damo.clanteam.com Security Challenge VI [Writeup]

alright, this one is a tricky one. It took me some time to figure it out. At first I spent about half an hour trying to work out what was happening, but when I saw a register page I had a feeling it had something to do with cookie injection. So I started up Burp Suite and logged in. All I had was a "PHPSESSID". I spent some time googling to see if there was anything interesting about PHPSESSID, but almost everything was a dead end. Then, while going through the Burp Suite history, I saw there were 2 cookies that got deleted when I was logging in.

[screenshot 1]

Those seemed like something worth looking into. After spending some time messing around, I logged in again with "Remember me" ticked, and then those two cookie parameters were saved in the session.

[screenshot 2]

Now both parameters seem to be base64-encoded, so I used Ruby to decode the base64:

root@bt:~# echo "require 'base64'; puts Base64.decode64('bnVrZTk5')" | ruby
nuke99

So it's obviously my username, 'nuke99'. I encoded the username "admin' or 'x'='x" and replaced the value of the "usernamesch6" parameter with it:

root@bt:~# echo "require 'base64'; puts Base64.encode64('admin\' or \'x\'=\'x')" | ruby
YWRtaW4nIG9yICd4Jz0neA==

[screenshot 3]

And now I'm logged in as the Admin. Next, go to "members-only.php" and submit your name with the replaced Admin session.
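The weakness here is that the "remember me" cookie is nothing but base64 of the username, so the server trusts whatever the client sends and feeds it straight into a query. As an added example (not from the writeup or the challenge site), here is the same cookie scheme in Ruby with the fix a defender would apply: an HMAC tag so a changed payload is rejected, plus a username format check before the value reaches any query. The secret and the character set are assumptions for this example.

```ruby
require 'base64'
require 'openssl'

# Placeholder server-side secret for this example; a real deployment loads a
# long random value from configuration and never hard-codes it.
SECRET = 'example-secret-do-not-use'

# What the challenge site does: the cookie is just base64 of the username,
# so anyone can decode it and encode a different value in its place.
def decode_legacy_cookie(value)
  Base64.strict_decode64(value)
rescue ArgumentError
  nil
end

# Hardened variant: keep the base64 payload but append an HMAC-SHA256 tag so
# the server can detect a cookie whose payload was changed client-side.
def issue_remember_cookie(username, secret = SECRET)
  payload = Base64.strict_encode64(username)
  "#{payload}.#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
end

# Constant-time comparison so the tag check does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Defence in depth: even a verified username is still input that reaches a
# query, so restrict it to the character set the application allows (assumed).
def valid_username?(name)
  name.match?(/\A[A-Za-z0-9_]{1,32}\z/)
end

# Returns the username, or nil if the cookie is malformed, carries a tag that
# does not match its payload, or decodes to a username that fails validation.
def verify_remember_cookie(cookie, secret = SECRET)
  payload, tag = cookie.to_s.split('.', 2)
  return nil if payload.nil? || tag.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_equal?(tag, expected)
  username = decode_legacy_cookie(payload)
  username if username && valid_username?(username)
end

if __FILE__ == $PROGRAM_NAME
  good = issue_remember_cookie('nuke99')
  forged = "YWRtaW4nIG9yICd4Jz0neA==.#{good.split('.').last}" # payload swapped, old tag kept
  puts verify_remember_cookie(good).inspect   # "nuke99"
  puts verify_remember_cookie(forged).inspect # nil
end
```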

[screenshot 5]

OK, now cya until the next challenge.
