For this website I got reasonably excited about watching some grass grow, however after hearing that someone actually watched it grow all the way to the top and didn't actually win anything I gave up rapidly. After looking a little bit more at the source I established that nothing really interesting was happening. Therefore I moved on to intercepting the traffic for the username and password, which was being passed in a hashed version of the password.
As a result of this I wanted to find something that would break it, and noted that the one thing that it was checking for on the client side was that a password was actually existed, so therefore after I intercepted it with burpsuite I cleared the password out and submitted no password.
Once it submitted without the password, instead of the normal webpage, it returned the flag.
flag{gr0wth__h4ck!nG!1!1!
After a little bit more investigation, it looks like this used a server side strcmp, which meant that this was also vulnerable to making password an array (password[]=098f6bcd4621d373cade4e8627b4f6) returning the flag as well.
-bobson
No comments:
Post a Comment