
Sunday, 23 November 2014

CSCamp CTF 2014: Brownies (Web) Write-up


Description:
Hint: think of default files when using source code management systems
Solution:
          

I opened http://178.63.58.69:8083/ and tried to log in several times, but it returned "Username or Password is invalid". I went back to the hint and focused on "source code management systems". It may mean GitHub, because I once read an article about this, "How I stole source code with Directory Indexing and Git", so I should request /.git, and I found something.

I tried to log in with user: ping and password: pong. The response was "Welcome ping", but there was no flag :/ Next I looked at the HTTP headers and found that the cookies were interesting. Cookie: type=user; flag=df911f0151f9ef021d410b4be5060972; name=ping

Looking at the flag value (df911f0151f9ef021d410b4be5060972), I think this is MD5 because it matches [a-f0-9]{32}, so I should decrypt it on MD5 Decrypter!!

The result is ping. Does that mean flag=md5(user)? I went back to read the .git file and tried to encrypt the string "john" to MD5.

MD5 Encrypt: 

root@ubuntu:/tmp# echo -n "john" | md5sum
527bd5b5d689e2c32ae974c6229ff785  -
root@ubuntu:/tmp# 

I went back to read .git again: admin: john. The cookie has type: user, so I should edit this value to admin (admin: john). I used Burp Suite to intercept and modify the HTTP request. As a next step I sent the request with the normal cookie and clicked Go.

There was no flag, so I edited the cookie value to Cookie: type=admin; flag=527bd5b5d689e2c32ae974c6229ff785; name=john and clicked Go!!

Finally I got the flag!!

Flag: a012c434d1ec6db911fda4884de14fdd
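
Why the edited cookie was accepted, and what a server-side fix looks like. This is an added example, not code from the challenge or from the original post. `weak_check` is modelled on the write-up's inference that flag=md5(name). `SERVER_KEY`, `sign`, `issue` and `hardened_check` are hypothetical names for a keyed replacement.

```python
import hashlib
import hmac

# Assumption: a secret that exists only on the server (constructed demo value).
SERVER_KEY = b"constructed-demo-key"

# Cookie values quoted in the write-up.
OBSERVED = {"type": "user", "flag": "df911f0151f9ef021d410b4be5060972", "name": "ping"}
EDITED = {"type": "admin", "flag": "527bd5b5d689e2c32ae974c6229ff785", "name": "john"}


def weak_check(cookies: dict) -> bool:
    """Modelled on the write-up's inference: flag == md5(name), no key, type unchecked."""
    expected = hashlib.md5(cookies.get("name", "").encode()).hexdigest()
    return hmac.compare_digest(cookies.get("flag", "").encode(), expected.encode())


def sign(role: str, name: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over role and name, length-prefixed so field boundaries are unambiguous."""
    fields = (role.encode(), name.encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue(role: str, name: str) -> dict:
    """Cookies the server would set after a successful login."""
    return {"type": role, "name": name, "flag": sign(role, name)}


def hardened_check(cookies: dict) -> bool:
    """Accept only if the tag covers the exact type and name presented."""
    expected = sign(cookies.get("type", ""), cookies.get("name", ""))
    return hmac.compare_digest(cookies.get("flag", "").encode(), expected.encode())


if __name__ == "__main__":
    print("weak accepts edited cookie:    ", weak_check(EDITED))
    print("hardened accepts edited cookie:", hardened_check(EDITED))
    legit = issue("user", "ping")
    print("hardened accepts issued cookie:", hardened_check(legit))
    legit["type"] = "admin"  # role changed client-side, tag unchanged
    print("hardened accepts changed role: ", hardened_check(legit))
```

An unkeyed hash can be recomputed by anyone who knows the input, so it proves nothing about who set the cookie. Keeping role and identity in a server-side session and sending only an opaque session ID avoids the problem entirely.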
