Wednesday, September 12, 2012

Solution for bright-shadows.net : Exploit 02 Analyze This 1


This is the link to the original challenge http://www.bright-shadows.net/challenges/exploits/exploit_analyse1/index.php
However, you will need to register before you can make an attempt to solve this.


Tools Used: ---

This challenge is about Directory Traversals.

There are 2 scripts, and the goal is to supply an input for the GET parameter "url" that gains access to /user/www/index.php

Let's take a look at the first script
$url   = str_replace("../","",$_GET['url']);
$hfile = fopen("/user/www/challenges/$url", "r");
These 2 lines are the important part.

The script replaces all instances of "../" with "". As the fopen function starts in the challenges folder, you have to traverse 1 directory up to access the goal.

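This filter can be easily bypassed by entering something like ".../...//index.php".
The replacement is done in a single pass, so when the filter strips the two embedded "../" sequences, the leftover characters join into a new "../" and the fopen function opens the following file: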
/user/www/challenges/../index.php

Let's take a look at the second script
if((strpos($_GET['url'],"../") === false)
     AND (strpos($_GET['url'],"://") === false)){

     $hfile = fopen("$url", "r");
These 3 lines are the important part.

The script checks whether the input contains any "../" or "://" character sequences. If it does, it displays an error page and aborts the opening of the file. In this case, we are unable to perform reverse directory traversal.

However, on a closer look, the fopen function uses the url parameter directly, without any path prefixed or appended. It is possible to get to the goal page by just entering the exact directory path "/user/www/index.php".
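As an added example (not the challenge's code or the author's), the PHP below puts both filters next to an opener that canonicalizes the path with realpath() and then checks that it still sits under the base directory. The function names, the temporary directory layout and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not the challenge's code. All paths here are constructed.

// Script 1's filter: a single, non-recursive pass of str_replace.
function filter_one(string $url): string {
    return str_replace("../", "", $url);
}

// Script 2's filter: rejects "../" and "://" but accepts anything else,
// including an absolute path.
function filter_two(string $url): bool {
    return strpos($url, "../") === false && strpos($url, "://") === false;
}

// Hardened (hypothetical helper): resolve the final path first, then
// require the result to be inside $base. Returns null when rejected.
function safe_resolve(string $base, string $url): ?string {
    $root = realpath($base);
    $path = realpath($base . DIRECTORY_SEPARATOR . $url);
    if ($root === false || $path === false) {
        return null;                       // bad base or nonexistent file
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed layout standing in for /user/www and /user/www/challenges.
$www = sys_get_temp_dir() . "/www_" . bin2hex(random_bytes(4));
mkdir("$www/challenges", 0700, true);
file_put_contents("$www/index.php", "goal");
file_put_contents("$www/challenges/page.txt", "ok");

$inputs = [".../...//index.php", "../index.php", "$www/index.php", "page.txt"];
foreach ($inputs as $in) {
    printf("%s\n  filter1 -> %s\n  filter2 -> %s\n  safe    -> %s\n",
        $in,
        filter_one($in),
        filter_two($in) ? "pass" : "block",
        safe_resolve("$www/challenges", $in) ?? "rejected");
}

// Remove the constructed files again.
unlink("$www/index.php");
unlink("$www/challenges/page.txt");
rmdir("$www/challenges");
rmdir($www);
```

Only "page.txt" resolves in the last column: the check runs on the canonical path rather than on the raw string, so it does not depend on which character sequences the input happens to contain.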

Enjoy =D

thegrayone

Solution for bright-shadows.net : Exploit 01 Easy Starter


This is the link to the original challenge http://www.bright-shadows.net/challenges/exploit_long/index.php
However, you will need to register before you can make an attempt to solve this.


Tools Used: Tamper Data or Firefox Console

This is an easy warmup.

We are presented with a login page and a clue stating that the username should be at least 5 characters long but less than 20.

Let's try passing in invalid usernames.

Log in with a username shorter than 5 characters.
An alert box pops up saying that this is not the solution.

Next, let's try logging in with a username that is longer than 20 characters.
Here is where the problem is. The form input restricts the max length to 20 characters.

There are 2 ways to bypass this.

1)  Tamper Data

Tamper Data is an add-on for Firefox. I highly recommend installing this add-on as it will help with many of the exploit challenges on bright-shadows.net

Using Tamper Data, we can tamper with the POST parameters that are sent after the submit button is clicked.

2) Firefox Console

If you are using Firefox, you can bring up the Firefox console (Ctrl + Shift + K).

Then type the JavaScript command "document.forms[0].elements['input_user'].maxLength = 30;" into the console. This alters the HTML document, and the form now allows you to enter up to 30 characters in the username field.

Using either method, submit a username that is longer than 20 characters and the resulting "error" page gives you the correct username and password to login with.

Enjoy =D

thegrayone

Tuesday, September 11, 2012

Solution for www.net-force.nl : Level 307 Sea Code



This is the link to the original challenge: http://www.net-force.nl/challenge/level307/

Quest:
Decode the code below and then you'll have the password for this level (password is lowercase).

- .... . .--. .- ... ... .-- --- .-. -.. ..-. --- .-. - .... .. ... .-.. . ...- . .-.. .. ... .-- . .-.. .-.. -.. --- -. .


This is quite easy. At first glance, we know that this is a Morse code puzzle.
So let's use a Morse code to text translator.

I'm using this website's translator. :D

Using that, I got back the following. :D
"THEPASSWORDFORTHISLEVELISWELLDONE"
So the password to this challenge is:
Password: "welldone"

Cheers
0x4a61636f62