In came the User Agent Switcher browser extension: switching the user agent to “iPhone 4” fooled this restriction and gained access to the site. Oh yea!
The site was actually a game simulator where you could create your own character by giving it a name. Each character started off with 150 points to be assigned to its 3 attributes (strength, dexterity and intelligence) depending on your preference. I named my character “wolf”.
Examination of the source code revealed two JavaScript files, one of which (main.js) contained obfuscated code.
Contents of main.js:
The obfuscated code was easily deobfuscated by http://jsbeautifier.org/ :)
Line 18 of the deobfuscated code revealed how the URLs for each of the 3 pages (home.html, introduce.html, get_tag.html) were formed: the page name was passed as a parameter to index.php. The magic embedded within index.php produced wonders when it was fed those parameters – the source code of the requested page was displayed on the screen! Repeating this step for the PHP pages (simulator.php, simulator_ok.php) gathered several valuable hints for this challenge.
Contents of simulator.php:
- Line 15: if ($_POST['name'] == "GM") die("you can not view&save with 'GM'");
  There was a restriction on using "GM" as the character name. GM probably stands for Game Master.
- Line 17: $db = sqlite_open("/var/game_db/gamesim_".$_SESSION['scrap'].".db");
  The path to the character database file!
- Line 94: memo : <input type='text' name='memo' value='<?php if (isset($row[0])) echo gzuncompress($row['memo.memo']); ?>' maxlength=32 />
  Data contained within memo.memo must be uncompressed.
After the SQLite database file was extracted from the response, the next step was to write a script to read its contents. Recall from hint #3 above that memo.memo must be uncompressed in order to recover its original data.
Script to read database contents:
Key found! 500 points in the bag. Yay!
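An added example (not the author's script) of how such a reader can be written in Python: it opens a gamesim database file and runs every memo through zlib, because PHP's gzuncompress() expects zlib-format (RFC 1950) streams. The table name memo and column name memo are assumptions taken from $row['memo.memo'] in simulator.php, and the sample database is constructed inline so the script runs offline.

```python
import sqlite3
import sys
import zlib


def dump_memos(conn):
    """Return (rowid, memo) pairs with each memo decompressed.

    gzuncompress() in PHP reads zlib streams, so zlib.decompress() recovers
    the same data. Rows that are not zlib streams are reported as-is instead
    of aborting the dump.
    """
    # Assumption: table "memo" with a "memo" column, as hinted by $row['memo.memo'].
    cur = conn.execute("SELECT rowid, memo FROM memo")
    results = []
    for rowid, blob in cur.fetchall():
        try:
            text = zlib.decompress(blob).decode("utf-8", errors="replace")
        except zlib.error:
            text = "<not a zlib stream: %r>" % (blob,)
        results.append((rowid, text))
    return results


def build_sample_db():
    """Constructed sample: an in-memory stand-in for gamesim_<scrap>.db.

    One memo is zlib-compressed the way the game stores it, one is a plain
    string, so the error path in dump_memos() is exercised too. The values are
    made up for this example; the real key is not in here.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE memo (memo BLOB)")
    conn.execute("INSERT INTO memo VALUES (?)", (zlib.compress(b"sample memo text"),))
    conn.execute("INSERT INTO memo VALUES (?)", (b"plain, not compressed",))
    conn.commit()
    return conn


if __name__ == "__main__":
    # Usage: python reader.py /path/to/gamesim_extracted.db  (or no argument for the sample)
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for rowid, text in dump_memos(conn):
        print("%d: %s" % (rowid, text))
    conn.close()
```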
Cheers,
Braeburn Ladny