Quiz 1:
Once again, it's a horrible thing if you cannot get past the entry level on your own. =)
Quiz 2:
This one requires you to modify the cookie that the server sends back. Telnet to quiz.ngsec.biz:8080 and type the URL and parameters for any login. It will send back a cookie that is ALWAYS the same. Note that it also says "Welcome GUEST". This is the key hint. Compare the name "GUEST" to the provided cookie. In the cookie, an ASCII/HEX jockey will recognize %3D as the "=" symbol. Hence, we have a cookie that says "something=something", such as:
HTTP/1.1 200 OK
Date: Fri, 15 Aug 2003 04:00:36 GMT
Server: Apache
Set-Cookie: Credentials=hfre%3Dthrfg
Examining the cookie we see:
%3D = '='
hfre=user (13 character shift)
thrfg=guest (13 character shift)
But in order to follow the "link" provided after logging in with "any" username, it says you must be recognized as "admin". So, enter any username and password, then click submit. You receive the generic "guest" cookie. Modify the cookie to become "Credentials=hfre%3Dnqzva", which keeps the same password but changes the username to "admin" (nqzva=admin with the 13 character shift). Submit this cookie when you follow the link to login and advance to the next level. You can submit this cookie either manually through telnet, or use the handy-dandy @Stack WebProxy, which allows you to modify the headers, parameters, and cookies on the fly. Thanks to Haroon Meer at SensePost for showing me this incredible time-saving utility.
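The cookie in this quiz is only obfuscated (URL-encoding plus ROT13), so anyone holding it can read it and rewrite it, and the server has no way to tell a rewritten cookie from one it issued. The Python below is an added example, not code from the quiz or its author: the first function undoes the quiz's encoding exactly as described above, and the two functions after it show the fix a server should apply, namely an HMAC tag over the cookie payload so a client that changes "guest" to "admin" is rejected. The key, the `user=` payload layout and the function names are my own choices.

```python
import codecs
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import quote, unquote

def decode_credentials_cookie(value: str) -> Tuple[str, str]:
    """Undo the quiz's encoding: URL-decode, then ROT13 both sides of '='.

    "hfre%3Dthrfg" -> ("user", "guest"); "hfre%3Dnqzva" -> ("user", "admin").
    Nothing here is secret: any client can run this in reverse and forge a value.
    """
    plain = codecs.decode(unquote(value), "rot_13")
    left, _, right = plain.partition("=")
    return left, right

def issue_signed_cookie(role: str, key: bytes) -> str:
    """Hardened variant (assumed design): payload plus an HMAC-SHA256 tag.

    The role is still readable by the client, but it can no longer be changed
    without the server-side key, because the tag would not match.
    """
    payload = quote(f"user={role}", safe="")           # e.g. "user%3Dguest"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def verify_signed_cookie(cookie: str, key: bytes) -> Optional[str]:
    """Return the role if the tag verifies, else None (treat as not logged in)."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return unquote(payload).partition("=")[2]

if __name__ == "__main__":
    print(decode_credentials_cookie("hfre%3Dthrfg"))   # ('user', 'guest')
    key = b"constructed-demo-key"                      # constructed; use a random key in practice
    good = issue_signed_cookie("guest", key)
    forged = good.replace("guest", "admin")            # same edit the quiz has you make
    print(verify_signed_cookie(good, key))             # guest
    print(verify_signed_cookie(forged, key))           # None
```

Even the signed form still trusts the client to carry the role around; the stronger design is to keep the role in a server-side session and hand the client only a random session id, which is what the quiz's server should have been doing in the first place.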
Quiz 3:
Use wget to retrieve a Base64 encoder/decoder. Unzip, un-tar, and "./configure;make;make install". Then feed the Base64 text from the page into it:
[root@orc /tmp]# base64 -d
CgokdmFsaWRfbG9naW49ZzAwcjAwOwokdmFsaWRfcGFzcz10cmVuZDsKCmlmICgoJGxvZ2luPT0kdmFs
aWRfbG9naW4pICYmICgkcGFzc3dvcmQ9PSR2YWxpZF9wYXNzKSkgewogICAkYXV0aGVudGljYXRlZD0x
OwogICB9IGVsc2UgewogICAkYXV0aGVudGljYXRlZD0wOwogICB9CgoK
^D
$valid_login=g00r00;
$valid_pass=trend;
if (($login==$valid_login) &&
($password==$valid_pass)) {
$authenticated=1;
} else {
$authenticated=0;
}
Password and login are now visible for all to abuse. Go to the login page and advance to the next level.
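Base64 is an encoding, not encryption, so a server-side snippet with credentials in it is exposed the moment it reaches the browser. The Python below is an added example, not code from the quiz or its author; it does what the base64 -d step above does by hand, but as a check a defender can run over page bodies: find Base64-looking runs, decode them, and flag assignments whose variable name looks like a credential. SAMPLE_PAGE is constructed around the quiz's own blob, and the regexes and function names are my own.

```python
import base64
import binascii
import re
from typing import Dict, List

# Constructed sample: the quiz's Base64 blob dropped into an HTML body.
SAMPLE_PAGE = """<html><body>
<!-- auth snippet -->
CgokdmFsaWRfbG9naW49ZzAwcjAwOwokdmFsaWRfcGFzcz10cmVuZDsKCmlmICgoJGxvZ2luPT0kdmFs
aWRfbG9naW4pICYmICgkcGFzc3dvcmQ9PSR2YWxpZF9wYXNzKSkgewogICAkYXV0aGVudGljYXRlZD0x
OwogICB9IGVsc2UgewogICAkYXV0aGVudGljYXRlZD0wOwogICB9CgoK
</body></html>"""

# At least ten 4-char Base64 groups, allowing line breaks between groups.
B64_RUN = re.compile(r"(?:[A-Za-z0-9+/]{4}\s*){10,}(?:[A-Za-z0-9+/]{2,3}=?=?)?")
# PHP/Perl style "$name = value;" assignment.
ASSIGNMENT = re.compile(r"\$(\w+)\s*=\s*['\"]?([^;'\"\s]+)['\"]?\s*;")
# Variable names worth flagging when they carry a literal value.
SECRET_NAME = re.compile(r"pass|pwd|secret|login|user|token|key", re.I)

def find_base64_blobs(text: str) -> List[str]:
    """Return candidate Base64 runs with internal whitespace removed."""
    return ["".join(m.group(0).split()) for m in B64_RUN.finditer(text)]

def decode_blob(blob: str) -> str:
    """Decode one candidate; return '' if it is not valid Base64 or not text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return ""
    text = raw.decode("utf-8", errors="replace")
    printable = sum(ch.isprintable() or ch in "\n\r\t" for ch in text)
    return text if text and printable >= 0.95 * len(text) else ""

def hardcoded_credentials(text: str) -> Dict[str, str]:
    """Map credential-looking variable names to the literal values found."""
    found: Dict[str, str] = {}
    for blob in find_base64_blobs(text):
        for name, value in ASSIGNMENT.findall(decode_blob(blob)):
            if SECRET_NAME.search(name):
                found[name] = value
    return found

if __name__ == "__main__":
    for blob in find_base64_blobs(SAMPLE_PAGE):
        print(decode_blob(blob))
    print(hardcoded_credentials(SAMPLE_PAGE))   # {'valid_login': 'g00r00', 'valid_pass': 'trend'}
```

The printable-ratio check keeps binary blobs (images, compiled classes) from producing false hits, and the assignment regex deliberately requires a trailing semicolon so the comparison in the if-statement is not mistaken for a second assignment.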
Quiz 4:
View the HTML source. Use wget or simply type the path to download "PasswordAuth.class". Then go to SourceForge and get Jrevpro, which is a Java source decompiler. Execute "jrevpro -i PasswordAuth.class" and look for the comparison in the decompiled output:
if (texto.getText().equals("String"))
Use this password "String" to login and complete this challenge.
Quiz 5:
More to come, when I find the time….