webhacking.kr - 0ldzombie challenge writeup 6

Jun 13, 2015 • webchallenges, 0ldzombie

0ldzombie has a great collection of Webhacking challenges which ranges from very basic ones to some very advanced attacks. We really enjoyed playing the challenges and here are the writeups.

So now we have reached level 6 and the journey till now was quite challenging but enjoyable. Challenges by 0ldzombie is much better than several other web hacking challenges out there. Each level teaches us so much new information. Let us hope the future challenges will be even better.

Note: I am putting up the write up so that if you are not able to complete the challenges after trying for awhile, you can refer to the solution to see how I did it. Please don’t look into the solution before you try out the challenges by yourself.

The moment we open the challenge 6 page, first thing we see is the hint as base64. Well, base64 is an encoding and can be easily brought back to plain text. Also, the challenge page points us to index.phps. Let us see what is inside the source code:

<?php
if(!$_COOKIE[user])
{
    $val_id="guest";
    $val_pw="123qwe";

    for($i=0;$i<20;$i++)
    {
        $val_id=base64_encode($val_id);
        $val_pw=base64_encode($val_pw);

    }

    $val_id=str_replace("1","!",$val_id);
    $val_id=str_replace("2","@",$val_id);
    $val_id=str_replace("3","$",$val_id);
    $val_id=str_replace("4","^",$val_id);
    $val_id=str_replace("5","&",$val_id);
    $val_id=str_replace("6","*",$val_id);
    $val_id=str_replace("7","(",$val_id);
    $val_id=str_replace("8",")",$val_id);

    $val_pw=str_replace("1","!",$val_pw);
    $val_pw=str_replace("2","@",$val_pw);
    $val_pw=str_replace("3","$",$val_pw);
    $val_pw=str_replace("4","^",$val_pw);
    $val_pw=str_replace("5","&",$val_pw);
    $val_pw=str_replace("6","*",$val_pw);
    $val_pw=str_replace("7","(",$val_pw);
    $val_pw=str_replace("8",")",$val_pw);

    Setcookie("user",$val_id);
    Setcookie("password",$val_pw);

    echo("<meta http-equiv=refresh content=0>");
}
?>

<html>
<head>
<title>Challenge 6</title>
<style type="text/css">
body { background:black; color:white; font-size:10pt; }
</style>
</head>
<body>

<?

$decode_id=$_COOKIE[user];
$decode_pw=$_COOKIE[password];

$decode_id=str_replace("!","1",$decode_id);
$decode_id=str_replace("@","2",$decode_id);
$decode_id=str_replace("$","3",$decode_id);
$decode_id=str_replace("^","4",$decode_id);
$decode_id=str_replace("&","5",$decode_id);
$decode_id=str_replace("*","6",$decode_id);
$decode_id=str_replace("(","7",$decode_id);
$decode_id=str_replace(")","8",$decode_id);

$decode_pw=str_replace("!","1",$decode_pw);
$decode_pw=str_replace("@","2",$decode_pw);
$decode_pw=str_replace("$","3",$decode_pw);
$decode_pw=str_replace("^","4",$decode_pw);
$decode_pw=str_replace("&","5",$decode_pw);
$decode_pw=str_replace("*","6",$decode_pw);
$decode_pw=str_replace("(","7",$decode_pw);
$decode_pw=str_replace(")","8",$decode_pw);


for($i=0;$i<20;$i++)
{
    $decode_id=base64_decode($decode_id);
    $decode_pw=base64_decode($decode_pw);
}

echo("<font style=background:silver;color:black>&nbsp;&nbsp;HINT : base64&nbsp;&nbsp;</font><hr><a href=index.phps style=color:yellow;>index.phps</a><br><br>");
echo("ID : $decode_id<br>PW : $decode_pw<hr>");

if($decode_id=="admin" && $decode_pw=="admin")
{
    @solve(6,100);
}


?>

</body>
</html>

So what is happening here? The first time look at the source code can be a bit frightening for those who are not well versed with PHP but its very easy. Basically, they take the word guest and will base64 encode it continuously for 20 times. After that numbers from 1 - 8 in the strings are replaced with some characters as shown in the code. Then when they decode the cookie, they first change the characters back and will base64 decode 20 times to get the original string back. Then if the values of username and password are admin, then we have solved the challenge successfully. Since I love python very much, I wrote a simple program which gives us the username/password combination we need to use in the cookies:

#!/usr/bin/python3.4
# Written by Anirudh Anand (lucif3r) : email - [email protected]

# This is the solution to 0ldzombie's Webhacking.kr Challenge 6: Base64 cookie encoding
# The script uses requests library in python 3.4

import base64

__author__ = 'lucif3r'


class Challenge6:

    def __init__(self):
        print("[+] 0ldZombie challenge6: - Base64 Cookie decode \n")
        return

    def encode_cookie(self, username, password):

        for i in range(1, 21):
            username = base64.b64encode(username)
            password = base64.b64encode(password)

        replace = {'1': '!', '2': '@', '3': '$', '4': '^', '5': '&', '6': '*', '7': '(', '8': ')'}

        username = self.replace_all(username, replace)
        password = self.replace_all(password, replace)

        self.print_all(username, password)
        return

    def replace_all(self, string, replace):
        """
        This function will take a dictionary as an input and replaces the values with its keys in the
        strings.

        :param string:       ->     The string which should be used to replace characters.
        :param replace:      ->     A dictionary which contains the words to be replaced with their keys
        :return:
        """
        for i, j in replace.iteritems():
            string = string.replace(i, j)

        return string

    def print_all(self, username, password):
        print("[+] Encoded username to be set as cookie is: \n \n" + username)
        print("\n[+] -------------------------------------------------------------------------------------------[+] \n")
        print("[+] Encoded password to be set as cookie is: \n \n" + password)
        return


def main():
    challenge6 = Challenge6()
    challenge6.encode_cookie('admin', 'admin')
    return

if __name__ == '__main__':
    main()

Grab the script from Github

Now as you know the value of username/password combination to use. Simply modify the cookie value to what we have generated and the problem will be solved. If you solved the challenge in an easier way, do let me know. Let us share and learn :)

Anirudh Anand

Web Application Security ♥ | Google, Microsoft, Zendesk Security Hall of Fames | Blogger by chance | CTF lover | Certifications - eWDP