a Blind cookie based injection. Let us say the value of the time
cookie is now 1434124382
. I just modified the cookie value to 1434124382 and 1=1
and in the source code, the time comment got changed to 2070-01-01 09:00:01
. Well that’s strange isn’t it ? Now let us make the condition false by changing the cookie to 1434124382 and 1=0
and I checked the source again. The comment just got changed to 2070-01-01 09:00:00
.
You got the point? The moment the condition goes wrong, the last bit of the comment changes to 0
and if the condition is true, the last bit is 1
. This is exactly what we wanted to have a successsful exploitation.
Also, in the same challenge, if you go to the board section, you can see that there is a message on the board, and if you click on the subject, they will ask you for the password. So basically, we need 2 passwords for a successful exploitation. I assumed that the admin password will be saved in a table named admin
and I got a hint that the board password is in a table named FreeB0aRd
. The main problem with the Blind injection is that if we try to do the same manually, it will take too much time. So I tried automating it in python and here is my code:
Grab the script from Github
So from this, you can get both the passwords, ie, the admin password and the board password. If you try to login with the board password, you will get a zip file to download which is password protected. Now login as admin
in “admin/” page and you can get the password to unlock the zip archive.
If you solved the challenge in an easier way, do let me know. Let us share and learn :)
Anirudh Anand
Product Security ♥ | CTF - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE