26 lines
1.0 KiB
Markdown
26 lines
1.0 KiB
Markdown
|
# Break The Gate (1-5)
|
||
|
|
|
||
|
|
## Description
|
||
|
|
Different for each challenge
|
||
|
|
|
||
|
|
## Deployment
|
||
|
|
Place on server, write-protect `secret-database.db`
|
||
|
|
|
||
|
|
## Difficulty
|
||
|
|
*Easy*
|
||
|
|
|
||
|
|
## Solution
|
||
|
|
Per challenge, after a succesful login a cookie with the flag will apear.
|
||
|
|
1. Login details are as comment in the html
|
||
|
|
2. Login details are in a JavaScript dictionary calles `userDb`. In console you can print this variable, or you can open `script/ssdb.js`.
|
||
|
|
3. An sql-injection will get you in. Example: `" OR 1=1;` as password
|
||
|
|
4. As there are only 1000 possible combination, brute-force should go pretty fast. You can write a simple Pythin-program that sends request to [challenge-url]/4.php?try=[0->999] and compare results. (Correct code was 732)
|
||
|
|
5. The login details were send over http, meaning they were in plain text in the pcap file (open the pcap file and check the last packet)
|
||
|
|
|
||
|
|
## Flag
|
||
|
|
* IGCTF{ThatWasNotSoHard}
|
||
|
|
* IGCTF{StopHackingMySitePrettyPlease}
|
||
|
|
* IGCTF{AllHailOurLordAndSaviourPHP}
|
||
|
|
* IGCTF{I_may_have_made_this_challenge_last_night}
|
||
|
|
* IGCTF{KgonnaGoToSleepnow_Bye}
|