damo.clanteam.com Security Challenge VI [Writeup]

Alright, this one is a tricky one. It took me some time to figure it out. At first I spent about half an hour trying to figure out what was happening, but when I saw a register page I got a feeling it had something to do with cookie injection. So I started up Burp Suite and logged in. All I had was a “PHPSESSID”. I spent some time googling to see if there was anything up with PHPSESSID, but almost everything was a dead end. Then, when I was going through the Burp Suite history, I saw there were 2 cookies being deleted when I was logging in.

[screenshot: Burp Suite history showing the two cookies]

Those seemed like something to be concerned about. After spending some time messing around, I logged in again with “Remember me” ticked, and then I saw those two cookie parameters were saved in the session.

[screenshot: the two cookie parameters saved with “Remember me”]

Now both parameters seemed to be encoded with base64, so I used ruby to decode them

root@bt:~# echo "require 'base64'; puts Base64.decode64('bnVrZTk5')" | ruby
nuke99

So it's obviously my username, ‘nuke99’. I encoded the username “admin' or 'x'='x” and replaced the value of the “usernamesch6” parameter with it.

root@bt:~# echo "require 'base64'; puts Base64.encode64('admin\' or \'x\'=\'x')" | ruby
YWRtaW4nIG9yICd4Jz0neA==


[screenshot: the cookie value replaced in Burp Suite]

And now I'm logged in as the Admin. Alright, now go to “members-only.php” and submit your name with the replaced Admin session.

[screenshot: members-only.php with the Admin session]
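The cookie check above can be reconstructed in a few lines. What follows is an added example, not code from the challenge site: a hypothetical remember-me login that decodes the base64 cookie and concatenates it into SQL (the weakness the writeup exploits), the same lookup with a bound parameter, and a token-based remember-me that stops the client from choosing its own identity at all. The account rows, table names and function names are all constructed for the example.

```python
import base64
import secrets
import sqlite3

# Constructed sample account table (placeholder data, not the challenge's real accounts).
SAMPLE_ACCOUNTS = [
    ("admin", "admin-password-placeholder", "admin"),
    ("nuke99", "member-password-placeholder", "member"),
]


def make_db():
    """In-memory SQLite database standing in for the challenge's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, role TEXT)")
    conn.execute("CREATE TABLE remember_tokens (token TEXT PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def encode_cookie(username):
    """Base64-encode a username the way the challenge's remember-me cookie does."""
    return base64.b64encode(username.encode("utf-8")).decode("ascii")


def decode_cookie(value):
    return base64.b64decode(value).decode("utf-8")


def login_from_cookie_vulnerable(conn, cookie):
    """Hypothetical reconstruction of the weak check: the decoded cookie is
    concatenated straight into the SQL, so a username of admin' or 'x'='x
    turns the WHERE clause into ... = 'admin' or 'x'='x', which matches every
    row. The first row (admin) is returned."""
    name = decode_cookie(cookie)
    sql = "SELECT username, role FROM accounts WHERE username = '" + name + "'"
    return conn.execute(sql).fetchone()


def login_from_cookie_parameterized(conn, cookie):
    """Same lookup with a bound parameter: the quote and OR are plain data,
    so the injected string matches no account."""
    name = decode_cookie(cookie)
    return conn.execute(
        "SELECT username, role FROM accounts WHERE username = ?", (name,)
    ).fetchone()


def issue_remember_token(conn, username):
    """Parameterizing is not enough: a base64 username cookie still lets the
    client pick the identity. Persistent login should hand out an unguessable
    random token that the server maps back to the user."""
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO remember_tokens VALUES (?, ?)", (token, username))
    return token


def login_from_token(conn, token):
    return conn.execute(
        "SELECT a.username, a.role FROM remember_tokens t "
        "JOIN accounts a ON a.username = t.username WHERE t.token = ?",
        (token,),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    forged = encode_cookie("admin' or 'x'='x")
    print(forged, login_from_cookie_vulnerable(db, forged))      # admin row
    print(login_from_cookie_parameterized(db, forged))           # None
    tok = issue_remember_token(db, "nuke99")
    print(login_from_token(db, tok))                             # nuke99 row
```

The parameterized version closes the injection, but the random token is the real fix for a remember-me feature: with a bare base64 username in the cookie, anyone who can encode the string "admin" can impersonate that account even without the SQL trick.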


Ok now cya until the next challenge

damo.clanteam.com Security Challenge III [Writeup]

Alright, this one is easy. The challenge is on basic SQL injection. In the challenge application there is a SQL injection vulnerability in the member-info.php page. It's a basic UNION based SQL injection; from there I used sqlmap to spice things up.

The vulnerable application URL is

http://damo.clanteam.com/sch3/member-info.php?id=1'+union+select+1,'nuke99',3,4,5+from+accounts--


[screenshot: the UNION query result]

The passwords were hashed with SHA1. For that I used an online hash database to get the plain text password.

[screenshot: the online hash database lookup]

And using “stanllone” as the user name and fire as the password I logged into the members area.

That’s about it. See you soon guys.

damo.clanteam.com Security Challenge II [Writeup]

I just completed the second challenge of damo.clanteam.com. It was a real challenge to figure out what the vulnerability was. Anyhow, I’m not going to write how I did it, because when I googled I couldn’t find a single person who wrote a write-up for it. But anyway I’m going to give away a free tip.

The key file is in

http://damo.clanteam.com/sch2/admin_key.txt

Rest of the challenge is up to you 😀

Have fun

damo.clanteam.com Security Challenge I [writeup]

Hey fellas, been a while since the last post. Anyway, I saw this security challenge post on twitter and thought of giving it a shot. So this is the write-up post for the first challenge. It's pretty easy actually.

The challenge is to log in to an admin area which is protected with .htpasswd. When we enter the challenge there is a link to see the people who completed it. The first thing I noticed is the page URL, which had index.php?page=halloffame. So my guess was either LFI or SQLi. With a simple single quote I was able to identify that the vulnerability is LFI, because the error contained

Warning: include(halloffame'.php)

Also, since .php is appended by index.php, I guessed the code is something like

<?php
include($_GET['page'].".php");
?>

Since there is a .php appended at the end, I used a null byte to cut it off. Also, since our target is to get the htpasswd file, my first attempt was page=admin/.htpasswd% but it returned no file, so my second guess was page=admin/.htaccess%00

[screenshot: the .htaccess request]

and it returned with

AuthType Basic
AuthName "Restricted Access!"
AuthUserFile /www/clanteam.com/d/a/m/damo/htdocs/hiddenfoldersch1/.htpasswd
Require user damo

So now we know the path to the .htpasswd file. My next obvious step is to grab it.
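The include pattern guessed above is worth seeing next to its fix. This is an added example, not code from the challenge: a Python stand-in for include($_GET['page'].".php") that shows how the caller ends up controlling the whole path, an allow-listed resolver with a web-root containment check, and a small scanner that flags page= values like the ones in this writeup in constructed access-log lines. ALLOWED_PAGES, the log format, the 203.0.113.x client address and the function names are all assumptions made for the example.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list of page names index.php may resolve (constructed; the real
# challenge's page set is unknown).
ALLOWED_PAGES = {
    "halloffame": "halloffame.php",
    "home": "home.php",
}

# A legitimate page name is a short identifier: no quotes, slashes, dots or NUL bytes.
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def resolve_page_vulnerable(webroot, page):
    """Mirror of include($_GET['page'].".php"): the caller controls the path.
    On PHP versions that truncated paths at a NUL byte, the ".php" suffix
    never reached the filesystem, which is what the %00 in the writeup relies on."""
    return os.path.join(webroot, page + ".php")


def resolve_page_hardened(webroot, page):
    """Map the request onto the allow-list and, as defence in depth, refuse
    any resolved path that escapes the web root."""
    if not PAGE_NAME.fullmatch(page):
        return None
    target = ALLOWED_PAGES.get(page)
    if target is None:
        return None
    root = os.path.realpath(webroot)
    full = os.path.realpath(os.path.join(root, target))
    if os.path.commonpath([root, full]) != root:
        return None
    return full


def page_param(request_target):
    """Pull the page= value out of a request target such as /index.php?page=x."""
    query = urlsplit(request_target).query
    values = parse_qs(query, keep_blank_values=True).get("page")
    return values[0] if values else None


def is_lfi_probe(page_value):
    """Flag page values that are not plain identifiers: the single-quote probe,
    slashes, traversal, NUL bytes and dotfiles all fail the identifier rule."""
    return page_value is not None and PAGE_NAME.fullmatch(page_value) is None


LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "GET (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed access-log lines modelled on the requests in the writeup.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2013:10:00:01 +0000] "GET /index.php?page=halloffame HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2013:10:00:09 +0000] "GET /index.php?page=halloffame' HTTP/1.1" 200 640
203.0.113.5 - - [01/Jan/2013:10:01:30 +0000] "GET /index.php?page=admin/.htaccess%00 HTTP/1.1" 200 300
"""


def scan_log(text):
    """Return (client, decoded page value) for every request whose page=
    value looks like an include probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target, _status = m.groups()
        value = page_param(target)
        if is_lfi_probe(value):
            hits.append((client, value))
    return hits


if __name__ == "__main__":
    print(resolve_page_vulnerable("/var/www", "admin/.htaccess\x00"))
    print(resolve_page_hardened("/var/www", "admin/.htaccess\x00"))  # None
    for client, value in scan_log(SAMPLE_LOG):
        print(client, repr(value))
```

The allow-list makes the realpath check redundant for the pages it lists, but keeping the containment check means a later edit that maps a page name onto a user-supplied path still cannot read outside the web root.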

[screenshot: the .htpasswd contents]

Since the password was hashed, I used john to crack it.

john --wordlist=/usr/share/wordlist/rockyou.txt htpasswd

And after the brute force was successful I got the password as

[screenshot: john output with the cracked password]

Alright. See you soon guys.