webhacking.kr - 0ldzombie challenge writeup 1

Sep 2, 2015 • webchallenges, 0ldzombie

0ldzombie has a great collection of Webhacking challenges which ranges from very basic ones to some very advanced attacks. We really enjoyed playing the challenges and here are the writeups.

0ldzombie has a great collection of Webhacking challenges which ranges from very basic ones to some very advanced attacks. I must admit, I really enjoyed playing the challenges and I am putting up the writeup here on my blog.

Note: I am putting up the write up on my blog so that if you are not able to complete the challenges after trying for awhile, you can refer to the solution to see how I did it. Please don’t look into the solution before you try out the challenges by yourself.

Let us look into the first challenge. As you can see, they show us a page named index.phps. Let us look at the content inside it:

1
2
3
4
5
6
7
8
9
10
11
12
13

<?
if(!$_COOKIE[user_lv])
{
SetCookie("user_lv","1");
echo("<meta http-equiv=refresh content=0>");
}

$password="????";
if(eregi("[^0-9,.]",$_COOKIE[user_lv])) $_COOKIE[user_lv]=1;
if($_COOKIE[user_lv]>=6) $_COOKIE[user_lv]=1;
if($_COOKIE[user_lv]>5) @solve();
echo("<br>level : $_COOKIE[user_lv]");
?>

As this is the first challenge, let us analyse how it works. Firstly, the if(!$_COOKIE[user_lv]) checks if a cookie named user_lv is already set. If not, it will create and set a new cookie with the value “1”.

The eregi() function is actually depreicated from PHP 5.3 but since this challenge has been created before PHP 5.3, it still uses the function. The function eregi("[^0-9,.]",$_COOKIE[user_lv]) will actually check if the value of cookie named user_lv has any characters other than numbers from 0 - 9 and “.”. If it encounters any other character, it resets the cookie value to one. You can read more about eregi in PHP manual.

$_COOKIE[user_lv]>=6 this will check if the cookie value is greater than 6 and if so, it resets again to 1. But from next line, $_COOKIE[user_lv]>5, we can understand that for the challenge to be completed, the value of cookie should be greater than 5 but less than 6.

Now, could you think of a solution ?

If you solved the challenge in an easier way, do let me know. Let us share and learn :)

Anirudh Anand

Head of Product Security & DevSecOps at @CRED_club | Application Security ♥ | CTF lover - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE