HackIM2017 CTF - Web Challenges and Solutions (Part 2)

Solving a CTF is like an addiction; you can’t possibly stop at one. So I tried to submit the flag and it failed. There was a syntax to follow: flag {…}. This was not very intuitive for me, and there was a tweet from the nullcon handle.

Solving Web200 Challenge!

So, the hint seems to indicate some aspect of user privileges and also something to do with the cookie.

I tried accessing the page with admin/admin and, to my surprise, we could get in, although the next page stated “You do not possess enough power, Try Harder!”. So I reviewed the cookie field using Tamper Data and it had 2 values: “U”, which seems to hint at “user”, and “R”, which seems to hint at “Rights”. This was my assumption.

The page also allowed creating users and had a registration page. So I created a couple of users to figure out what the logic could be for creating /cough baking a British Biscuit!

It appeared that the value “351e766803” was hard-coded and appended to a hash in both fields, and that the “Rights” (R) field was the same for all users.

So I looked up what “21232f297a57a5a743894a0e4a801fc3” meant; it was simply the MD5 hash of the username admin, i.e. md5(‘admin’).

So that must be it! The Rights (R) field should also be “admin” to get “powers”. Replacing this value using the Tamper Data plugin gave me the flag!! 2 flags down!!
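The design flaw behind this flag, shown next to a fix, as an added example (not code from the challenge or from this post): a role field built as md5(value) plus the fixed suffix carries no secret, while a cookie bound to a server-side HMAC key rejects an edited role. The function names, the user "alice", the role names and `SERVER_KEY` are assumptions made for the illustration.

```python
import hashlib
import hmac

SUFFIX = "351e766803"                  # fixed suffix reported in the post
SERVER_KEY = b"constructed-demo-key"   # assumption: secret held only by the server
ROLES = {"user", "admin"}              # assumption: hypothetical role names

def weak_field(value: str) -> str:
    """Cookie field as the post describes it: md5(value) + fixed suffix."""
    return hashlib.md5(value.encode()).hexdigest() + SUFFIX

def weak_is_admin(cookie: dict) -> bool:
    # Flawed: the role comes from the client, and the "hash" has no secret,
    # so the expected value is computable by anyone who knows the role name.
    return cookie.get("R") == weak_field("admin")

def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user: str, role: str) -> dict:
    """Hardened: bind user and role together under a server-side HMAC key."""
    if role not in ROLES:
        raise ValueError("unknown role")
    payload = f"{user}|{role}"
    return {"session": f"{payload}|{_tag(payload)}"}

def verified_role(cookie: dict):
    """Return the role only if the HMAC tag verifies, otherwise None."""
    parts = cookie.get("session", "").rsplit("|", 2)
    if len(parts) != 3:
        return None
    user, role, tag = parts
    ok = hmac.compare_digest(tag.encode(), _tag(f"{user}|{role}").encode())
    return role if ok and role in ROLES else None

def demo() -> dict:
    # Constructed sample: a low-privilege cookie whose role field was edited.
    edited_weak = {"U": weak_field("alice"), "R": weak_field("admin")}
    good = issue_cookie("alice", "user")
    edited_signed = {"session": good["session"].replace("|user|", "|admin|")}
    return {
        "weak_accepts_edit": weak_is_admin(edited_weak),
        "signed_accepts_original": verified_role(good),
        "signed_accepts_edit": verified_role(edited_signed),
    }

if __name__ == "__main__":
    print(demo())
```

Keeping the role out of the cookie entirely and looking it up server-side from an opaque session ID removes the problem at its root; the HMAC variant is for cases where the state has to live on the client.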


Published by Ramnath Shenoy

I work as a penetration tester; this blog is just some of my personal notes!
