webhacking.kr - 0ldzombie challenge writeup 5

Jun 13, 2015 • webchallenges, 0ldzombie

0ldzombie has a great collection of Webhacking challenges which ranges from very basic ones to some very advanced attacks. We really enjoyed playing the challenges and here are the writeups.

Well, the last challenge was pretty easy and I was dissapointed since it was not very challenging. And I had a feeling that next one will be awesome and fortunately, it is !

Note: I am putting up the write up so that if you are not able to complete the challenges after trying for awhile, you can refer to the solution to see how I did it. Please don’t look into the solution before you try out the challenges by yourself.

Well, when you open this challenge, the first thing you see is a login page and a join page. As always I looked into the source code and saw that the login is redirected to mem/login.php and if we click on join, it says access denied. Also, if we try to login to the page, it says we need to login as admin. So obviously something is fishy about the join.php right ? Also I assumed that since login.php is redicrected to mem/login.php, I directly tried to go to mem/join.php and it returned a blank page. Looking at the source code, I saw a type JavaScript obfuscation. Let us copy and beautify it:

<script>
    l = 'a';
    ll = 'b';
    lll = 'c';
    llll = 'd';
    lllll = 'e';
    llllll = 'f';
    lllllll = 'g';
    llllllll = 'h';
    lllllllll = 'i';
    llllllllll = 'j';
    lllllllllll = 'k';
    llllllllllll = 'l';
    lllllllllllll = 'm';
    llllllllllllll = 'n';
    lllllllllllllll = 'o';
    llllllllllllllll = 'p';
    lllllllllllllllll = 'q';
    llllllllllllllllll = 'r';
    lllllllllllllllllll = 's';
    llllllllllllllllllll = 't';
    lllllllllllllllllllll = 'u';
    llllllllllllllllllllll = 'v';
    lllllllllllllllllllllll = 'w';
    llllllllllllllllllllllll = 'x';
    lllllllllllllllllllllllll = 'y';
    llllllllllllllllllllllllll = 'z';
    I = '1';
    II = '2';
    III = '3';
    IIII = '4';
    IIIII = '5';
    IIIIII = '6';
    IIIIIII = '7';
    IIIIIIII = '8';
    IIIIIIIII = '9';
    IIIIIIIIII = '0';
    li = '.';
    ii = '<';
    iii = '>';
    lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;
    lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;
    if (eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) {
        bye;
    }
    if (eval(llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L').indexOf(lllllllllllll + lllllllllllllll + llll + lllll + '=' + I) == -1) {
        alert('access_denied');
        history.go(-1);
    } else {
        document.write('<font size=2 color=white>Join</font><p>');
        document.write('.<p>.<p>.<p>.<p>.<p>');
        document.write('<form method=post action=' + llllllllll + lllllllllllllll + lllllllll + llllllllllllll + li + llllllllllllllll + llllllll + llllllllllllllll + '>');
        document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + lllllllll + llll + ' maxlength=5></td></tr>');
        document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + llllllllllllllll + lllllllllllllllllllllll + ' maxlength=10></td></tr>');
        document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
    }
 </script>

Well, good looking code isn’t it ? Here, the main things comes in the last if loop. It is always giving -1 and for that matter the condition is always exiting with a message access_denied. So what to do ? I simply copy pasted the else part to the console and executed in the context of that page and there, I saw the box to signup with a password. So I immideatly tried to signup for the name admin but it failed since admin already existed. So I tried to make something really near to admin line admin + a blank space so in total it becomes 6 characters but are very close to the name admin.

But when we executed the JavaScript, it limits the number of characters to 5 default. So I modified it into 6, tried signup with a small password and this time, it successfully signed up. Now I went to mem/login.php and it worked. Challenge solved !

The challenge was fun but a bit weird too. So how did you solve it ? If you solved the challenge in an easier way, do let me know. Let us share and learn :)

Anirudh Anand

Head of Product Security & DevSecOps at @CRED_club | Application Security ♥ | CTF lover - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE